Republished with permission from
WatchGuard Technologies, Inc.
Protecting Pocket PCs
By 2007, Internet access via 802.11, Bluetooth, and 3G wireless will be embedded in 75 percent of Personal Digital Assistants sold. Many of those PDAs will run Microsoft operating systems like Pocket PC 2002, Windows Mobile 2003, or their descendants. High-speed connectivity, combined with a familiar computing environment, will increase productivity for mobile professionals. But these advances also create a perfect breeding ground for trouble.
Consider Cabir, a Symbian worm released in mid-June by the cracker group 29A. When an infected Nokia Series 60 smartphone boots, Cabir sends itself to all nearby Bluetooth devices. Written as a proof-of-concept, Cabir's main adverse impact is battery drain. Duts, a similar 29A worm for Pocket PCs, was released in mid-July. A pair of backdoor Trojans that enable remote access and control of infected Pocket PCs were also demonstrated by Seth Fogie at Blackhat 2004.
A major PDA malware outbreak has yet to occur, but these proofs-of-concept constitute a wake-up call. Compromise is only a matter of time and opportunity; attackers have both in ample supply. So let's start taking steps today to safeguard our PDAs.
Personal Devices, Company Control
In this article, I'll explore a few techniques and tools available to secure Pocket PCs. For brevity, I'll use the term Pocket PC to refer to any handheld running Microsoft Pocket PC 2002 (based on Windows CE 3.0), Windows Mobile 2003 (based on Windows CE .NET 4.2), and Phone Editions of those two operating systems (aka Smartphones). To learn more about these Microsoft platforms and differences between them, visit the Windows Mobile website.
Some of the tools covered here are also available for other PDA operating systems. Readers using PalmOS and SymbianOS can browse PalmSource and SymbianWare for additional tools, or read my previous LiveSecurity column on Security Tools for Palm.
No matter which operating system your PDA runs, there's an excellent chance that you haven't secured your handheld with the same diligence applied to desktops and servers. Why? For starters, most PDAs used for business are still purchased by individuals. According to TNS NFO, three out of four employees use personal PDAs or smartphones for business but either don't know if those devices are secure or haven't taken any steps to secure them.
Today, less than 30 percent of companies have formally-defined security policies and practices to govern business use of PDAs. Fewer still have invested in tools to track, provision, and audit handheld devices. (What tools? For example, enterprise management suites like iAnywhere XcelleNet Afaria Frontline Security Management and Novell ZENworks Handheld Management provide PDA asset administration, software distribution, and event monitoring.)
Deploying such systems really means shifting device ownership from employee to employer. That may happen over time, but it certainly won't happen overnight. In the meantime, employees can start taking more responsibility for securing their own PDAs. Employers can encourage this through education, policy setting, best practice recommendations, and site licensing. PDAs may require different products than desktops, but many of the same security measures are available for Pocket PCs.
According to Gartner, failure to require power-on password usage is the number one risk associated with Pocket PCs. Device-level authentication should be your first line of defense against unauthorized use of misplaced or stolen devices. Go beyond the Pocket PC's basic PIN protection by using tools like these:
Products are also available from RSA and VASCO to turn Pocket PCs into software tokens (one-time password generators) for two-factor authentication. Those tokens won't secure your Pocket PC, but they can help travelers carry fewer devices.
Stored Data Encryption
Today's Pocket PCs are more than simple PIMs that store contacts, schedules, and to-do lists. Bigger, faster handhelds now run Pocket versions of Word, Excel, and Outlook, using ActiveSync to share files with desktops at work or home. However, according to Pointsec, over half of those who use PDAs for business don't encrypt stored data. Sensitive information written to your Pocket PC's ROM and removable storage cards can be protected from unauthorized access by using encryption tools:
Pocket PCs have long posed a risk as a carrier for Win32 viruses picked up via e-mail, Web browsing, or Infrared beaming, then synchronized onto desktops. Viruses written specifically for the Pocket PC pale in comparison to their Win32 counterparts, but that's not because this operating system is invulnerable. Quite the opposite: experts say that PDA processors like ARM are very easy to compromise. Virus writers have simply lacked interest in attacking PDAs -- until now. Before you download ringtones, wallpaper, or games from who-knows-where, protect your PC from malware:
Note that this list includes virus scanners and PDA intrusion detection products. Malicious code can arrive as a virus, worm, or Trojan. Your Pocket PC should be protected from all of these threats.
Due to risks associated with always-on residential broadband, personal firewall software has become standard equipment on home desktop PCs. Pocket PCs with embedded wireless face similar threats as they transition from occasionally-connected to always-connected devices. The lightweight TCP stacks used in Pocket PCs are vulnerable to both traditional DoS attacks like Kiss of Death and new wireless attacks like Bluejacking.
As you would with any other networked device, start by turning off unused interfaces. That's easy for adapters that you never use, but forgetting to disable interfaces used intermittently is human nature. Several security tools mentioned in this article can permit or deny use of Pocket PC adapters, based on centrally-administered policies. For example, Certicom's movianCrypt, a well-known PDA access control and encryption product, can disable Infrared and ActiveSync connections based on policy.
Network interfaces that are actively in use require the Pocket PC equivalent of personal firewalls used on desktop PCs. For example:
Obviously, VPNs have a role to play in wireless data protection. Pocket PC 2002 includes a built-in PPTP VPN client; Windows Mobile 2003 adds an L2TP VPN client. But you certainly aren't limited to using one of those Microsoft VPN clients:
In addition, 802.1X Supplicant products like Funk Odyssey and Meetinghouse AEGIS are now sold for Pocket PC platforms. 802.1X Supplicants are not wireless VPN clients, but help secure WLAN traffic by supporting user authentication and dynamically-keyed WEP/WPA between Access Points and Stations. 802.1X is helpful on PDAs used inside company networks, but wireless VPNs are required for secure access across the Internet.
These security measures are probably familiar to you, even if some example products are not. Don't underestimate the security risks posed by employee-owned PDAs. Pocket PCs may be smaller than laptops and desktops, but the logins, passwords, e-mail, and files they use still require business-grade protection. If you already have a Pocket PC security program in place, excellent! If not, start mitigating those risks by following links in this article to learn how to secure your Pocket PC. When the Pocket PC equivalent of Netsky or Sasser finally does hit, you'll be very glad that you did.
Articles by Lisa Phifer on wireless security:
Copyright© 2004, WatchGuard Technologies, Inc. All rights reserved. WatchGuard, LiveSecurity, Firebox and ServerLock are trademarks or registered trademarks of WatchGuard Technologies, Inc. in the United States and other countries.