Republished with permission from WatchGuard Technologies, Inc.


Protecting Pocket PCs

By Lisa Phifer, Core Competence, Inc.

By 2007, Internet access via 802.11, Bluetooth, and 3G wireless will be embedded in 75 percent of Personal Digital Assistants sold. Many of those PDAs will run Microsoft operating systems like Pocket PC 2002, Windows Mobile 2003, or their descendants. High-speed connectivity, combined with a familiar computing environment, will increase productivity for mobile professionals. But these advances also create a perfect breeding ground for trouble.

Consider Cabir, a Symbian worm released in mid-June by the cracker group 29A. When an infected Nokia Series 60 smartphone boots, Cabir sends itself to all nearby Bluetooth devices. Written as a proof-of-concept, Cabir's main adverse impact is battery drain. Duts, a similar 29A worm for Pocket PCs, was released in mid-July. A pair of backdoor Trojans that enable remote access and control of infected Pocket PCs were also demonstrated by Seth Fogie at Blackhat 2004.

A major PDA malware outbreak has yet to occur, but these proofs-of-concept constitute a wake-up call. Compromise is only a matter of time and opportunity; attackers have both in ample supply. So let's start taking steps today to safeguard our PDAs.

Personal Devices, Company Control

In this article, I'll explore a few techniques and tools available to secure Pocket PCs. For brevity, I'll use the term Pocket PC to refer to any handheld running Microsoft Pocket PC 2002 (based on Windows CE 3.0), Windows Mobile 2003 (based on Windows CE .NET 4.2), and Phone Editions of those two operating systems (aka Smartphones). To learn more about these Microsoft platforms and differences between them, visit the Windows Mobile website.

Some of the tools covered here are also available for other PDA operating systems. Readers using PalmOS and SymbianOS can browse PalmSource and SymbianWare for additional tools, or read my previous LiveSecurity column on Security Tools for Palm.

No matter which operating system your PDA runs, there's an excellent chance that you haven't secured your handheld with the same diligence applied to desktops and servers. Why? For starters, most PDAs used for business are still purchased by individuals. According to TNS NFO, three out of four employees use personal PDAs or smartphones for business but don't know if those devices are secure or haven't taken any steps to secure them.

Today, less than 30 percent of companies have formally-defined security policies and practices to govern business use of PDAs. Fewer still have invested in tools to track, provision, and audit handheld devices. (What tools? For example, enterprise management suites like iAnywhere XcelleNet Afaria Frontline Security Management and Novell ZENworks Handheld Management provide PDA asset administration, software distribution, and event monitoring.)

Deploying such systems really means shifting device ownership from employee to employer. That may happen over time, but it certainly won't happen overnight. In the meantime, employees can start taking more responsibility for securing their own PDAs. Employers can encourage this through education, policy setting, best practice recommendations, and site licensing. PDAs may require different products than desktops, but many of the same security measures are available for Pocket PCs.

Device Authentication

According to Gartner, failure to require power-on password usage is the number one risk associated with Pocket PCs. Device-level authentication should be your first line of defense against unauthorized use of misplaced or stolen devices. Go beyond the Pocket PC's basic PIN protection by using tools like these:

  • Bluefire's Mobile Firewall Plus can wipe a Pocket PC back to factory settings following a configurable number of failed PIN authentication attempts.
  • CIC's Sign-On compares the user's signature to a previously-recorded "template" to unlock the Pocket PC.
  • HP's iPAQ H5550 Pocket PC includes a built-in fingerprint reader for biometric user authentication.
  • Softava's PicturePassword unlocks Pocket PCs by requiring the user to tap one pre-defined spot on a configurable "skin."
  • SFR's visKey PPC approach is similar, but uses a sequence of points to increase the possible number of "passwords."
  • Transaction Security's CryptoSign requires the user to enter a "sign" (an arbitrary series of pen strokes that are never displayed) to unlock the Pocket PC.
  • Utimaco's Safeguard PDA enforces password rules with increasing delay between failed attempts, escalating to alarm or memory erase.
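The two failed-attempt policies described in this list (an increasing delay that escalates to alarm, and a wipe after a configurable number of failures) can be modelled as one small state machine. This is an added example, not code from the article or from any vendor's product; the class names, the doubling schedule, and every threshold are assumptions.

```python
import hashlib, hmac, os
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:                  # all thresholds are assumed, not vendor defaults
    base_delay: float = 2.0    # seconds of lockout after the first failure
    max_delay: float = 300.0   # cap on the doubling delay
    alarm_at: int = 5          # consecutive failures that raise an alarm
    wipe_at: int = 8           # consecutive failures that erase the device

class DeviceLock:
    def __init__(self, pin: str, policy: Policy = Policy()):
        self.policy, self.salt = policy, os.urandom(16)
        self.digest = self._derive(pin)   # store a salted hash, never the PIN
        self.failures, self.locked_until, self.wiped = 0, 0.0, False

    def _derive(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)

    def attempt(self, pin: str, now: float) -> str:
        """Return 'unlocked', 'denied', 'alarm', 'throttled' or 'wiped'."""
        if self.wiped:
            return "wiped"
        if now < self.locked_until:
            return "throttled"            # PIN is not even checked during the delay
        if hmac.compare_digest(self._derive(pin), self.digest):
            self.failures, self.locked_until = 0, 0.0
            return "unlocked"
        self.failures += 1
        if self.failures >= self.policy.wipe_at:
            self.digest, self.wiped = b"", True   # stand-in for erasing user data
            return "wiped"
        delay = min(self.policy.base_delay * 2 ** (self.failures - 1),
                    self.policy.max_delay)
        self.locked_until = now + delay
        return "alarm" if self.failures >= self.policy.alarm_at else "denied"

def simulate_guessing(lock: DeviceLock, guesses, start: float = 0.0):
    """Submit guesses as fast as the policy allows; return (outcomes, seconds)."""
    now, outcomes = start, []
    for guess in guesses:
        now = max(now, lock.locked_until)         # wait out any lockout
        outcomes.append(lock.attempt(guess, now))
        if outcomes[-1] in ("unlocked", "wiped"):
            break
    return outcomes, now - start

if __name__ == "__main__":
    lock = DeviceLock("4821")                     # constructed sample PIN
    print(simulate_guessing(lock, [f"{n:04d}" for n in range(10)]))
```

With the assumed thresholds, whoever holds a lost device gets at most eight guesses, spread over at least 254 seconds, before the data is erased.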

Products are also available from RSA and VASCO to turn Pocket PCs into software tokens (one-time password generators) for two-factor authentication. Those tokens won't secure your Pocket PC, but they can help travelers carry fewer devices.

Stored Data Encryption

Today's Pocket PCs are more than simple PIMs that store contacts, schedules, and to-do lists. Bigger, faster handhelds now run Pocket versions of Word, Excel, and Outlook, using ActiveSync to share files with desktops at work or home. However, according to Pointsec, over half of those who use PDAs for business don't encrypt stored data. Sensitive information written to your Pocket PC's ROM and removable storage cards can be protected from unauthorized access by using encryption tools:

  • Airscanner's Mobile Encrypter performs Pocket PC data encryption/decryption at individual file and folder levels.
  • Ilium Software's eWallet encrypts data stored on Pocket PCs and Smartphones, including passwords, PINs, contacts, and credit and calling card numbers.
  • JP Mobile's PDA Defense, available in standard, professional, and enterprise versions, encrypts selected folders and databases, decrypting data as needed.
  • Pointsec for Pocket PC provides real-time encryption for data stored on Pocket PCs and removable media, locked by picture-based access controls.
  • SoftWinder Sentry 2020 offers transparent Twofish or CAST encryption for virtual volumes stored on SD, MMC, CF and other Pocket PC removable media.
  • Vieka's PE Encrypt extends the Pocket PC's File Explorer to provide transparent, on-demand AES file encryption.

Anti-Virus Scanners

Pocket PCs have long posed a risk as a carrier for Win32 viruses picked up via e-mail, Web browsing, or Infrared beaming, then synchronized onto desktops. Viruses written specifically for the Pocket PC pale in comparison to their Win32 counterparts, but that's not because this operating system is invulnerable. Quite the opposite: experts say that PDA processors like ARM are very easy to compromise. Virus writers have simply lacked interest in attacking PDAs -- until now. Before you download ringtones, wallpaper, or games from who-knows-where, protect your PC from malware:

  • Airscanner's Mobile AntiVirus Pro augments file virus scanning with a process discovery tool that detects and stops memory resident viruses and trojans.
  • Alwil Software's Avast! is a very small footprint virus scanner for Pocket PCs and Smartphones.
  • Bluefire's Mobile Firewall Plus can detect changes made to a Pocket PC's registry, quarantining a potentially-infected PDA to stop it from infecting others.
  • F-Secure's Anti-Virus for Pocket PC scans at start-up, after every signature update, and whenever removable memory is inserted.
  • McAfee's VirusScan PDA scans Pocket PCs at power-on and during synchronization.
  • TrendMicro's PC-cillin for Wireless provides real-time virus scanning of files received through synchronization, beaming, or Internet browsing.

Note that this list includes virus scanners and PDA intrusion detection products. Malicious code can arrive as a virus, worm, or Trojan. Your Pocket PC should be protected from all of these threats.

PDA Firewalls

Due to risks associated with always-on residential broadband, personal firewall software has become standard equipment on home desktop PCs. Pocket PCs with embedded wireless face similar threats as they transition from occasionally-connected to always-connected devices. The lightweight TCP stacks used in Pocket PCs are vulnerable to both traditional DoS attacks like Kiss of Death and new wireless attacks like Bluejacking.

As you would with any other networked device, start by turning off unused interfaces. That's easy for adapters that you never use, but forgetting to disable interfaces used intermittently is human nature. Several security tools mentioned in this article can permit or deny use of Pocket PC adapters, based on centrally-administered policies. For example, Certicom's movianCrypt, a well-known PDA access control and encryption product, can disable Infrared and ActiveSync connections based on policy.

Network interfaces that are actively in use require the Pocket PC equivalent of personal firewalls used on desktop PCs. For example:

  • Bluefire's Mobile Firewall Plus inspects, filters, and logs traffic received by Pocket PCs through supported 802.11, CDMA, and GPRS wireless adapters.
  • Check Point's VPN-1 SecureClient provides over-the-air protection for wireless data, accompanied by "integrated personal firewall" capabilities.
  • Columbitech's WVPN uses WTLS to secure wireless data between Pocket PCs and Columbitech gateways, and to firewall traffic while the client is running.

Wireless VPNs

Obviously, VPNs have a role to play in wireless data protection. Pocket PC 2002 includes a built-in PPTP VPN client; Windows Mobile 2003 adds an L2TP VPN client. But you certainly aren't limited to using one of those Microsoft VPN clients:

  • Aventail's OnDemand uses a Java-based agent to provide Pocket PCs with secure SSL-based tunneling to Aventail SSL VPN gateways.
  • Expertcity's GoToMyPC provides AES-encrypted remote access to desktop PCs (secure screen sharing) from Pocket PCs with Internet access.
  • Maya Software's Maya VPN Client supports IPSec tunneling with NAT traversal from Pocket PCs using GPRS to reach Maya and other standard VPN gateways.
  • NetMotion Wireless' Mobility XE combines secure tunneling with cross-network roaming, so Pocket PCs move from WLAN to GPRS without session interruption.
  • V-ONE's SmartPass Client supports IPSec or SSL VPN tunneling to SmartGate VPN gateways from several client platforms, including Pocket PCs.

In addition, 802.1X Supplicant products like Funk Odyssey and Meetinghouse AEGIS are now sold for Pocket PC platforms. 802.1X Supplicants are not wireless VPN clients, but help secure WLAN traffic by supporting user authentication and dynamically-keyed WEP/WPA between Access Points and Stations. 802.1X is helpful on PDAs used inside company networks, but wireless VPNs are required for secure access across the Internet.


These security measures are probably familiar to you, even if some example products are not. Don't underestimate the security risks posed by employee-owned PDAs. Pocket PCs may be smaller than laptops and desktops, but the logins, passwords, e-mail, and files they use still require business-grade protection. If you already have a Pocket PC security program in place, excellent! If not, start mitigating those risks by following links in this article to learn how to secure your Pocket PC. When the Pocket PC equivalent of Netsky or Sasser finally does hit, you'll be very glad that you did.



Copyright© 2004, WatchGuard Technologies, Inc. All rights reserved. WatchGuard, LiveSecurity, Firebox and ServerLock are trademarks or registered trademarks of WatchGuard Technologies, Inc. in the United States and other countries.
