
Windows Mobile Security: Threats, defenses, and differentiators

Geir Olsen, Sr. Program Manager, Windows Mobile
WMB307

Poll

Yes, security is important to me. I’m willing to give up certain functionality and avoid running unapproved applications so that my data is safe.

No, this is my phone (even though I didn’t pay for it).

I have every right to do whatever I want with my most very favorite companion (including watching dancing pigs and storing compromising pictures of the neighbors in awkward positions).

I refuse to accept restrictions.

Calculating some odds

5,000-employee corp, 1 CEO
Loss odds same for any employee
Assume one loss per day: odds are 1:5000
Likely that the CEO is aware of:
• Exposure potential of loss
• Appeal of device to thief

Perhaps a CEO exception is not unreasonable?

Kaminsky's Laws

If you are security, no rules apply to you
If security needs you, no onerous rules apply to you
If security does not need you, you’re maybe allowed to breathe

http://news.cnet.com/8301-1009_3-10141507-83.html?tag=mncol

http://news.cnet.com/obamas-new-blackberry-the-nsas-secure-pda/?tag=mncol

http://news.cnet.com/8301-13578_3-10147749-38.html?tag=mncol

Sectera Edge by General Dynamics
Runs on Windows CE (not Windows Mobile)

Would you want to keep this in your pants pocket all day?

Threats

Risks vs. Desires

You
• Easy to use
• Develop and use custom applications
• Ignore security policies

Organization
• Protect corporate data
• Manage all devices
• Manage installed applications
• Provide simple helpdesk support

Mobile Operator
• Protect the network
• Manage devices (at basic level)
• Implement helpdesk support boundaries

Attack Vectors

Attacks against the device itself
Attacks against data in transit (from/to the device)
• From Internet connection or cellular network
Attacks against data in storage (in the device)
Attacks against the owner of the device
Device as vector for attacks against corp net

Physical

UK National Mobile Phone Crime Unit: “Current crime statistics reveal that a mobile telephone is stolen in about half of all street crime and in approximately a third of cases it is the only property stolen.”

London Metropolitan Police report: “As many as 10,000 mobile phones are stolen every month. Two thirds of the victims are aged between 13 and 16. Many phones are also stolen from unattended cars.”

Device Imaging

Plug kit into microSD slot and make copy of internal memory
• Very slow
• Requires theft (or chance to “borrow”)
• Keys in memory will be copied, too

Mitigations
• Don’t be stupid
• Hope the DHS doesn’t become “interested” in you

Online Attacks

Mobile phones associate with strongest signal tower, then negotiate encryption
Someone with a tower-in-a-backpack could associate your phone
No media layer encryption on his “tower,” of course

Mitigation: use encrypted link/applications
Not enough if attacker installs something on your device, though

Cracking Calls

GSM encryption (A5)
• 64-bit key often shortened to 54 bits
• Session key sometimes reused across 16 calls

Crack uses rainbow tables
• Needs 3 to 4 clear-text call set-up frames
• 2 terabytes (only!)
• Not entire 64-bit key space
• 33,000 years to generate with a PC
• $1000 specialized hardware gets key in 30 mins
http://gcn.com/Articles/2008/02/20/Cracking-GSM-calls-made-affordable-and-easy.aspx

SIM Cards

Essentially a Java card
Mobile operator can install apps over-the-air using SMS
• No indication to user
• Java has full access to phone and network
• Eavesdrop on calls
• Remote control a phone

BlueBug

Attacker creates serial connection profile with target device
Gives full range of modem-type “AT” commands
• Initiate a phone call
• Send SMSs to any number
• Read SMSs from the phone
• Read and write phonebook entries
• Configure call forwarding

BlueSnarf

Best known type of Bluetooth attack
Field testing conducted in London Underground
Attacker sends OBEX GET
• Rarely is authentication required
• Attacker grabs known files
  telecom/pb.vcf – phone book
  telecom/cal.vcs – calendar file

HeloMoto attack is a combination of BlueBug and BlueSnarf

More Bluetooth
• BlueSmack and BlueStab – buffer overflow attacks
• BlueBump – forced re-keying
• BlueSpoof – clone a legitimate device
• BluePrinting – fingerprinting Bluetooth devices
• Blooover and Blooover II – automated tools

Mitigation: don’t be discoverable

Software Vulnerabilities

WAPPush (WinMo 6)

HTC disables registry key to limit “service SMS” messages that can install/update software
http://forum.xda-developers.com/showthread.php?t=395389
http://de.youtube.com/watch?v=QhJ5SgD-bdQ

Curse of Silence (Symbian S60 2.6-3.1)

SMS with sender length >32 chars crashes SMS
Requires factory reset

ToorCon demo (iPhone)

SMS with 400 CRLFs causes display malfunction
http://www.youtube.com/watch?v=MGRb4iI4wM0

Software Vulnerabilities

Various (WinMo)
• Mosquitos (2004) – Virus, installed as game
• Cabir (2004) – Worm replicated through Bluetooth
• DUTS (2004) – PPC “The Polite Virus”…asked for permission to spread
• Skulls (2004)
• Lasco (2005)
• Locknut (2005)
• CommWarrior (2005) – Used Bluetooth during day and MMS in evening to spread. Very high phone bills
• MSIL/Xrove.A (2006) – virus installed via ActiveSync

Microsoft Confidential

Defenses

Time

Not a lot of malware—now
Flash point: when one smartphone OS becomes more popular than Windows desktop OS

Dilemma: few organizations will spend money on security in advance of an attack

No need for Firewall (maybe)

Device doesn’t listen for unsolicited inbound connections

Does listen for inbound replies to outbound connections—firewalls always permit this anyway

Difficult to get Data from Device

PIN lock is a bar to data acquisition
PC to device relies on ActiveSync/WMDC
ActiveSync requires devices to be unlocked

Unlocking locked devices
• PIN reset via OWA

“Interesting” information is protected
• Databases (cemail.vol, user.hv) are locked, not accessible remotely
• Not distinguishable physically in memory

Device Imaging

Most forensics tools don’t work on WinMo
Available tools aren’t completely reliable
• exFAT and TexFAT partitions not readable
• No undelete mechanism for TFAT or TexFAT
• No parsers for .vol files (texts, emails, contacts) in the partitions

Yet CE source is available for download…

Is this good or bad?

Data Protection

DPAPI default: AES-128
FIPS 140-2 compliant (WinMo 5.0+)
Storage card (WinMo 6.0+)
Sensitive data protection (WinMo 6.1)
RMS/IRMS/MIME (with .PFX cert)

Storage Card Encryption
Any file added to the storage card while the card is in the device is encrypted
Encrypted using Data Protection API
• AES128 or RC4 can be configured
• Master key is in persistent store of the device

Encrypted files are tracked by file extension
• Device hash identifies the encrypting device
• “<hash>.menc” portion of file name does not show on the encrypting device

Key can’t be ported to another device
Quality test—can’t detect degradation even when streaming video

Sensitive Data Protection

Not “whole device”

Can administratively add additional directories and files
Does not encrypt registry

User documents: \My Documents
Synced email: \cemail.vol
PIM data: \pim.vol
Synced email properties: \Windows\Messaging
Synced email attachments: \Windows\Messaging\Attachments
Internet cache: \Windows\Profiles\Guest\Temporary Internet Files

Key Generation and Protection

Cold boot
• User and system DPAPI keys generated
• Stored in file system—ACLed and encrypted

Warm reboot
• DPAPI recomputes session key
• Decrypts master keys in storage, loads into memory
• User key can also be protected with device lock password

Link Security

Exchange ActiveSync: SSL
• AES-128 or AES-256
• Server authenticates to client with certificate
• User authenticates to server with NTLM or basic auth

WiFi
• WPA2: AES-128 or AES-256
• EAP-SIM (SIM card is authenticator)
• EAP-TLS, MS-CHAPv2 (mutual auth)

Authentication Options

Certificate support
• .PFX/.P12, .CER, .P7B (no private key protection)
• Wildcard certificates
• Custom root certificates

Certificate enrollment
• Device app-initiated (no UI)
• Desktop via ActiveSync (with UI)
• Both require Windows CA and templates

Device Control

Local and remote wipe
Configurable policies through SCMDM
• Camera
• WiFi
• Bluetooth
Policies not alterable on device

SecureWipeAllVolumes API

Flags all mounted volumes for “wipe”
MSFLASH driver reformats flash memory volumes
• Erases every physical block—permanently wipes beyond recovery
• Or the OEM can opt to implement the secure wipe IOCTL for the new flash driver
If the volume is a hard disk, then the volume is overwritten once with “0”s
• Probably good enough for most cases
• Doesn’t attempt to comply with military “secure erase” requirements

Extending Security

Exchange

Adds security policy management
But no device inventory or management

Exchange ActiveSync Policies
Standard CAL

Sync
• Configure message formats (HTML or plain txt)
• Include past email items
• Email body truncation size
• HTML email body truncation size
• Include past calendar items (Duration)
• Require manual sync while roaming
• Allow attachment download
• Maximum attachment size

Authentication
• Minimum number of complex characters
• Enable password recovery
• Allow simple password
• Password Expiration (Days)
• Enforce password history
• Windows file share access
• Windows SharePoint access
• Minimum password length
• Timeout without user input
• Require password
• Require alphanumeric password
• Number of failed attempts
• Policy refresh interval
• Allow Non-provisionable devices

Enterprise CAL adds:

Device Control
• Disable desktop ActiveSync
• Disable removable storage
• Disable camera
• Disable SMS and any MMS text messaging

Network Control
• Disable Wi-Fi
• Disable Bluetooth
• Disable IrDA
• Allow internet sharing from device
• Allow desktop sharing from device

Application Control
• Disable POP3/IMAP4 email
• Allow consumer email
• Allow browser
• Allow unsigned applications
• Allow unsigned CABs
• Application allow list
• Application block list

Standard CAL

Encryption
• Require signed SMIME messages
• Require encrypted SMIME messages
• Require Signed SMIME algorithm
• Require encrypted SMIME algorithm
• Allow SMIME encrypted algorithm negotiation
• Allow SMIME SoftCerts
• Device encryption
• Encrypt storage card

Key
• Exchange 2007 SP1
• Exchange 2007 RTM
• Exchange 2003 SP2
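The Standard and Enterprise CAL policy settings listed above are what the Exchange 2007 SP1 Management Shell cmdlet New-ActiveSyncMailboxPolicy configures. The block below is an added example, not from the deck or from Microsoft; it assumes the Exchange 2007 SP1 parameter names (verify with Get-Help New-ActiveSyncMailboxPolicy -Full), and the policy names and mailbox address are placeholders. It puts a permissive policy beside a hardened one so the difference in what reaches the device is visible.

```powershell
# Added example (Exchange 2007 SP1 Management Shell). Parameter names are
# assumed from the SP1 cmdlet; "WM-Permissive", "WM-Corp-Secure" and the
# mailbox address are placeholders.

# Weak baseline: no PIN, unprovisionable devices and unsigned code allowed.
New-ActiveSyncMailboxPolicy -Name "WM-Permissive" `
    -DevicePasswordEnabled $false `
    -AllowNonProvisionableDevices $true `
    -AllowUnsignedApplications $true `
    -AllowUnsignedInstallationPackages $true

# Hardened policy: Standard CAL authentication/encryption settings plus the
# Enterprise CAL device, network and application controls from the list above.
New-ActiveSyncMailboxPolicy -Name "WM-Corp-Secure" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 8 `
    -MinDevicePasswordComplexCharacters 3 `
    -DevicePasswordExpiration "90.00:00:00" `
    -DevicePasswordHistory 5 `
    -MaxDevicePasswordFailedAttempts 8 `
    -MaxInactivityTimeDeviceLock "00:15:00" `
    -PasswordRecoveryEnabled $true `
    -DevicePolicyRefreshInterval "1.00:00:00" `
    -AllowNonProvisionableDevices $false `
    -DeviceEncryptionEnabled $true `
    -RequireStorageCardEncryption $true `
    -AllowStorageCard $false `
    -AllowDesktopSync $false `
    -AllowCamera $false `
    -AllowBluetooth HandsfreeOnly `
    -AllowIrDA $false `
    -AllowInternetSharing $false `
    -AllowUnsignedApplications $false `
    -AllowUnsignedInstallationPackages $false `
    -RequireSignedSMIMEMessages $true

# Assign the hardened policy to a mailbox, then confirm that the device
# actually acknowledged it (a non-provisionable device never will).
Set-CASMailbox -Identity "user@example.com" -ActiveSyncMailboxPolicy "WM-Corp-Secure"
Get-ActiveSyncDeviceStatistics -Mailbox "user@example.com" |
    Select-Object DeviceType, DevicePolicyApplied, DevicePolicyApplicationStatus
```

Devices that cannot enforce a setting are rejected once AllowNonProvisionableDevices is $false, which is the check that gives the other settings teeth.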

Exchange Deployment Topology (diagram)

Diagram elements: DMZ / Corporate Intranet; ISA Server / Reverse Proxy; Exchange Front-End/CAS Server; Exchange Mailbox Server; Active Directory; SharePoint 2003/2007 Server; MAPI clients; 128-bit SSL tunnel from device; SharePoint request proxied via Exchange CAS; subscription to mailbox.

System Center Mobile Device Manager 2008

Security management
• Domain join
• Feature and application control

Device management
• Full over-the-air provisioning
• Inventorying
• Role-based administration


SCMDM 2008 Deployment Topology (diagram, two slides)

Diagram elements: DMZ / Corporate Intranet; MMC Console; MDM Device Management Server; MDM Enrollment Server; Active Directory; SQL Server; Optional ISA or Reverse Proxy; Device Certificate Enrollment Service; SCMDM 08 Gateway; Exchange, SharePoint, Intranet and LOB Servers; Integrated WSUS Software Management.

Flows: initial enrollment over a 128-bit SSL tunnel with a One Time PIN for enrollment; machine certificate authentication for the mobile VPN; IPSEC VPN through the gateway; SSL user authentication to the intranet servers.

Differentiators

Important Questions

How do phones enter an enterprise?
How to balance competing demands?
What happens when business data is stored on devices with no security model?
How important is it to have a thriving ISV industry?
Is “consumerization” affecting an enterprise’s security requirements?

Compete…

Geir Olsen
geir.olsen@microsoft.com

Question & Answer

www.microsoft.com/teched – Sessions On-Demand & Community

http://microsoft.com/technet – Resources for IT Professionals

http://microsoft.com/msdn – Resources for Developers

www.microsoft.com/learning – Microsoft Certification & Training Resources

Resources

www.microsoft.com/learning – Microsoft Certification and Training Resources

Windows Mobile® Resources
TechNet TechCenter – System Center Mobile Device Manager 2008: http://technet.microsoft.com/scmdm

TechNet TechCenter – Windows Mobile: http://technet.microsoft.com/windowsmobile

MSDN Center – Windows Mobile: http://msdn.microsoft.com/windowsmobile

Webcasts and Podcasts for IT – Windows Mobile: http://www.microsoft.com/events/series/msecmobility.aspx

General Information – Windows Mobile: http://www.windowsmobile.com

General Information – System Center Mobile Device Manager 2008: http://www.windowsmobile.com/mobiledevicemanager

Windows Marketplace Developer Portal: http://developer.windowsmobile.com

Windows Mobile® is giving away Blackjack II's!

Stop by the Windows Mobile Technical Learning Center to learn how to enter

Complete an evaluation on CommNet and enter to win!

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
