Windows Mobile Security: Threats, Defenses, and Differentiators
TRANSCRIPT
Geir Olsen, Sr. Program Manager, Windows Mobile (WMB307)
Poll
Yes, security is important to me. I’m willing to give up certain functionality and avoid running unapproved applications so that my data is safe.
No, this is my phone (even though I didn’t pay for it).
I have every right to do whatever I want with my most very favorite companion (including watching dancing pigs and storing compromising pictures of the neighbors in awkward positions).
I refuse to accept restrictions.
Calculating some odds
5,000-employee corp, 1 CEO
Loss odds same for any employee
Assume one loss per day: odds are 1:5000
Likely that CEO is aware of:
Exposure potential of loss
Appeal of device to thief
Perhaps CEO exception not unreasonable?
Kaminsky's Laws
If you are security, no rules apply to you
If security needs you, no onerous rules apply to you
If security does not need you, you’re maybe allowed to breathe
http://news.cnet.com/8301-1009_3-10141507-83.html?tag=mncol
http://news.cnet.com/obamas-new-blackberry-the-nsas-secure-pda/?tag=mncol
http://news.cnet.com/8301-13578_3-10147749-38.html?tag=mncol
Sectera Edge by General Dynamics
Runs on Windows CE (not Windows Mobile)
Would you want to keep this in your pants pocket all day?
Threats
Risks vs. Desires
You:
• Easy to use
• Develop and use custom applications
• Ignore security policies
Organization:
• Protect corporate data
• Manage all devices
• Manage installed applications
• Provide simple helpdesk support
Mobile Operator:
• Protect the network
• Manage devices (at basic level)
• Implement helpdesk support boundaries
Attack Vectors
Attacks against the device itself
Attacks against data in transit (from/to the device): from Internet connection or cellular network
Attacks against data in storage (in the device)
Attacks against the owner of the device
Device as vector for attacks against corp net
Physical
UK National Mobile Phone Crime Unit: “Current crime statistics reveal that a mobile telephone is stolen in about half of all street crime and in approximately a third of cases it is the only property stolen.”
London Metropolitan Police report: “As many as 10,000 mobile phones are stolen every month. Two thirds of the victims are aged between 13 and 16. Many phones are also stolen from unattended cars.”
Device Imaging
Plug kit into microSD slot and make copy of internal memory
Very slow
Requires theft (or chance to “borrow”)
Keys in memory will be copied, too
Mitigations
Don’t be stupid
Hope the DHS doesn’t become “interested” in you
Online Attacks
Mobile phones associate with strongest signal tower, then negotiate encryption
Someone with a tower-in-a-backpack could associate your phone
No media layer encryption on his “tower,” of course
Mitigation: use encrypted link/applications
Not enough if attacker installs something on your device, though
Cracking Calls
GSM encryption (A5)
64-bit key often shortened to 54 bits
Session key sometimes reused across 16 calls
Crack uses rainbow tables
Needs 3 to 4 clear-text call set-up frames
2 terabytes (only!)
Not entire 64-bit key space
33,000 years to generate with a PC
$1000 specialized hardware gets key in 30 mins
http://gcn.com/Articles/2008/02/20/Cracking-GSM-calls-made-affordable-and-easy.aspx
SIM Cards
Essentially a Java card
Mobile operator can install apps over-the-air using SMS
No indication to user
Java has full access to phone and network
Eavesdrop on calls
Remote control a phone
BlueBug
Attacker creates serial connection profile with target device
Gives full range of modem-type “AT” commands
Initiate a phone call
Send SMSs to any number
Read SMSs from the phone
Read and write phonebook entries
Configure call forwarding
BlueSnarf
Best known type of Bluetooth attack
Field testing conducted in London Underground
Attacker sends OBEX GET
Rarely is authentication required
Attacker grabs known files
telecom/pb.vcf – phone book
telecom/cal.vcs – calendar file
HeloMoto attack is a combination of BlueBug and BlueSnarf
More Bluetooth
BlueSmack and BlueStab: buffer overflow attacks
BlueBump: forced re-keying
BlueSpoof: clone a legitimate device
BluePrinting: fingerprinting Bluetooth devices
Blooover and Blooover II: automated tools
Mitigation: don’t be discoverable
Software Vulnerabilities
WAPPush (WinMo 6)
HTC disables registry key to limit “service SMS” messages that can install/update software
http://forum.xda-developers.com/showthread.php?t=395389
http://de.youtube.com/watch?v=QhJ5SgD-bdQ
Curse of Silence (Symbian S60 2.6-3.1)
SMS with sender length >32 chars crashes SMS
Requires factory reset
ToorCon demo (iPhone)
SMS with 400 CRLFs causes display malfunction
http://www.youtube.com/watch?v=MGRb4iI4wM0
Software Vulnerabilities
Various (WinMo)
Mosquitos (2004) – Virus, installed as game
Cabir (2004) – Worm replicated through Bluetooth
DUTS (2004) – PPC “The Polite Virus”…asked for permission to spread
Skulls (2004)
Lasco (2005)
Locknut (2005)
CommWarrior (2005) – Used Bluetooth during day and MMS in evening to spread. Very high phone bills
MSIL/Xrove.A (2006) – Virus installed via ActiveSync
Defenses
Time
Not a lot of malware (now)
Flash point: when one smartphone OS becomes more popular than Windows desktop OS
Dilemma: few organizations will spend money on security in advance of an attack
(Maybe) No need for Firewall
Device doesn’t listen for unsolicited inbound connections
Does listen for inbound replies to outbound connections—firewalls always permit this anyway
Difficult to get Data from Device
PIN lock is a bar to data acquisition
PC to device relies on ActiveSync/WMDC
ActiveSync requires devices to be unlocked
Unlocking locked devices: PIN reset via OWA
“Interesting” information is protected
Databases (cemail.vol, user.hv) are locked, not accessible remotely
Not distinguishable physically in memory
Device Imaging
Most forensics tools don’t work on WinMo
Available tools aren’t completely reliable
exFAT and TexFAT partitions not readable
No undelete mechanism for TFAT or TexFAT
No parsers for .vol files (texts, emails, contacts) in the partitions
Yet CE source is available for download…
Is this good or bad?
Data Protection
DPAPI default: AES-128
FIPS 140-2 compliant (WinMo 5.0+)
Storage card (WinMo 6.0+)
Sensitive data protection (WinMo 6.1)
RMS/IRMS/MIME (with .PFX cert)
Storage Card Encryption
Any file added to the storage card while the card is in the device is encrypted
Encrypted using Data Protection API
AES128 or RC4 can be configured
Master key is in persistent store of the device
Encrypted files are tracked by file extension
Device hash identifies the encrypting device
“<hash>.menc” portion of file name does not show on the encrypting device
Key can’t be ported to another device
Quality test: can’t detect degradation even when streaming video
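The two properties above (encrypted files carry a device hash and a .menc suffix that is hidden on the encrypting device, and the key never leaves that device) give an administrator a cheap way to verify that storage card encryption is actually in force. The following PowerShell script is an added example, not part of the presentation or of Windows Mobile: it scans a card mounted on a desktop through a card reader and groups encrypted files by device hash, flagging anything left in clear. The drive letter, the exact "<original name>.<hash>.menc" naming layout and the hash character set are assumptions.

```powershell
# Added example (not from the presentation): inventory a Windows Mobile storage card
# mounted on a desktop and report which files are encrypted and by which device hash.
# Assumptions: card is at $CardRoot; encrypted names look like "<name>.<hash>.menc".
param([string]$CardRoot = 'E:\')   # assumed drive letter of the card reader

# Assumed layout: original name, then the device hash, then the .menc extension.
$pattern = '^(?<name>.+)\.(?<hash>[^.]+)\.menc$'

# PowerShell 2.0 compatible enumeration (no -File switch).
$files = Get-ChildItem -Path $CardRoot -Recurse -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer }

$encrypted = @()
$clear = @()
foreach ($f in $files) {
    if ($f.Name -match $pattern) {
        $encrypted += New-Object PSObject -Property @{
            Path       = $f.FullName
            Original   = $Matches['name']
            DeviceHash = $Matches['hash']
            Bytes      = $f.Length
        }
    } else {
        $clear += $f
    }
}

"Encrypted files: {0}   Unencrypted files: {1}" -f $encrypted.Count, $clear.Count

# More than one hash means more than one device has written to this card; files
# carrying another device's hash cannot be decrypted here, since the master key
# lives in that device's persistent store and cannot be ported.
$encrypted | Group-Object DeviceHash | Select-Object Name, Count | Format-Table -AutoSize

# Unencrypted files are the ones worth reviewing: written before the policy was
# applied, or copied onto the card from a PC rather than through the device.
$clear | Sort-Object Length -Descending |
    Select-Object -First 10 FullName, Length | Format-Table -AutoSize
```

Run it against the card from the desktop, not the device: on the encrypting device the .menc portion is hidden, so the pattern would never match there.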
Sensitive Data Protection
Not “whole device”
Can administratively add additional directories and files
Does not encrypt registry
Protected locations (item: path):
User documents: \My Documents
Synced email: \cemail.vol
PIM data: \pim.vol
Synced email properties: \Windows\Messaging
Synced email attachments: \Windows\Messaging\Attachments
Internet cache: \Windows\Profiles\Guest\Temporary Internet Files
Key Generation and Protection
Cold boot
User and system DPAPI keys generated
Stored in file system: ACLed and encrypted
Warm reboot
DPAPI recomputes session key
Decrypts master keys in storage, loads into memory
User key can also be protected with device lock password
Link Security
Exchange ActiveSync: SSL
AES-128 or AES-256
Server authenticates to client with certificate
User authenticates to server with NTLM or basic auth
WiFi
WPA2: AES-128 or AES-256
EAP-SIM (SIM card is authenticator)
EAP-TLS, MS-CHAPv2 (mutual auth)
Authentication Options
Certificate support
.PFX/.P12, .CER, .P7B (no private key protection)
Wildcard certificates
Custom root certificates
Certificate enrollment
Device app-initiated (no UI)
Desktop via ActiveSync (with UI)
Both require Windows CA and templates
Device Control
Local and remote wipe
Configurable policies through SCMDM: Camera, WiFi, Bluetooth
Policies not alterable on device
SecureWipeAllVolumes API
Flags all mounted volumes for “wipe”
MSFLASH driver reformats flash memory volumes
Erases every physical block: permanently wipes beyond recovery
Or the OEM can opt to implement the secure wipe IOCTL for the new flash driver
If the volume is a hard disk, then the volume is overwritten once with “0”s
Probably good enough for most cases
Doesn’t attempt to comply with military “secure erase” requirements
Extending Security
Exchange
Adds security policy management
But no device inventory or management
Exchange ActiveSync Policies
Standard CAL
Sync
• Configure message formats (HTML or plain text)
• Include past email items
• Email body truncation size
• HTML email body truncation size
• Include past calendar items (duration)
• Require manual sync while roaming
• Allow attachment download
• Maximum attachment size
Authentication
• Minimum number of complex characters
• Enable password recovery
• Allow simple password
• Password expiration (days)
• Enforce password history
• Windows file share access
• Windows SharePoint access
• Minimum password length
• Timeout without user input
• Require password
• Require alphanumeric password
• Number of failed attempts
• Policy refresh interval
• Allow non-provisionable devices
Enterprise CAL adds:
Device Control
• Disable desktop ActiveSync
• Disable removable storage
• Disable camera
• Disable SMS and any MMS text messaging
Network Control
• Disable Wi-Fi
• Disable Bluetooth
• Disable IrDA
• Allow internet sharing from device
• Allow desktop sharing from device
Application Control
• Disable POP3/IMAP4 email
• Allow consumer email
• Allow browser
• Allow unsigned applications
• Allow unsigned CABs
• Application allow list
• Application block list
Standard CAL
Encryption
• Require signed SMIME messages
• Require encrypted SMIME messages
• Require signed SMIME algorithm
• Require encrypted SMIME algorithm
• Allow SMIME encrypted algorithm negotiation
• Allow SMIME SoftCerts
• Device encryption
• Encrypt storage card
Key (slide color coding): Exchange 2007 SP1 / Exchange 2007 RTM / Exchange 2003 SP2
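The policy settings above are exposed in Exchange 2007 SP1 through the ActiveSync mailbox policy cmdlets in the Exchange Management Shell. The script below is an added example, not part of the presentation or of Microsoft's documentation: it builds one policy that enforces the password, encryption, device-control and sync settings from the Standard and Enterprise CAL lists and assigns it to a mailbox. The cmdlet and parameter names are those of the Exchange 2007 SP1 shell as I recall them; the policy name, mailbox alias, timeouts and size limits are assumptions chosen for illustration.

```powershell
# Added example (not from the presentation): an Exchange 2007 SP1 ActiveSync
# mailbox policy that turns the slide's checklist into enforced settings.
# Policy name, mailbox alias and numeric values are assumed for illustration.
$policyName = 'WinMo-Corporate-Baseline'   # assumed policy name

# Standard CAL: authentication / device password settings
New-ActiveSyncMailboxPolicy -Name $policyName `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordComplexCharacters 3 `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 8 `
    -DevicePasswordExpiration '90.00:00:00' `
    -DevicePasswordHistory 5 `
    -MaxDevicePasswordFailedAttempts 8 `
    -MaxInactivityTimeDeviceLock '00:15:00' `
    -PasswordRecoveryEnabled $true `
    -DevicePolicyRefreshInterval '1.00:00:00' `
    -AllowNonProvisionableDevices $false

# Standard CAL (SP1): encryption of the device and the storage card
Set-ActiveSyncMailboxPolicy -Identity $policyName `
    -RequireDeviceEncryption $true `
    -RequireStorageCardEncryption $true

# Enterprise CAL: device, network and application control
Set-ActiveSyncMailboxPolicy -Identity $policyName `
    -AllowDesktopSync $false `
    -AllowStorageCard $false `
    -AllowCamera $false `
    -AllowWiFi $false `
    -AllowBluetooth Disable `
    -AllowIrDA $false `
    -AllowInternetSharing $false `
    -AllowRemoteDesktop $false `
    -AllowPOPIMAPEmail $false `
    -AllowConsumerEmail $false `
    -AllowUnsignedApplications $false `
    -AllowUnsignedInstallationPackages $false

# Standard CAL: sync and attachment limits
Set-ActiveSyncMailboxPolicy -Identity $policyName `
    -AttachmentsEnabled $true `
    -MaxAttachmentSize 1MB `
    -RequireManualSyncWhenRoaming $true

# Assign the policy to a mailbox (alias assumed) and confirm the assignment.
Set-CASMailbox -Identity 'jdoe' -ActiveSyncMailboxPolicy $policyName
Get-CASMailbox -Identity 'jdoe' | Format-List ActiveSyncMailboxPolicy, ActiveSyncEnabled
```

The Enterprise CAL block only takes effect for mailboxes licensed with the Enterprise CAL; on a Standard CAL mailbox the cmdlet still accepts the parameters, so check the license, not just the policy object, when auditing what a device actually enforces. With AllowNonProvisionableDevices set to false, devices that cannot apply every setting are refused sync rather than silently synced without protection.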
Exchange Deployment Topology (diagram)
Zones: DMZ, Corporate Intranet
Components: ISA Server / Reverse Proxy, Active Directory, Exchange Front-End/CAS Server, Exchange Mailbox Server, SharePoint 2003/2007 Server, MAPI clients
Connections: 128-bit SSL tunnel from the device; SharePoint request proxied via Exchange CAS; subscription to mailbox
System Center Mobile Device Manager 2008
Security management: domain join; feature and application control
Device management: full over-the-air provisioning; inventorying; role-based administration
SCMDM 2008 Deployment Topology (diagram, initial enrollment)
Zones: DMZ, Corporate Intranet
Components: MMC Console, MDM Device Management Server, Active Directory, MDM Enrollment Server, SQL Server, optional ISA or Reverse Proxy, Device Certificate Enrollment Service
Connections: one-time PIN for enrollment; 128-bit SSL tunnel; machine certificate authentication for Mobile VPN
SCMDM 2008 Deployment Topology (diagram, after enrollment)
Zones: DMZ, Corporate Intranet
Components: SCMDM 08 Gateway; Exchange, SharePoint, Intranet and LOB Servers; MMC Console; MDM Device Management Server (integrated WSUS software management); Active Directory; MDM Enrollment Server; SQL Server; optional ISA or Reverse Proxy; Device Certificate Enrollment Service
Connections: IPsec VPN to the gateway with machine certificate authentication for Mobile VPN; 128-bit SSL tunnel with one-time PIN for enrollment; SSL user authentication to the intranet servers
Differentiators
Important Questions
How do phones enter an enterprise?
How to balance competing demands?
What happens when business data is stored on devices with no security model?
How important is it to have a thriving ISV industry?
Is “consumerization” affecting an enterprise’s security requirements?
Compete….
Geir [email protected]
question & answer
www.microsoft.com/teched Sessions On-Demand & Community
http://microsoft.com/technet Resources for IT Professionals
http://microsoft.com/msdn Resources for Developers
www.microsoft.com/learning Microsoft Certification & Training Resources
Resources
www.microsoft.com/learning Microsoft Certification and Training Resources
Windows Mobile® Resources
TechNet TechCenter – System Center Mobile Device Manager 2008 http://technet.microsoft.com/scmdm
TechNet TechCenter – Windows Mobile http://technet.microsoft.com/windowsmobile
MSDN Center – Windows Mobile http://msdn.microsoft.com/windowsmobile
Webcasts and Podcasts for IT – Windows Mobile http://www.microsoft.com/events/series/msecmobility.aspx
General Information – Windows Mobile http://www.windowsmobile.com
General Information – System Center Mobile Device Manager 2008 http://www.windowsmobile.com/mobiledevicemanager
Windows Marketplace Developer Portal http://developer.windowsmobile.com
Windows Mobile® is giving away Blackjack II's!
Stop by the Windows Mobile Technical Learning Center to learn how to enter
Complete an evaluation on CommNet and enter to win!
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS,
IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.