Recent Events in Pocket PC Security
During the past couple of months some new developments have occurred regarding Pocket PC security that you should be aware of. This article covers some of the changes including a new version of ActiveSync, URL spoofing in Pocket Internet Explorer, what personal files survive a hard reset and how to erase them.
New Version of ActiveSync
During January, Microsoft released ActiveSync 3.8. With ActiveSync 3.8, Microsoft has changed the default installation behavior to not enable network synchronization. By not enabling network synchronization, users with Windows XP, Service Pack 2 or any other software based firewall will no longer see the prompts from the firewall to allow ActiveSync to use the internet. While this is more secure by default, the user should be aware that enabling the network synchronization may increase their PC’s security risk. This is because each application that is allowed to bypass the firewall opens up specific TCP/IP ports that allow the program to work and that a hacker can attempt to manipulate and compromise their PC. So I recommend that users that do not need to synchronize via the network to disable this option in ActiveSync to synchronize via a network. Also, please note that the option to support network synchronization affects users that attempt to synchronize via a dialup (RAS) connection as well since it uses TCP/IP.
URL Spoofing in Pocket Internet Explorer
When users are using Pocket Internet Explorer, they can click on a link on a website or in e-mail that appears to look like it came from a legitimate website they wanted to visit. However when they visit the site, it is actually redirected to another website they did not intend to visit. This URL spoofing (obfuscation) presents a possible security risk for all Pocket PC users that use Pocket Internet Explorer on the internet or intranet. AirScanner has documented the URL spoofing on their website at http://www.airscanner.com/tests/ie_flaw/ie_attack.htm. Please note that the security risks presented in the URL only works on the Pocket PC however desktop users can read about the vulnerability. Users may notice that the URL looks different because it contains unusual characters and is very long. It appears as a series of large number of % signs and numbers or letters which obscure the real URL. Users cannot use the View - Properties option in Pocket Internet Explorer to confirm that the URL they are visiting is for the same website they expected because the beginning of the url appears correct. Right now there is no utility which can prevent URL spoofing from occurring.
A spoofed URL looks like this (note that the following example does not work):
Also using this technique a url can open local files on your Pocket PC as well. These files are only displayed on your Pocket PC and cannot be uploaded to a web server. From my testing the URL Spoofing and local file viewing security issues do not exist for the Smartphone 2002.
Finally, users should be careful when clicking on website links in e-mails. Since some e-mail is formatted as HTML, the sender can redirect the user to another website. This is because the text on the e-mail appears correct and legitimate while the underlying link is not. At this time there is no way for users to see that they will visit the wrong URL until they click on it. Then Pocket Internet Explorer will display the spoofed URL in the address bar. However since the address bar is not visible by default some users may miss this visual cue. To view the address bar, click on the View menu option and click on the menu item titled Address Bar. Then the address bar will be displayed.
What Survives a Hard Reset?
If you have had a Pocket PC for the past few months, you have experienced the dreaded hard reset. A hard reset is where all the data contained within the ram of the Pocket PC is erased. Well not exactly. Some manufacturers such as Hewlett-Packard have decided to provide you with additional storage built into your Pocket PC. On the HX4700 you will see the iPAQ File Store as a storage card you can keep your data on. The iPAQ File Store does not get erased by a hard reset because it is flash memory. So its contents will still be available to you in the event you are traveling and you lose your data. This ability for users to store and retrieve data such as drivers or program in flash memory may be beneficial.
Since the iPAQ File Store does not get erased, it presents a security risk for any data stored in it. This is because a thief can easily hard reset the Pocket PC and then use it just like you did when you got it out of the box. Please note that HP does not offer a utility which allows the user to “format” the flash storage to ensure that the data has been erased.
In cases where you’re selling or giving your device to someone else, you may want to use a third-party program to completely delete the data to prevent others from having access to it. One such application is MobileEncrypter 2.0 from AirScanner, which provides the ability to “bitwipe” (i.e.: overwrite) all data on your Pocket PC. I recommend that both home and enterprise users consider using software to clear the internal flash storage to ensure that their personal data has been deleted and cannot be recovered.
As always with the world of security, everything is subject to change. So even though you have assessed the current security risks, there are always new ones being found that need to be examined even for the Pocket PC. To help users keep current, I have created a web page with known issues at http://www.cewindows.net/security.htm.