Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Researchers Criticize Security of Windows Mobile



 By: Matt Hines
2006-10-26
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
By failing to encrypt data stored on Windows Mobile devices, as it is protected on other popular handhelds, Microsoft is leaving users open to potential data leakage, wireless researchers say.

A new research report contends that by failing to offer onboard encryption for e-mail files stored on Windows Mobile devices, Microsoft may be putting itself at a competitive disadvantage and leaving users vulnerable to data loss.

According to the latest report published by J. Gold Associates, a Northborough, Mass.-based wireless research firm, Microsofts decision not to offer file encryption capabilities on its Windows Mobile platform reflects poorly on the technology compared to other popular wireless systems.

Unlike the push e-mail systems offered by rival mobile software makers including Good Technology, Research In Motion and Sybase, Microsofts wireless messaging technology doesnt include data protection beyond simple passwords, researchers said.

While the omission wont likely affect consumer adoption of Windows Mobile devices, which are so-called smart phones that offer more PC-like functions than most of todays popular handhelds, enterprises may choose to adopt other platforms based on the lack of more comprehensive security features, said Jack Gold, principal analyst with J. Gold Associates.

Windows Mobile provides for encryption of data while it is in transit to the device, but leaves sensitive corporate data open to access if one of the handhelds has its password hacked, the analyst said.

Resource Library:

Gold specifically highlights an issue in Microsofts Direct Push technology, which is used to move data between the latest versions of Exchange Server and Windows Mobile devices.

Direct Push utilizes AirSync, a derivative of Microsofts ActiveSync, which is used to distribute data to Windows Mobile devices and provide a way for data stored on the devices to be synchronized with back end servers.

The current versions of ActiveSync and AirSync only support specially formatted data sets that meet certain Microsoft data specifications, which means that any transfer of data from Exchange Server to Microsofts Pocket Outlook must be done in an unencrypted file-state.

"The bottom line is that every enterprise is concerned about security these days, and it will be a significant consideration as they adopt new mobile devices," Gold said.

"The way that Microsoft has engineered mobile push e-mail the information is relatively out in the open, such as when doing a sync between Exchange and Pocket Outlook; the use of only a password is a pretty insecure approach, and companies will likely want the ability to encrypt all the data thats being stored there."

Microsoft didnt immediately respond to calls seeking comment on the criticism. However, the company has made a concerted effort to up the security in its next-generation desktop operating system, Vista.

If the company were to add functionality similar to the Windows BitLocker drive encryption feature it has added in Vista to Windows Mobile, users might view the wireless platforms security as more comparable to those offered by its rivals, the researcher said.

However, even if Redmond, Wash.-based Microsoft were to add such tools to Windows Mobile, Gold would like to see the ability for users to encrypt individual files, versus the blanket approach used in BitLocker.

"The problem with BitLocker is that youre forced to encrypt the entire disk or not to use the feature at all, and end users will need the ability to encrypt on a file-by-file basis," Gold said.

"This lack of encryption in Windows Mobile is an architectural flaw that Microsoft should have expected, and they will need to re-architect if they want companies with sensitive data adopt the platform."

Companies such as financial services firms and health care providers that operate under strict data-handling regulations could choose other technologies over Windows Mobile if the software maker doesnt add new encryption capabilities, said Gold.

The analyst would specifically like to see Microsoft re-engineer AirSync, ActiveSync and Pocket Outlook to provide additional security for data being passed through those applications.

Security for mobile devices is becoming a more high-profile issue as smart phones become more widely adopted.

Click here to read more about Nokias efforts to secure its smart phones.

Some 51 million smart phones were shipped in 2005, representing 6 percent of all wireless handsets, according to iGillottResearch. The research company predicts that the devices will account for 21 percent of all handhelds by 2010.

J. Gold Associates contends that smart phones will make up roughly 10 percent to 20 percent of wireless device shipments over the next four years, but expects that for business users the number will be much higher, accounting for as much as 50 percent to 60 percent of all handhelds.

In September, the Trusted Computing Groups Mobile Phone Work Group issued a draft of its Mobile Trusted Module standard, which is meant to establish guidelines that help wireless device and software makers improve the security of their products.

A final draft of the product specifications is expected to arrive before the end of 2006, and the effort aims to dovetail with other wireless security initiatives driven by groups including the Open Mobile Alliance, Open Mobile Terminal Platform and Mobile Industry Processor Interface Alliance.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.



  Reader Comments: Researchers Criticize Security of Windows Mobile
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Matt Hines
 


x}v8~z'M񢫭H9-ǚ-ĝݣHJb"9$e[_b|g_bq -|ĖP(T B w? 9wTݴgASGwq 4wv޼yC(7`ɒ:nx#aYj)~W-sl7rak7;#|%oމ;|9|ALTadbIPȋT^alM Lh:qF٤XC#:qrWݼ#~0F0A74Sӱng9PU;34n u[Wr@IRX-UA~_/ܛiL9Z}os"+$\.;gW9@ Pwڷ@ږWUP\ti\v?߉ Á#ð A'߉Fj;}&DeR)$/ Z`hWP u.kzQҏZ-ԕRkIn뙾 3+iD1,K,GQD|6/NM㳣N;l,aZU 2R*]鬘FȏwfU5M{#kr9n>;3ӡ`BәmiuuUZz\߃ v3<,V+r=2Ï'6ǣ1 xS<œ qN {훨-TKۗ9K }xc-> ,_ fAm7u oK'SFE ;@ݰsvfHmPurƒ_̻Fh-Aho*KLr &@SH :6E).exH}/)`I˪ T $嗉mQq>]${SBDgg+A.2)i"(`o{ØWX\E<5KZ:чzlNTW꒮RWb{g(QOK.ϱv}BzW^?]{և6LqJhX7Y`Ap-KE`\T77j 6RZ/JT=|h a`qaѥJ]7F >Ӂf4aN :u|jlx>:AE*ڴbh4@&&h`C:}ҍ&-Ѐ/QpzF![W P@X' : (}9\PlmN5-uhZ`Q 4aCDF˕ }Q #0HQtuNt"AђFe *4 gs#X"C"'Gs`[ΠX;;.˥\.y"M':Ν3r x&,Rȗ\VKᗄLP%i2miڪ/FNl("7(Vn)k`bu4dМ6,'6!&B~M`Z&FH,iocs꺖iA\%nuCf{aMv"Wv6PzT4fs)wdm˴oH\fЛv39n(!)hWi 2cOeUyrt+[Y3nR>}EJ=""ǰ^`'gjŌ$)O}}?ٲJb-Yֽ(UעcP.{KúJr/Hoh m_EڠyeLGyK-# iMPP+ezdx($me6L686b8O>3l{`(`( Hen1ʊT9,Wfn (E`@E} &ʥ ëw@4=".H{kLԀ' 18yy4%2N?CN5,&"fj:i[^ |'-KɁUrqXk0읶ׅ]%υ(̧6ai+D>՜hRF ÑihiHLZ`!?T$iϩ#Y/9-0cY}6adtFV9 CQZ>-L.L{ i pj o>U< đMTUbET;(l];(cXe[9pM9~ :FS.cD[O3 A@OTI}'hk5FzD*(F*6. Q#/Pk ._@?C!E% PT1"&cKcK1SMm0C ^av JM:dbz6}3<ܴg>?CU\f,"jXUcjxSCrZ/j7+|&ˆaJ 54 N|_o60FKxY:7q;ԧn-!WꜺGשXTe1o0kfW#S@*WHF(/> (.KTNr \A7=C fAO(۩6{1 v? k3w kq 5`EQ9??CynR)brdLÖ+C=w7ĚȲ-UޭlF'FA\=CxؽL2685 ÿEuκiYOS)%V$tu| `_sfM<=WkHT05 5~j !KՃZQ߯Y*> (:LT0Kx{ZCA9Sd}tq@l#RqM݌6m"uy@VJXhQwh_/ۡQm(}gnq&mfo^{d[9yn2$8z0JL;%95$_ۂ3JnԹuBItLc`l@<粢=`L4 Ylpg-H]Ӟyu ٔl{nkktX{Wz&[wTv' رuねC-oZ# 0]7=3%(4OQrl2~6mֳ>^#"!9ݩs5!3/ROR4sp>nzJeR)Y)d 1t8:T6uGca luKqHTʌZ%o(QU-qǍJ.,%yN1 Q(v}b;TئʲHG٭XV82V6jRnoAafZ(J] BL$KP}E࣏Su?^fȵڽv?fARTS,.=J%UT-V岔P?ͳ!ݓBpimFB%3-ܛх`@O|k@a>uR9(̖K%4eS/ -9@_׳~3>:L̾~xf;CB!['g·~`}݇?H LӀoB!) Z~pxy"t.Zlb8 } h܃6 8`a8ޫtc!u'qdzVBlZ''5{6|v>72 DHv4|w/8%{޽fGsX+փ u;B&9!hUHv:ڢG)'GXv䕤 g[ZUHN~DCD6OY`0!9+Ra]ȩ|pPuwj3I Di:n;Q =dFn;Z7Ҝ\t} =uF'5I];:'cz,Q&}9lu DaK4Ai8=P.FqgOɍ2sXs\ JCw4U_bxYa)~;Sմr%>iפuja~%GYHRoATh`wnv{.|J(=}![3jxu?1F./zv~ِ1hhkV<? B~o'; ?--8cCR#I1sMIAҭҽUDYd)=QDG㳑)G/?{tH_/lǵ4/ ZmhUѪ?1lTSUڽ/cϤ;lÑ+}1%ҟGӓ 4Ik򖺽EeD*D#1vcew  -1q]˱Iٛdž~;3 + zԴ_J9`e鞓iJ<8ysq[f,:4ʰ3^;-@V#M\`j[ *nE4g3a4ecK)Oux;weyZL S}VVaQpA[Iww[jX*Hɒ+vkH\+R!H%TRf8MT>8)km)ı-ؖǶ֦QHj܇sQaVGF4O3tt<ΥPZj^00} =+. bsU)tVt_d\=Pʋ!ݸÛ@tâ'P6|9:x܈{(Ur1dI?cNvXf3TJTCޔ U!ߥxSU1d#YOa%\BB5-!%;si܃A"RDy%Yur~)QL `n7}c΁X|sx"Ȳ W2Jy)TRa sȒER{gB01@8VjecͯA \T38-!tp9xs  B&8ti>ͭXfuS,&k/.{TGK6"mJ BaDO^5R qbN4dy]K H0VI9Q JѴɵrk( 3-Lo^n|8O`㍧٘G6Q{F}>h1Lo R)u1?0o9,aps$xňў6=(M٥bӤO,$cBcХNrƎko03Qb @b(lap$M(laۘL_H=&ͧ7e+z_|t'wˆ%bMfs Eh}yhЩS0'gMHEӛsHaBZ"Lڷ_ OaI_?νecC:Q0A"Z@mȧ/CB G^V>JxKhρI2Y Xڏ^>av8Ehlۓ77d=)[f!ڶZ=x/Qqٙy4w6k1!"B$5Hcuzr-pۓ(|܋;}t[s<ס_u.1Fcg γ+$\u.jvyX`M{ܮQ~)`+l|?TT 1[]?DN>> v$X{ܸꆜPy͍Qv/П#.t\:4 LЅ\-K LMY ߘ©IbHA"z(4'ݞ!!"@srIwCm.BG7Tks¥0ᓋ9W#I;\|Mҋh!7bVߚqe@oY0>~yZ-t>v@pFOlsCӳ`)I >Phs@'4?ZS%ے-_x}f: TsmQ).@Ȁ2&|pT M;3Wn+_˃sOp`Gp GC `BOIE!7&0gRL_2ڷ,':u0d0 m#'Fs\/ ~5X$ /d#Q 44v̴ $:2@{`pkFk4<ᰯlfgn=9tL7\ۻl~KchR^z:_Q*m0w7 ܰ{ք`ah7l Rc :"i ]|Wݿr鰿tx,[s7qf.qyOꭌUI|2(C sVHmڼmjׅOƒY'Ӄ;_*^3!4TJ \tGo.ZD φcY\qq㪖\-pm\3/ZǃcS@MP!Jjgf6SBk6.MՍ Jn7it`Wٰ:@:!+5=uaieJسgL;c)5^V)SFk(+>̓rbt>`l^Jf4C2EbM$T86)),┊fneK`%3sI4pxfXSpU:z~~yc6&9+AQ-kR^/e#=Ej`%"_˲$y5mcjU,C$&Hm޼xz1C@ nWw#9tmH̆xv{ɅFDɣڊbM$n@¨#vPJC aO88]8cI~c) +hWxB,膆axm Ҳ񦪵0}dbS),rY4Kc&ᕬJU:WK.>%܋%ӊ,ƻ. 2Z.֘1h*B U霴 xk5]RUBI ?}Ώ|^ԙn:k6Dk=!`58?cn&-m'hbzBRKoV;ɣB(MNDJ`h*G| m’-= ;,W@fe^zS|8!xZlSKMܵճAʥ 8IVu3,tsH3Ta6 +E,W*!qݧ"UZIy:joMXieZyr#u]KqGz^.+by[9i SR&Z:<}Q-mEr1&B5g?< h\z1߾JۍkE +U★#AŃap+^c"WmL|:ErbLWDڮR]s˩^@yj4ZψaߙC޾?jqA缷+Kf0Y+ 66mY V7g)ۅ]aiJ %'0srڪm6v4 ?R)!_6~esY x#nO5~V$|ɈVs%LX|J< EC<d  Ƅ16R,6$AeЃ5T?0G/ :{nQگTeG"?{|% d>(Q1IG<['wzԥ7?={N8 `['*>IoH${H]U# `xM(?no_Zsrپ靷u=<ҳLsgD&'x wM$G~ `D0<^È9 CO 2u 1û1Bs\viVкlɦt]u|1[G\(W9Ĝ#Li:hr}ٓ"fbDRw.3؏ah 3yVyxȤ"*4>GJ[!}s uG' 4aBRA~}s<1٦p%z{hx0m͚1;m3@fGw~Oc"1^#*3 P(  H"`( "PF: !YC^bJ MfF·:}3+%&X`42E,CExuփwe޺ c:<2xBo85&knldaQ*I|8+M U߇34ȏ^Klݜ(8Z1I(tCK/Hzs pw'HSbRMJIhR$|:l+R0,^W ; ͊Wb8v VH+^@03*%{KI6'Do`9暭{MZ&GUӽ$G ¶V|G es5OMfbv>L5m+LideAN/[mj ʩ`isYX1K x5< /8l^sФfo%u[@/Aoxpj+ ݌rI;ʏח}N3Pq}Y'eSn&&oon2/9 B< 9k]K(keK"*SV9,.O3t0մ] &JRo-cENikr(%s,2g!h{쫠c3P-JDUQUޜb6,f`0v4e5a;H_ Lf~<&ԊRnOArt tq2; s%>|RGPV=M \ڎvڝEf{ueePsvdmo߆zI_'<+<yVl<- 5.ӼQ3[ LjCs H7ziXV+ >赏?^wkҾlZ=6΃L?A7n"B7Ejo2x s0"wmX=] PN7nޣ97?g 4ɹP))JIoR-W+;5M 'g eE%QIPJE:(PPफ़h[ٞiRoR` YZi8an%[C1aV?&gM&\ʠaCз,%sv[Z0 c|`3i&58W!Z76@c d߻C!/mcx`j 7l>@SxS&3b"s9oє^\C~ƅ2͗X֭2`V{2.#6O,/%O|w wؼO!O0BkNh? / C弡|'oF4{ǻŋrD`am8&QQ6`:}c<oa$-K?X v;i70~98𰙀i4LuOi3A W'Ơ}ֽhD#[#7XYNƀ_֌/Y݈8qefv}L ů]x۰-~mj^\طÏ }MpzUsʱ E ?nǝ)ZK5E 9bW1Th…Idsr(0Iic/ 0_Fv)B n`Z(>/~} 쁦@=osқ`&<ÄLYZʣm&^#%:Bc M=؉kCǹE<4Ǟ"0ـ%NAf*2Ş[ =6}V\s7n8rxmHECR$쭰F'-@d)۹,7,Ý8.ON=[(}c|YVF1:IϐRx܃a PH^0}F_ )4MϫޝEXI%k3,Ŝz J @| S%JuLխVoU^s&n`/Ē_| P 3৯J7Oeԭ-O"NtX9=|Iމn[zQؗE@1gG;Vf*io'@BPh!un'|o#W|B,[#<p@3 >0h93Cp r ,NNM[5 SRJQPٶ2COA3t Oke[ O"OCZ2 W;Kq^'tf#H?Ƌ қY>6:Ɛ9-)0p,\to 96CxeKoz7/;ܨNAEV0yMvRF} ?dtE#bSp!@>pe62QTD Q)ۉYbd휙F69~gsʋ@xqDgPvXGml<^|c [東5X2;vΆOVbek[$| _[0~h+m˕|axYLnR?Jb @gJ mE7=Tt3 %`GiU`Z+r 8 Ghwq#1UVB\ (at!L?Q1?cumnj1uF.xmhT[pWVD'3V-qݼ3^a[_8Vlw9p{e(75wSF \LE s3}v=G mr?q,r?]4MclJSc93a=`>.<'J/a(4LvWLENE,<bSf}')ZO_Xџ_Q>1[Z=H>|E=#;έiwpڟ?vޘ#{P@ x>ա`]e̿ޯׁYL 3_; 0o"fYx/E5(ڇysTo UG8#`Y;(1UOdoNx3x _AJ!OnuVtf`7_cρwِ&yoaXhGS?pq鵂]iȓUAơQkzP;eXFH{з`٩Y  ׷gE0f(hj@rn?5DcvɃE4CwEbaNO_f'3rY*DK6{:A/g?7Z. 1GTG8[&sD Tthxy D/[贙d1\Ks-&OB'V$Vi-Y_Z`P%ihYlYX`CMaTm_nR7BlI' WD 컮w-Rs)Nǻ=<~FP& /xf-6zOau\[.nrhWǘn7rl߰7,nh4nLxL˦6 `Ȥo/Gxov!!ٴM,Xug<>'ctL|qݣj0\~#яՙ};m=bcz+Ҏ*ݡ\@ o):1 '2AA„PrϝZ(:?D" +\vƞ<&Gv7G jM@'-77vvPG#S .efP=iMZC%ԽB-671( N☁b_bZ{d/ x!o%faA.En ,ی^k7It=*ӽ% =a>ϊ{T'_t0"!_RPƁR+Vʁw XWaG) 2E%±s4qa]X:ȭe;MfG KXRMn_Yrp+2FZ4[ SK]5d>8^E!էЕby¼^^ad[hTo9oڝga x:uVGn:vֻjt.?$+-fމ6X4 sX(AUyK0RJE&X([!ɁT1ol0C|}܆m PfȶBS+7k+E۔gS1Qg:Vͷ#+\ K_< :@