I recently acquired a Windows mobile-based Samsung BlackJack smartphone. I absolutely love it but I feel it's quite the liability hanging off my pocket. I can't imagine being responsible for dozens, if not thousands, of these types of systems in larger enterprises. But this is the case for many people – people that are used to only having to secure Windows workstations and servers.
Mobile systems are a glaring weakness within enterprise security and not enough people are concerned about or have the right resources to address this. There's often no direct accountability in managing and securing mobile systems, and they often fall outside the scope of security assessments and audits. Interestingly, there's not a ton of vendor-based solutions to lock down these devices either. The ones that do exist focus on the older versions of PocketPC.
Lack of visibility and limited security solutions aside, the odds are that you have a whole lot of untamed Windows Mobile-based devices floating around your environment. The security risks associated with Windows Mobile systems are really no different than those commonly tied to laptop computers. They include:
- Weak authentication mechanism (if any)
- Lack of encryption
- Virtually unlimited storage capacities
- Potential for malware infections
- System updates and patches (not so many now, but that's bound to change).
The big difference is that you can't really test Windows Mobile systems using traditional security testing tools. It's just the nature of the beast.
These weaknesses not only expose sensitive files and email to whoever comes into contact with the mobile devices, but they also facilitate data leakage and sensitive information exposure by employees who aren't on the up and up. Windows mobile-based systems are that much more vulnerable because they have a greater propensity than the typical laptop to be lost and sprout legs, never to be seen again.
Ensuring that your Windows Mobile systems are properly locked down and are protecting sensitive business assets all starts with policies. I know policies aren't sexy, but regardless of how boring and repetitive they seem, it's an absolute must to make sure your mobile systems fall within the scope of all your other computer systems.
Your mileage will vary but you should at least make sure the following Windows Mobile concerns are addressed in your existing security policies, standards and plans:
- User authorization
- Passwords
- Remote access for RDP and VPN sessions
- Wi-Fi connectivity
- Internet and email acceptable usage
- Information sensitive and content storage
- Encryption requirements (storage and Wi-Fi)
- Physical security
- Incident response in the event of theft or loss
- Disposal
- Security auditing and testing
Beyond policies, here are the essential security must-haves for all Windows Mobile systems in your organization:
- Use power-on passwords and SIM locks where you can. This serves as a good first line of defense against all but the most formidable attackers.
- Require screens to lock with password-based re-entry after a relatively short time period (i.e., 2-3 minutes).
- Ensure you have the latest firmware and software provided by your mobile device manufacturer that likely addresses known security flaws.
- Use the media card encryption feature built into Windows Mobile 6, which has the ability to wipe the system remotely. There are known issues with this, so you may be better off looking at third-party encryption solutions like those offered by Credant, Information Security Corp. and Aiko Solutions.
- Use third-party "tweaking" tools, such as Tweaks2K2.NET and Spb Kiosk. They allow you to adjust various security controls, such as disabling ActiveX, hiding admin passwords and other desktop lock-down features.
- Require secure VPN connections across Wi-Fi networks using tools like the ones offered by Bluefire Security Technologies.
- Be sure you (or your users) are backing up your mobile systems either via standard syncing capabilities or using a third-party tool like Sprite Backup.
In addition to those lock-down practices, be sure to check out Microsoft's Security Model for Windows Mobile 5.0 and Windows Mobile 6 and Security Considerations for Windows Mobile Messaging in the Enterprise.
Locking down smartphones and PDAs is one of those darker places of security, and it's gone unexplored for too long. Whether these systems are business-owned or not, if employees are using them for business email, office applications and file storage, then those systems need to fall under your control. There's no time to drag your feet. Mobile device business risks are bound to rear their ugly heads if they haven't already. Address these issues now. As Windows Mobile usage becomes more widespread in the coming years, you'll appreciate the effort you put forth today for getting things under control.
About the author: Kevin Beaver is an independent information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC where he specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at kbeaver@principlelogic.com.
