During the past couple of months some new developments have occurred regarding Pocket PC security. Here are three that you should know about:
1. New Version of ActiveSync
In January Microsoft released ActiveSync 3.8. With ActiveSync 3.8, Microsoft has changed the default installation behavior to not enable network synchronization. By not enabling network synchronization, users with Windows XP, Service Pack 2, or any other software-based firewall will no longer see the prompts from the firewall to allow ActiveSync to use the Internet. While this is more secure by default, users should be aware that enabling the network synchronization may increase the risk to their PC's security. This is because each application that is allowed to bypass the firewall opens up specific TCP/IP ports, and while this allows the particular program to work, a hacker can exploit this opening and attempt to manipulate and compromise the PC. Users who do not need to synchronize via the network should disable this option in ActiveSync. Also, please note that the option to support network synchronization affects users that attempt to synchronize via an Ethernet, Wi-Fi, or dialup (RAS) connection as well, since they all use TCP/IP.
Here is an example of the File > Connection Settings screen for ActiveSync 3.8. Please note that the option titled “Allow network (Ethernet) and Remote Access Service (RAS) server connection with this desktop computer” is not checked.
2. “URL Spoofing” in Pocket Internet Explorer
When browsing the Web via Pocket Internet Explorer, you may click on a link that you think is taking you one place, and wind up on a site you did not want to visit. This malicious redirecting is called “URL spoofing,” and it presents a possible security risk for all Pocket Internet Explorer users using the Internet or on an Intranet. AirScanner has documented the URL spoofing, which they refer to as “URL obfuscation.” For more on this, visit their Web site (http://www.airscanner.com/tests/ie_flaw/ie_attack.htm. Please note that the specific security risks described in this document only relate to the Pocket PC.
AirScanner MobileEncrypter lets you thoroughly wipe out the contents of your Pocket PC's internal flash storage and other storage locations.
How to spot a suspicious URL: you may notice that the URL looks different because it contains unusual characters and is very long. It may contain a large number of % signs and numbers or letters in order to obscure the real URL. Users cannot use the View Properties option in Pocket Internet Explorer to confirm that the URL is correct because the beginning of the URL appears correct. Right now there is no utility which can prevent URL spoofing from occurring.
A spoofed URL looks like this (note that the following example does not work):
http://www.paypal.com&login.rand-%00%01AE67D12EF9090AB933@%36%39%2E%30%2E%32%30%30%2E%31%30%36/
Also, using this technique, a Web page that you visit via Pocket Internet Explorer is able to open up local files on your Pocket PC as well. Luckily, these files are only displayed on your Pocket PC and cannot be uploaded to a Web server, so your data will not leave your Pocket PC. From my testing the URL spoofing and local file viewing security vulnerabilities do not exist on the Smartphone 2002.
3. URL Redirects
Printer-friendly version
