Friday, October 27, 2006
Windows Mobile "Email Security" Criticized, Lacking Details
Posted by Janak Parekh in "NEWS" @ 08:00 AM
"A new research report contends that by failing to offer onboard encryption for e-mail files stored on Windows Mobile devices, Microsoft may be putting itself at a competitive disadvantage and leaving users vulnerable to data loss...According to the latest report published by J. Gold Associates, a Northborough, Mass.-based wireless research firm, Microsoft's decision not to offer file encryption capabilities on its Windows Mobile platform reflects poorly on the technology compared to other popular wireless systems...Windows Mobile provides for encryption of data while it is in transit to the device, but leaves sensitive corporate data open to access if one of the handhelds has its password hacked, the analyst said. Gold specifically highlights an issue in Microsoft's Direct Push technology, which is used to move data between the latest versions of Exchange Server and Windows Mobile devices."
It's hard to figure out what exactly the reporter is saying in this incredibly poorly-written article, and the original report isn't free, but after Googling around and finding another writeup, I think J. Gold Associates is expressing concern that Server ActiveSync/Direct Push writes to an unencrypted Pocket Outlook email store, and that theft or loss of the device leaves only a brute-forceable device password between an adversary and the secure email content on the device, and that is a serious problem with WM security as opposed to RIM devices and others.
I don't know what RIM does beyond the usual password control, and I really can't comment on the report itself, but... this doesn't surprise me. Pervasive storage encryption takes up a significant amount of CPU and slows down device performance, and as it stands, WM devices are pretty slow working out of flash. Second, this is a mitigable situation; out of the box, WM5+MSFP devices have Remote Wipe capability, plus one can implement a password policy that will wipe the unit after a number of tries. So, unless we get more details, I'm forced to conclude this is an inflammatory article that doesn't really illustrate security or the lack thereof with respect to Server ActiveSync and Direct Push. :?
It's hard to figure out what exactly the reporter is saying in this incredibly poorly-written article, and the original report isn't free, but after Googling around and finding another writeup, I think J. Gold Associates is expressing concern that Server ActiveSync/Direct Push writes to an unencrypted Pocket Outlook email store, and that theft or loss of the device leaves only a brute-forceable device password between an adversary and the secure email content on the device, and that is a serious problem with WM security as opposed to RIM devices and others.
I don't know what RIM does beyond the usual password control, and I really can't comment on the report itself, but... this doesn't surprise me. Pervasive storage encryption takes up a significant amount of CPU and slows down device performance, and as it stands, WM devices are pretty slow working out of flash. Second, this is a mitigable situation; out of the box, WM5+MSFP devices have Remote Wipe capability, plus one can implement a password policy that will wipe the unit after a number of tries. So, unless we get more details, I'm forced to conclude this is an inflammatory article that doesn't really illustrate security or the lack thereof with respect to Server ActiveSync and Direct Push. :?
