Jason Langridge has a great post about the latest FUD (Fear Uncertainty and Doubt) that discredits the security available in Windows Mobile 5 and Direct Push. It is suprising that an industry analyst would publish a formal report making strong statements based on completely inaccurate or factually incorrect information, and even more surprising that a reputable publication like eWeek would publish those findings without doing some fact checking. Our PR team is very good about helping press and analysts get the facts right when they are working on an article like this.
My main interest in writing this post is to expand on Jason’s comments on two specific points the analyst expresses
1. ‘….any transfer of data between Exchange and Outlook Mobile must be done in an unencrypted file-state’.
Jason point out that the entire data stream bewteen the device and the Exchange Server is encrypted using SSL. The encryption uses a 128-bit key and is built on a modular architecture that allows different cyphers or encryption algorithms including 3DES and up to 512-bit keys.
2. ‘… the use of only a password is a pretty insecure approach.’
Starting with a new device a user would need information on the server URL, the exchange credentials (username and password). Two-factor authentication is also possible: two factirs can be what you know (a password) and what you have (a digitalc ertificate). Windows Mobiel allows for certificate-based authentication which can require cradled sync to download the certificate making it more secure. The use of Tokens (SecureID for example) is supportes as is S/MIME for encrypted and authenticated email.
If someone were to find a device, say in a taxi cab, there is a PIN that protects the device. After a number of failed attempts the device will be completely wiped returning the device to factory state. PIN strenghth, number of tries and other parameters are policies set by IT on the exchange console. A user who loses his device can call IT or send a “kill pill” from his OWA interface to wipe the device even before someone finds it.
How about on-device encryption you may ask? This is simply not practical for a variety of reasons:
1. I don’t know of any company that encrypts emails on laptops, and laptops can carry a whole lot more information and are arguably easier to lose or steal so it is not logical to have a different security policy for mobile devices.
2. “Other email-centric platforms” provide this functionality but it is seldomly used due to the performance hit. In general Windows Mobiel devcies are powered by more capable CPUs making it viable.
3. Let’s assume your company is really worried about espionage. A malicious person who got their hand on a WIndows Mobile device would have two options to get access to the information on your email (assuming PIN lock is being used and it hasn’t been remotely wiped yet). One would be to dis-assemble the unit, take out the memory chip, connect it to ROm reader, download contents to a PC, figure out file system and how emails are stored in memory and identify targeted info. The second option would be to somehow disable wireless connectivity to avoid remote wipe, cradle the unit to a PC and do an Activesync attack which I have never heard about and would be really difficult. This is of course, very complicated and highly unlikely. Any malicious person would have much easier paths to find confidential information.
However, for organizations that require this level of security, Microsoft works with a number of partners (Trust Digital, Credant, Bluefire and others)that provide this and other security capabilities. Windows Mobile has achieved the government FIPS-140-2 Level 1 certification. If you want to learn more there is a network security whitepaper online with some additional details (this paper may not be updated to Windows Mobile 5 MSFP).