Windows Mobile and BlackBerry security

There are a lot of misconceptions about security in Windows Mobile and BlackBerry. I recently posted about an article on eWeek with a lot of inaccuracies on the subject. Later, eWeek published an article to help set the record straight.

I will start by saying that Windows Mobile security is not perfect. In fact, no security is perfect; with the right resources, tools and persistence, any security can be cracked. And the easiest way is usually through social engineering. "Good" security for me means a platform makes it impractical for hackers to get to your confidential stuff.

Having said that, there are increasing reports in the press about BlackBerry security challenges, the latest one published also by eWeek here. But that is not the only one; there have been many more, like this one.

BlackBerry's security architecture creates an encrypted and trusted channel between the device, the NOC and the BES server inside the firewall. The BES server is usually set up by IT with super administrator privileges on the Exchange Server. If someone cracked one BlackBerry device, as described in the eWeek article, a malicious intruder could gain complete access to the Exchange Server and the Active Directory.

In my opinion, the fundamental problem is that the encrypted channel between the NOC and the BES server is "owned" by BlackBerry. An IT department has no tools to secure it beyond what RIM provides. There is no way to inspect what is coming in or to prevent an attack like the described scenario. The Windows Mobile architecture uses the same security model that companies use for Outlook Web Access and to protect themselves from internet attacks: a firewall and an ISA server. The ISA server opens every packet being sent and inspects it, ensuring the content is what it is supposed to be. In other words, anything that does not look like a Windows Mobile device asking for email will probably be flagged and stopped by the ISA server.

This is the equivalent of having a tunnel between the outside world and your server room that is entirely controlled by a third-party company, and you can't even send a security guard to check it out. When I have explained this to RIM customers, their usual reaction is "wow - you are right, this is pretty scary".

The older eWeek article reads “Because the communications channel between the BlackBerry server and any connected handheld devices is encrypted and cannot be scoured by most network intrusion detection tools, unsuspecting administrators could overlook the exploit, which could be used to steal private information or deliver other forms of malware.”