Windows Mobile Enterprise Security Best Practices - Presentation Transcript
Windows Mobile Enterprise Security Best Practices
John Rhoton, Mobile Technology Lead, HP Services
But just what is mobility?
Devices:
Mobility = Mobile phones?
Mobility = Smart phones?
Mobility = PDAs?
Wireless:
Mobility = Wireless LANs?
Mobility = GSM/GPRS?
Applications:
Mobility = Form-factor adaptation?
Mobility = Synchronisation?
Facets of Mobile Security (diagram): management, devices, air transmissions (PAN, LAN, WAN), public and private networks, applications; axes of mobility, wireless and traditional security; four numbered areas, with VPN in area 3.
Agenda
1. Mobile devices
2. Air interfaces: Bluetooth, 802.11b, WWAN
3. Remote Access: Tunnels (VPNs), Roaming
4. Perimeter Security: Compartmentalization, Access Controls
Device Security (Windows Mobile)
Threats to Mobile Devices (threat: cause)
Stolen information: host intrusion, stolen device
Unauthorized network/application access: compromised credentials, host intrusion
Virus propagation: virus susceptibility
Lost information: lost, stolen or damaged device
Mobile malware timeline, June 2004 to July 2005 (source: Trend Micro): Cabir, Win CE DUTS, Win CE BRADOR, Skulls, Qdial, Locknut (Gavno), Vlasco, Dampig, Comwar, Drever, Hobbes, Fontal, Mabir, Doomed. Most target Symbian OS (Nokia, etc); DUTS and BRADOR target Windows CE (HP, etc).
Mobile Device Security Management
Platform selection and configuration
Policy enforcement
Passwords
Device lock
Policy updates
User support
Device lockout
Backup/restore
Security Usability
Windows Mobile Content Protection: Access Control Approaches
Simple lock-out
Encryption: where is the private key stored? Smartcard / TPM, or a key hashed from the user password (open to dictionary attack, so couple with strong password policies)
Prevent insecure boot (analogous to BIOS password and DriveLock)
Choice depends on:
Sensitivity of data
Sustainable impact on usability and performance
Trust in user password selection
iPAQ Content Protection: Access Control Solutions
Native Pocket PC
Biometric Authentication
HP ProtectTools
Pointsec
Credant
Enterprise Requirements
Integrated Management Console
Directory (AD/LDAP) integration
Centralized Policies
Policy polling
User cannot remove
Screen-lock / Idle-lock
MSFP (Messaging and Security Feature Pack)
Exchange 2003 SP2
Windows Mobile 5.0 (Persistent Storage)
S/MIME
Certificate-based Authentication
Policy Enforcement
Local wipe
Remote wipe
Summary of Access Control
Credant
Centralized Management
Adopted by HP IT
Personal Edition bundled with iPAQ
Pointsec
Centralized Management
Multi-platform
Windows Mobile and Windows (Full Disk Encryption)
HP ProtectTools
No encryption
Government certification
Secure boot
Mobile Device Security and Mobile Device Management are tightly connected in a comprehensive enterprise solution!
Air Interfaces: Bluetooth
Pairing & Authentication
Pairing: requires access to both devices and manual input of a security code ("PIN"); nothing to store or remember
Authentication: based on stored keys; no user intervention
Bluetooth Security
Acceptable Security Algorithms
Initialization
Authentication
Encryption
Prevention of Discoverability, Connectability and Pairing
Proximity Requirement
Multi-tiered security (diagram: master M holds link keys K_MA, K_MB, K_MC, K_MD with devices A, B, C, D; A and D share K_AD)
Bluetooth vulnerabilities
PIN attack: PIN often hard-coded, usually short (4-digit)
Bluejacking
Bluesnarfing
Virus propagation
Centralized Policy Management is critical in the Enterprise!
Air Interfaces: WLAN
Needs determine security: SSID, MAC filter, WEP, WPA/802.11i
MAC Filters
Require management of authorized MAC addresses
LAA (Locally Administered Address) can override UAA (Universally Administered Address)
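The override works because one bit in the first octet (the U/L bit) marks an address as locally administered, and any driver can set it. An added example (not from the deck; the allow-list is constructed) that audits a MAC-filter allow-list for entries the filter cannot vouch for:

```python
import re

# Six hex octets separated by ':' or '-', as found in most AP allow-lists.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2})[:-]([0-9A-Fa-f]{2})[:-]([0-9A-Fa-f]{2})"
                    r"[:-]([0-9A-Fa-f]{2})[:-]([0-9A-Fa-f]{2})[:-]([0-9A-Fa-f]{2})$")

def parse_mac(mac: str) -> bytes:
    """Return the six raw octets of 'aa:bb:cc:dd:ee:ff' / 'aa-bb-cc-dd-ee-ff'."""
    m = MAC_RE.match(mac.strip())
    if not m:
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes(int(g, 16) for g in m.groups())

def is_locally_administered(mac: str) -> bool:
    """U/L bit = bit 1 of the first octet. Set: LAA, chosen by the operator or
    driver. Clear: UAA, burned in, with an IEEE-assigned OUI."""
    return bool(parse_mac(mac)[0] & 0x02)

def is_multicast(mac: str) -> bool:
    """I/G bit = bit 0 of the first octet. A unicast client never has it set."""
    return bool(parse_mac(mac)[0] & 0x01)

def audit_allow_list(entries):
    """Map each questionable entry to a finding. An empty result does NOT mean
    the filter is safe: a UAA value can be set by a driver just as easily."""
    findings = {}
    for mac in entries:
        try:
            if is_multicast(mac):
                findings[mac] = "multicast/broadcast address, never a valid client"
            elif is_locally_administered(mac):
                findings[mac] = "locally administered: not tied to any NIC"
        except ValueError as e:
            findings[mac] = str(e)
    return findings

# Constructed sample allow-list (hypothetical values, not from the deck).
SAMPLE_ALLOW_LIST = [
    "00:0B:CD:12:34:56",   # UAA: looks like a burned-in address
    "02:0B:CD:12:34:56",   # same value with the U/L bit set: an LAA
    "01:00:5E:00:00:01",   # IPv4 multicast, cannot be a client
    "zz:00:00:00:00:00",   # malformed entry
]

if __name__ == "__main__":
    for mac, finding in audit_allow_list(SAMPLE_ALLOW_LIST).items():
        print(f"{mac}: {finding}")
```

The audit only catches entries that are obviously not a manufacturer's address; it cannot tell a genuine UAA from a copied one, which is exactly why MAC filtering is management overhead rather than authentication.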
Equipment of a Wi-Fi freeloader
Mobile device
Linux
Windows
Pocket PC
Wireless card
Orinoco card
Prism 2 card
Driver for promiscuous mode
Cantenna and wireless MMCX to N type cable
Increasing the transmission range (DEFCON 2005 WiFi Shootout)
Large dishes
High power levels
Line-of-sight
200 km
Bringing the “War” to War Driving
Tools
NetStumbler—access point reconnaissance
http://www.netstumbler.com
WEPCrack—breaks 802.11 keys
http://wepcrack.sourceforge.net/
AirSnort—breaks 802.11 keys
Needs only 5-10 million packets
http://airsnort.shmoo.com/
chopper
Released August 2004
Reduces number of necessary packets to 200-500 thousand
Wireless LAN security evolution (timeline)
1999, WEP: Privacy: 40-bit RC4 with 24-bit IV. Auth: SSID and shared key. Integrity: CRC.
2003, WPA: Privacy: per-packet keying (RC4) with 48-bit IV. Auth: 802.1x + EAP. Integrity: MIC.
2005+, 802.11i / WPA2: Privacy: AES. Auth: 802.1x + EAP. Integrity: MIC.
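The privacy column is where WEP fails first: with a 24-bit IV the same RC4 keystream is reused after a few thousand packets. An added example (not from the deck) that quantifies the IV space with the birthday bound for random IVs and the wrap-around time for sequential IVs, comparing WEP's 24 bits with TKIP's 48; it says nothing about WEP's weak-key statistical attacks, which are what AirSnort relies on and need far more packets.

```python
import math

def iv_reuse_probability(n_packets: int, iv_bits: int) -> float:
    """Probability that at least two of n packets share an IV when IVs are
    drawn uniformly from 2**iv_bits values: 1 - exp(-n(n-1)/(2N))."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-n_packets * (n_packets - 1) / (2.0 * space))

def packets_for_reuse_probability(p: float, iv_bits: int) -> int:
    """Smallest n at which the reuse probability reaches p (inverse bound)."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2.0 * space * math.log(1.0 / (1.0 - p))))

def hours_to_exhaust(iv_bits: int, packets_per_second: float) -> float:
    """A sender that increments IVs sequentially wraps after 2**iv_bits packets."""
    return 2 ** iv_bits / packets_per_second / 3600.0

def compare(iv_bits_list=(24, 48), n_packets=1_000_000, pps=1000.0):
    """One row per IV size. pps=1000 is an assumed busy-AP rate, not measured."""
    rows = []
    for bits in iv_bits_list:
        rows.append({
            "iv_bits": bits,
            "p_reuse_after_n": iv_reuse_probability(n_packets, bits),
            "packets_for_50pct": packets_for_reuse_probability(0.5, bits),
            "hours_to_wrap": hours_to_exhaust(bits, pps),
        })
    return rows

if __name__ == "__main__":
    for row in compare():
        print(row)
```

Per-packet keying in TKIP also changes the RC4 key with every packet, so even a 48-bit IV wrap would not hand back the same keystream the way WEP's static key does.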
Wi-Fi Protected Access (WPA)
Temporal Key Integrity Protocol
Fast/Per packet keying, Message Integrity Check
WPA-Personal
WPA-Enterprise
IEEE 802.1x Explanation
Restricts physical access to the WLAN
Can use existing authentication system
(Diagram: Supplicant (Client) to Authenticator (Access Point) over 802.1x / EAP; Authenticator to Authentication Server (RADIUS Server) over EAP in RADIUS; TKIP / MIC on the wireless link.)
802.11i ratified June 2004
AES selected by National Institute of Standards and Technology (NIST) as replacement for DES
Home WLAN: WEP key rotation, firewall, intrusion detection
Public WLAN: MAC address filter, secure billing, VPN passthrough
Rogue Access Points
Highest risk when WLANs are NOT implemented
Usually completely unsecured
Connected by naïve (rather than malicious) users
Intrusion Detection Products
Manual, Sensors, Infrastructure
Multi-layer perimeters: 802.1x; RBAC, VPN (diagram: Internet, Intranet and Access layers)
Air Interfaces: WWAN
Wireless WAN (Wide Area Network)
GSM, GPRS, HSCSD, EDGE, UMTS
CDMA 1XRTT, EV-DO, EV-DV, 3X
802.16, 802.20
2G -> 2.5G -> 3G -> 4G
Bandwidth 9.6kbps - <2Mbps
Large geographical coverage
International coverage through roaming
(Diagram: GPRS phone, GPRS iPAQ, e-mail pager, GSM/GPRS PC card.)
Further reading: http://h18004.www1.hp.com/products/wireless/wwan/WWAN-Security.pdf
Mobile Network Scenarios (diagram with PAN, WLAN, 3G, GPRS and Satellite zones)
Surfing: Person 1 improves bandwidth by moving into a 3G area
MP3 download: Person 2 saves time and money by scheduling the download in a public WLAN hotspot
Peer-to-peer: Person 3 sends an MP3 file over a Bluetooth link free of charge to Person 4
At sea: Person 5 maintains coverage via satellite after leaving GPRS range
Vendors mentioned: Columbitech, Birdstep, Ecutel
Unauthorized Wireless Bridge
Perimeter Security
Binary Access Insufficient
Health checks become mandatory (NAP)
Complete Access Layer secured (e.g. 802.1x)
Refined Network Access
Role-based Access Control
Bluesocket
Perfigo (Cisco)
Cranite
Aruba
HP ProCurve (Vernier)
(Diagram: access control decided by role, schedule, location and user, enforced on IP address, port, time and VLAN.)