
Microsoft responds on security hole in MPx200 - OFFICIALLY


www.msmobiles.com

Nov 14, 2003, 10:02:39 PM

read here:

http://msmobiles.com/news.php/1642.html

... sorry folks, I just went for the weekend, started
reading my eBooks and then came this story.

see you on monday ! this time for good.

The PocketTV Team

Nov 14, 2003, 10:35:43 PM

"www.msmobiles.com" <nos...@msmobiles.com> wrote in message
news:054401c3ab24$ede424b0$a401...@phx.gbl...
>
> read here:
>
> http://msmobiles.com/news.php/1642.html
>


"AT&T Wireless has a consistent policy about allowing customers to load
applications across the range of smart devices it offers and the policy has
not lead to security issues. "

>>> the policy has not lead to security issues <<<

That's gonna change when some smart guy writes malicious applications for
the MPx200 that snoop on the phone's contacts, emails, etc and send all that
out on the net.

I would be very worried to know that any application can access all the
privileged API's on the phone without me knowing.

They have not explained why they felt it's better to turn OFF security
completely, rather than providing a "minimum" security like Verizon does on
the i600, i.e. still protecting the privileged API's.

Yes, of course, you can tell people that if they install a virus or
malignant app, it's their fault. But is that what people want to hear ?

Or do people want their devices to be somehow secure so that their private
data are safe (especially contacts), while at the same time it is not
totally application-locked.

That "official" answer from Microsoft worries me about as much as the
security hole itself.


The PocketTV Team

Nov 14, 2003, 10:50:48 PM
"www.msmobiles.com" <nos...@msmobiles.com> wrote in message
news:054401c3ab24$ede424b0$a401...@phx.gbl...
>
> read here:
>
> http://msmobiles.com/news.php/1642.html
>

<<Since applications must be installed by the customer they cannot run on
customers’ phones without their knowledge.>>

In fact this is absolutely NOT TRUE!!!

It is possible to run an application without installing it on any Pocket PC
or Smartphone.

Just make it "auto-run" on an SD Card (call it autorun.exe and place it in
the 2577 folder on the Card). Insert the SD Card in the device et voila!

The application will run on the MPx200 with Kernel privileges.

If the application does not show any window, you cannot even tell that it is
running. So you can install a virus, trojan or any malicious application
just by inserting an SD Card in your phone.

It would be easy to make a Windows-CE virus that replicates itself by
writing itself on each SD card you insert in your device. You don't need the
MPx200 to do that, it would actually work with any Smartphone and Pocket PC.

But on the MPx200, such a virus could be more dangerous since it could
access all the privileged API's. Also the case on any Pocket PC, by the way
(since there is almost no security on Pocket PC's).

Microsoft has some guts to write <<the policy has not lead to security
issues>>.

Well, they say "has not", not "does not" or "will not"... Hummmmm...
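
A defender-side check for the auto-run path described in this post, as an added example that is not part of the original thread: it scans a card mounted on a desktop reader for `autorun.exe` in the `2577` folder and renames any hit before the card goes into a device. The function names, the `.quarantined` suffix and the sample card layout are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

# Folder and file name are the ones named in the post above. Matching is
# case-insensitive because storage cards are FAT-formatted.
AUTORUN_DIRS = {"2577"}
AUTORUN_NAME = "autorun.exe"


def find_autorun(card_root, autorun_dirs=AUTORUN_DIRS):
    """Return [(path, size, sha256)] for auto-run executables on a mounted card."""
    hits = []
    try:
        with os.scandir(card_root) as top:
            folders = [e for e in top if e.is_dir(follow_symlinks=False)]
    except OSError:
        return hits  # card not mounted or unreadable
    for folder in folders:
        if folder.name.lower() not in autorun_dirs:
            continue
        with os.scandir(folder.path) as children:
            for child in children:
                if not child.is_file(follow_symlinks=False):
                    continue
                if child.name.lower() != AUTORUN_NAME:
                    continue
                with open(child.path, "rb") as fh:
                    data = fh.read()
                digest = hashlib.sha256(data).hexdigest()
                hits.append((child.path, len(data), digest))
    return hits


def quarantine(hits):
    """Rename each hit so it no longer has the auto-run name; return new paths."""
    moved = []
    for path, _size, _digest in hits:
        target = path + ".quarantined"  # hypothetical suffix
        os.rename(path, target)
        moved.append(target)
    return moved


def demo():
    """Scan a constructed card layout built in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "2577"))
        os.makedirs(os.path.join(root, "Videos"))
        # Constructed sample files, not real executables or media.
        with open(os.path.join(root, "2577", "AutoRun.EXE"), "wb") as fh:
            fh.write(b"MZ constructed sample")
        with open(os.path.join(root, "Videos", "clip.mpg"), "wb") as fh:
            fh.write(b"constructed media file")
        before = find_autorun(root)
        quarantine(before)
        after = find_autorun(root)
        return len(before), os.path.basename(before[0][0]), len(after)


if __name__ == "__main__":
    print(demo())
```

The recorded SHA-256 gives a stable value to compare when the same file turns up on other cards.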


Robert Levy [MVP]

Nov 14, 2003, 11:04:31 PM
[removed crosspost to .pocketpc]

So when was the last time you let a stranger pop their SD card into your
phone?

--
Robert Levy
http://RobertLevy.NET
http://SmartphoneThoughts.com
Microsoft MVP - Mobile Devices, Smartphone


"The PocketTV Team" <do-not-rep...@pockettv.com> wrote in message
news:uVPcnuyq...@TK2MSFTNGP09.phx.gbl...

The PocketTV Team

Nov 14, 2003, 11:10:35 PM

"Robert Levy [MVP]" <ms...@distopia.org> wrote in message
news:erMNS2yq...@TK2MSFTNGP11.phx.gbl...

> [removed crosspost to .pocketpc]
>
> So when was the last time you let a stranger pop their SD card into your
> phone?

I do that all the time to exchange audio and video files.

It would probably be easier with Bluetooth, but most of my devices don't have
that, and Infra-Red is way too slow to transfer files of more than a few KB.

Do you have another way to exchange large files ?

I have seen *many* SD cards move around from device to device at the last
CTIA Wireless in Las Vegas...


The PocketTV Team

Nov 14, 2003, 11:11:53 PM

"Robert Levy [MVP]" <ms...@distopia.org> wrote in message
news:erMNS2yq...@TK2MSFTNGP11.phx.gbl...
> [removed crosspost to .pocketpc]

The cross-post to Pocket PC was relevant, since the auto-run security issue
also affects them.


Monkey Wrench

Nov 15, 2003, 6:17:38 AM
>> So when was the last time you let a stranger pop their SD card into your
>> phone?
>
> I do that all the time to exchange audio and video files.

Ah.. BTW, are those audio and video files copyrighted
material ??? ;-) In that case, u probably deserve to
have a virus on ur phone .. LOL

Michael Thwaite

Nov 15, 2003, 12:37:09 PM
In my opinion the MS comments are surprisingly reckless given the current
state of affairs in the desktop world. I wonder if my suspicions of the
Smartphone division being under-funded could be why or what has led to
these comments.

Smartphone is, to most of the world, a new product and whilst I think that
Orange went a little too far on the app signing front and as a developer I
can't afford to have all my apps tested (Pocket PC team have made some very
sound points on that subject) a balance needs to be struck.

We all know that if we write, say a web app that takes payments and someone
hacks the payment company's DB WE will take the blame, it's just life...
you'all remember the Poodle in Microwave urban rumor!

If AT&T ships a phone with a potential exploit... Well, let's be assured
that I'm not the only one typing right now.

I urge MS and AT&T to revisit this promptly because the MS detractors and
the press at large would eat up the first Smartphone exploit and they'd not
paint a pretty picture!

I'd hate to see Smartphone being beaten at birth.

Michael

PS: could always bundle the patch in the 2003 Update ;-)


"The PocketTV Team" <do-not-rep...@pockettv.com> wrote in message
news:uVPcnuyq...@TK2MSFTNGP09.phx.gbl...

Eric Hoffman

Nov 15, 2003, 1:26:11 PM
I believe MS itself is to blame for their own fault not the press or any
other identity. Even if the SmartPhone OS just appeared in the States, it
has been deployed over one year ago in Europe, so you cannot call it
something new or with 'teething problems' anymore. It only shows how juvenile
the whole approach to security taken at Microsoft is. Before they attempted
to lock everything down, now everything is open.... judge for yourself.


Eric


"Michael Thwaite" <nn...@Thwaite.NET> wrote in message
news:bp5o8...@enews3.newsguy.com...

Robert Levy [MVP]

Nov 15, 2003, 1:35:49 PM
> If AT&T ships a phone with a potential exploit... Well, let's be assured
> that I'm not the only one typing right now.

Let's be clear on something... this is no more of a "potential exploit" than
is the fact that people can write desktop or even Pocket PC Phone Edition
apps that can interact with hardware, the registry, and the file system
without restrictions. I think this whole thing is being blown far out of
proportion.

Here's what it boils down to: AT&T is now selling a Smartphone device that
is just as secure as any Pocket PC Phone Edition device.

Was this intentional? I don't know. Is it going to cause you any problems?
Highly unlikely unless somebody writes a virus, puts it on an SD card, and
manages to put that SD card into your device. One thing is for sure
though - I've never seen a virus on my Pocket PC and those things have been
out for a long time with significant market share.

We've complained about Orange locking their devices down so tightly. We've
complained about Microsoft making poor choices as to which APIs should
require special permission from mobile operators. We've complained about
bugs in the way that Mitac and Samsung have implemented a partial lockdown.
And now we're complaining that AT&T fully empowers developers?

--
Robert Levy
http://RobertLevy.NET
http://SmartphoneThoughts.com
Microsoft MVP - Mobile Devices, Smartphone

"Michael Thwaite" <nn...@Thwaite.NET> wrote in message
news:bp5o8...@enews3.newsguy.com...

The PocketTV Team

Nov 15, 2003, 4:17:34 PM
> Ah.. BTW, are those audio and video files copyrighted
> material ??? ;-) In that case, u probably deserve to
> have a virus on ur phone .. LOL

Yes, of course they are copyrighted, but they are also FREE - this is not
incompatible. There is lot of audio and video content that is free albeit
copyrighted.

For example www.pocketmovies.net has lots of video formatted for Smartphone
that is free.

I also produce video myself using a Mini DV Camera.

Anyway that's off topic!


The PocketTV Team

Nov 15, 2003, 4:43:01 PM
"Robert Levy [MVP]" <ms...@distopia.org> wrote in message
news:%23uUeKd6...@TK2MSFTNGP11.phx.gbl...

> > If AT&T ships a phone with a potential exploit... Well, let's be assured
> > that I'm not the only one typing right now.
>
> Let's be clear on something... this is no more of a "potential exploit" than
> is the fact that people can write desktop or even Pocket PC Phone Edition
> apps that can interact with hardware, the registry, and the file system
> without restrictions. I think this whole thing is being blown far out of
> proportion.
>
> Here's what it boils down to: AT&T is now selling a Smartphone device that
> is just as secure as any Pocket PC Phone Edition device.

You meant to write "as insecure as any Pocket PC"... since Pocket PC's are
not secure at all. On the other hand Smartphone were supposed to have a
certain level of security. The lack of security on Pocket PC is not really
a big problem as long as the devices are not connected. But when they have
a permanent wireless connection, it may become a problem (i.e. security of
Contacts, Documents and other personal/confidential info in the device may
be easily compromised).

> Was this intentional? I don't know.

We'd like to know! If it was not intentional, it's amazing that AT&T and
Motorola did not run any basic test to check the security configuration of
the MPx200. And I think they have a way to correct that OTA (Over the Air),
don't they ?

> Is it going to cause you any problems?
> Highly unlikely unless somebody writes a virus,

Someone will.

> puts it on an SD card, and
> manages to put that SD card into your device.

Or put it in a popular downloadable freeware game, or better, make it so
that it can propagate from phone to phone without having to be installed
(would you swear that there is not another security hole allowing to do that
? there were many such holes in Windows desktop versions!). It's so easy
to download a file by clicking on a link on a web page. You can download
CAB files. On the Pocket PC, you can have CAB files that install silently,
with no message displayed! - is that not possible on Smartphone ?

> One thing is for sure
> though - I've never seen a virus on my Pocket PC and those things have been
> out for a long time with significant market share.

It's not "fun" to make a virus unless millions can be infected. Pocket PC
is still a "small" market, most are not well connected to the network.
Smartphone will be connected permanently to a network, and there will be
many of them. Wait and see.

> We've complained about Orange locking their devices down so tightly.

That's the choice made by european carriers. It's their choice.

> We've
> complained about Microsoft making poor choices as to which APIs should
> require special permission from mobile operators.

... and from developers. Yes, I wish this could be reviewed by MSFT, i.e.
there are some API's that are privileged and should not be (e.g. getting the
processor type, getting the device unique ID, and similar API with no
security risk).

> We've complained about
> bugs in the way that Mitac and Samsung have implemented a partial lockdown.

So ? They made mistakes. They did not test well, maybe because MSFT did not
provide some tests to check the security configuration.

> And now we're complaining that AT&T fully empowers developers?

Yes. It would have been better to have the minimum level of security. I
would prefer, really. Of course it's cool that apps can detect the
processor type and get the device unique ID on the MPx200, but that could be
possible without turning the security OFF completely.

And when applications require privileged certificates, it should be easier
to obtain those. Currently it is impossible, the privileged certificates
are locked in the manufacturer's and carrier's safes.

I think the current solution chosen by AT&T is not the best. The best would
be to:

- Have some level of security (i.e. like all other un-locked Smartphones)
- That MSFT redefines the privileged API's so that no API is privileged
unless it really has a security risk. They should do that in the next OS
version.
- Make it easier for reputable developers to get access to (revocable)
privileged certificates when they need them.


The PocketTV Team

Nov 15, 2003, 6:21:27 PM
> Smartphone is, to most of the world, a new product and whilst I think that
> Orange went a little too far on the app signing front and as a developer I
> can't afford to have all my apps tested (Pocket PC team have made some very
> sound points on that subject) a balance needs to be struck.

You mean PocketTV Team ?

You don't need to have your application tested in order to get it signed.
All you need is to purchase "signature events" from Geotrust. Then your app
will run fine on all locked smartphones.

Testing is for "logo certification", i.e. to get the official "seal" that
allows your app to be listed in the Microsoft-sponsored M2M (Mobile to
Market) catalog.

There are many problems currently with logo certification and M2M, some of
which are mentioned in this document:
http://www.pockettv.com/smartphone-logo-bugs.html . But that's off-topic
here.

Signing Smartphone applications is not a problem, but this does not give
you access to any privileged API. For that, you need a privileged
certificate, and it seems almost impossible to get those.


The PocketTV Team

Nov 16, 2003, 1:40:59 AM
Actually even the title of Microsoft's official answer is incorrect:

"Comments from Microsoft on the decision of AT&T Wireless to allow customers
to load applications onto their Motorola MPx200 phones at their own
discretion"

That's not the issue!!!

All the other unlocked Smartphones (e.g. Verizon/Samsung i600) *also* allow
the user to install Smartphone applications at their own discretion,
including applications that do not have a Smartphone certificate.

The issue with the MPx200 is that it allows applications to run in "Kernel
mode" with un-limited privileges, rather than running them in "User mode"
and preventing them from accessing the "Privileged" API's (that are authorised
only to trusted applications). If any application can access the Privileged
API's, the device is unsafe and the user's data is not even remotely
protected against tampering. I believe that you need to use a Privileged API
to access the contacts and phone numbers stored on the phone. On the MPx200,
any application can access all your contact info.

So Microsoft did not yet really answer this specific security issue with the
MPx200...


The PocketTV Team

Nov 16, 2003, 5:53:02 AM
From http://www.dnjonline.com/articles/mobility/apr03_security.asp :

<<Privileged Trust means the application has a valid signature and a
certificate that allows it access to all system resources. Very few
applications will need this level of trust.>>

<<If code-signing is not enforced then unsigned applications will default to
the Unprivileged Trust level. However operators will still have to provide a
signing mechanism for applications that need access to resources at the
Privileged Trust level.>>

But on the MPx200, every application has the Privileged Trust level!

I really don't know how we should thank AT&T... maybe a nice bouquet of
flowers ?

From http://download.baltimore.com/download/pdf/BaltimoreSmartPhone.pdf :

<<Privileged APIs may include sensitive functionality such as accessing the
SIM card, the telephony API or the Operator network. An application that
has uncontrolled access to these APIs may (intentionally or unintentionally)
disrupt an Operator’s network and cause customer dissatisfaction.>>

From
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsmtphn/html/devappsp.asp

<<Security measures that can be added to Smartphone include [...] preventing
untrusted EXEs and DLLs from accessing critical system resources; [...]
These and other security options are designed to prevent the most likely
security issues related to Smartphone use, including spoofing, tampering,
information disclosures, and denial of service.>>

Now, let's see what interesting things can be done by taking advantage of the
unlimited trust level nicely provided by AT&T on the MPx200...

Any good idea, anyone ? :)


Nicolas Bacca (invalid email)

Nov 16, 2003, 7:01:55 PM

"The PocketTV Team" <do-not-rep...@pockettv.com> wrote
>
> Now, let's see what interesting things can be done by taking advantage of the
> unlimited trust level nicely provided by AT&T on the MPx200...
>
> Any good idea, anyone ? :)
>
>

Run a Flash player :)

btw let's hope no virus will be written - with privileged access the OS
EEPROM can be flashed, which is not very nice (especially if the bootloader
is erased)


The PocketTV Team

Nov 16, 2003, 7:08:20 PM
> let's hope no virus will be written

No, the question is: how many days/months before we see one...


"Nicolas Bacca (invalid email)" <nicola...@libre-en-anglais.fr> wrote in
message news:uwFKF4J...@TK2MSFTNGP10.phx.gbl...

Robert Levy [MVP]

Nov 16, 2003, 7:23:23 PM
Let's not forget that the clock is still ticking for Pocket PC which has the
same level of security

--
Robert Levy
http://RobertLevy.NET
http://SmartphoneThoughts.com
Microsoft MVP - Mobile Devices, Smartphone


"The PocketTV Team" <do-not-rep...@pockettv.com> wrote in
message news:uDslp7Jr...@TK2MSFTNGP10.phx.gbl

The PocketTV Team

Nov 16, 2003, 7:33:20 PM
"Robert Levy [MVP]" <ms...@distopia.org> wrote in message
news:eAJpCEKr...@TK2MSFTNGP12.phx.gbl...

> Let's not forget that the clock is still ticking for Pocket PC which has the
> same level of security

I know... and that was not a problem when most of the Pocket PCs had no
network connectivity.

Now, with all those new Phone Edition, WiFi and Bluetooth Pocket PC's, it
may become a problem.


Robert Levy [MVP]

Nov 16, 2003, 7:41:18 PM
fwiw, PPC Phone Edition has been on the market for about a year and half now

--
Robert Levy
http://RobertLevy.NET
http://SmartphoneThoughts.com
Microsoft MVP - Mobile Devices, Smartphone


"The PocketTV Team" <do-not-rep...@pockettv.com> wrote in
message news:OV0snJKr...@TK2MSFTNGP12.phx.gbl
