looks at security issues related to mobile phones running on the Windows OS
Copyright © 2005 Virus Bulletin
So, I got myself a smartphone with a 400 MHz Intel Xscale CPU, 128 MB of memory and a fast, EV-DO Internet connection that hits 7-800kbit/s at times. It's brilliant. With it, you can load and edit Word and Excel files, run a fair few executables and read your email, as well as wonder why website designers don't take into account us poor sods with 320 x 240 screens (yes, I know about Bitstream Thunderhawk and its 800 x 600 virtual resolution display).
Sites do load fast though, even if I can't actually make out a great deal of many. On top of that, the music, video, MSN IM, and Skype capabilities mean that I hardly ever use the smartphone for making mobile phone calls.
The phone is, however, a device that runs Windows as its operating system. More specifically, Windows Mobile 2003 Second Edition build 14132. I'm cool with that, but where's that Windows Update function to keep it safe and sound? After all, it does run Internet Explorer (albeit sans active content) and Outlook.
Before the current smartphone, I had another one that ran (and still runs) Windows for Pocket PC 2002. However, I can't upgrade that to Windows Mobile 2003 SE.
Does this lack of updates mean that Microsoft's programmers have created an impenetrable device with which I can stumble around the Internet? I understand that this is an entirely different hardware platform from Intel IA32, but still, it has a powerful processor and fast Internet access, so surely it must be a juicy target for malware writers.
I decided to put my concerns to Microsoft. My first port of call was Microsoft's New Zealand office (MSNZ), where I was told that it is the vendor and/or the device manufacturer's responsibility to furnish customers with updates. Next, I tried contacting the vendor and the manufacturer of the smartphone with my concerns, but drew a blank with both, so I went back toMicrosoft with my doubts.
This time around, Brett Roberts, MSNZ's manager of platform strategy and security, took some time to explain how it all works and to allay my fears of a hacked smartphone with thousand dollar bills (the monopoly telco in New Zealand charges an arm and a leg for mobile data).
First, Brett told me: 'the first thing to consider is the difference between Windows Mobile and our operating system on the desktop, and in turn the resulting difference in upgrade venues and frequency.'
He added: 'Microsoft's relationship with PC owners is direct in many ways - we update software through Windows Update. In the mobile world the operator or device maker owns the device image and is responsible for updating the software.'
He was keen to stress Microsoft's dedication to improving software and security though, saying, 'I stress that Microsoft is continually updating its software and providing updates to operators and OEMs which they, in turn, can use for new devices and those already in the hands of customers. The updates we provide are mostly based upon direct customer (OEM, Operator) feedback in terms of 'fixes'.'
I didn't feel that the answers I had been given had really told me very much, so I decided to fire some more specific questions at Brett regarding smartphone updating. In the following dialogue I am Mr Q, and Brett is Mr A.
Is it safe to use my Windows Mobile device without updates?
'Strategically, there are three key areas with respect to security on the Windows Mobile platform:
'Across each of these areas are secure software development processes, training and testing as part of the larger Microsoft Trustworthy Computing Initiative to help ensure that Windows Mobile software is secure. Additionally, Microsoft works to ensure that we enable a rich ecosystem of third-party security providers to provide additional security that may be required beyond what is provided natively in the platform.
'As an end-user, two of the most important things you can do to protect your device are:
'Perimeter defence can be as simple as taking advantage of the strong password support provided natively in the platform or employing third-party solutions that enable you to wipe the device data if too many incorrect passwords are entered. Similarly, just as you exercise caution in the type of applications you download on to your PC, you should exercise the same care with your mobile device. If you don't trust the source of the application, you should not download it.'
What is different about the Pocket PC that makes it 'invulnerable' so that it does not require regular updates?
'Microsoft believes that no software is invulnerable to security threats. As mentioned above, employing the functionality that exists natively is the primary line of defence. Using a device PIN for perimeter security and knowing the source of the applications you download and run are the most important things that an end user can control.
'Depending on the nature of security required, third-party security solutions may provide an additional level of security - for example, data encryption. Microsoft does provide periodic updates to the Windows Mobile software to our device-maker partners. Depending on where device makers are in their development cycle and commercialisation process, they may or may not elect to make these updates available.'
Why is it so easy to update Windows (and other OS) regularly, and why is it not the same for the Pocket PC?
'The ease of updates for Windows on the desktop has been a convergence of two important factors:
'Windows Mobile software is different in several ways from that of the desktop software with respect to updates. First, it is important to understand how the handheld device differs from the PC. Windows Mobile is a rich platform that provides an integrated telephony, PIM (Protocol Independent Multicast) experience. The robustness of the platform also enables unique solutions and applications to be built upon it. When a device manufacturer creates a Windows Mobile-based device, they integrate the Windows Mobile software with their own hardware, ensuring that the drivers (which interface between the software and the hardware) are optimised for their hardware and ensure integration with any applications or solutions experiences they might be adding.
'For connected devices (i.e. telephony-enabled devices), further optimisations may be required for each device model for each mobile operator network, in effect creating numerous similar, yet distinct products. Because the smartphone/connected-device space is so nascent, there is still a lack of standardisation of device drivers between hardware manufacturers. In addition, unlike PCs where the operating system is on a hard drive, Windows Mobile images are flashed to ROM, meaning that the update process requires a unique flashing mechanism on each hardware platform.
'This has significant implications on ubiquitous updates: mobile software updates must work seamlessly across a permutation of unique hardware and mobile operators' network optimisations. Accordingly, any software update must currently occur via tight integration of the software provider, the device maker and the mobile operator.
'Until the mobile device hardware reaches a sufficient level of maturity, the most effective and reliable way to deploy updates is for the platform provider to provide a software update to the device maker, who in turn creates a specific update for a specific device on a specific mobile operator, who then would roll out to the end customer.'
Does Microsoft have any plans to provide an update service like Windows Update for Windows Mobile-based devices?
'While we cannot comment on specific plans for future releases, Microsoft continues to investigate ways to provide a more seamless update experience of Windows Mobile-based devices for device makers, mobile operators and end users.'
Sony provides regular updates to its mobile phone operating systems, incidentally. Should, perhaps, Microsoft work with vendors to ensure that they release regular updates and not just abandon year-old products?
'While we cannot comment on competitors' practices, for Windows Mobile products, we certainly make upgrades available to OEMs who have in the past offered it to end users. However, the decision on whether or not to make an upgrade available to their customers is a decision on the part of the device maker who must create the upgrade and the mobile operator who will help roll it out.'
Could you elaborate on Microsoft's commitment to security on the Windows Mobile platform?
'Microsoft takes the security across all of its products seriously and Windows Mobile is no exception. Windows Mobile software is part of Microsoft's larger Trustworthy Computing Initiative. As part of that initiative, later versions of Windows Mobile software have been undergoing rigorous security reviews during development and developers are given special training on secure software development practices. We also strive to provide a rich open platform that enables our valued partner ecosystem to develop additional software applications and solutions to help respond to security needs in the marketplace.
'Microsoft utilises a multi-pronged strategy to empower businesses and users with a more secure mobile computing experience.