Default Security Policies For HTC Touch Pro Not So Secure

Recently I bought a new cell phone: the HTC Touch Pro. Great mobile phone. Opera Mobile Web surfing is handled great. The Sprint EV-DO Rev A network is fast and it’s the most stable smart phone I’ve had so far. As a security researcher naturally I had to dig deeper into how secure this mobile phone actually is. I quickly found out things that make me wonder if the mobile handset industry has learned anything from the desktop industry as far as protecting consumers.

The first thing I did was look at the default security settings of the mobile phone. Microsoft mobile keeps the policies in the registry under HKLM\Security\Policies\Policies. These policies are also documented at http://msdn.microsoft.com/en-us/library/ms890461.aspx along with the recommended settings to use as a security baseline at http://msdn.microsoft.com/en-us/library/ms889564.aspx. The first thing I noticed is that some policy settings on my phone are, by default, different from the recommended settings. Below is the analysis on two of these changed policy settings:

SL Message Policy
Recommended Default: 2048 – SECROLE_PPG_TRUSTED
Value on HTC Touch Pro: 0000100c: 2112
Changed Value: (SECROLE_PPG_TRUSTED | SECROLE_USER_UNAUTH)

SI Message Policy
Recommended Default: 3072 – (SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED)
Value on HTC Touch Pro: 0000100d: 3136
Changed Value: (SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED | SECROLE_USER_UNAUTH)

These policy settings define WAP Push SI (Service Indication) and SL (Service Load). WAP was designed to be used by operators, administrators, and others to push software updates or even ringtones directly to the phone. For some unknown reason the HTC Touch Pro has broken from the recommended security policy and added a flag (SECROLE_USER_UNAUTH) that allows unauthenticated WAP Pushes from anyone. What does this mean? It means that an attacker can send a WAP push telling you to install spyware, like FlexiSpy, which gives them full control of your mobile handset. Once installed, the attacker can obtain your private data, your passwords, call logs, and even eavesdrop using the microphone. Sound familiar? And don’t think that it has to be a WAP push with a WAP gateway etc. That’s not the only impact these settings have. A specially crafted SMS can have the same effect as sending the WAP push through a gateway. A binary SMS message can contain a WAP SL Push (using SL as it can be used to force the downloading of spyware without user intervention or prompts) that instructs the mobile handset to go to a specific URL, get the spyware, and run the spyware after receiving it. In this case, all the attacker would need is the mobile handset phone number to send the binary SMS message to.

Further research showed that binary SMS doesn’t seem to work on Sprint’s CDMA network. Although, it is reported it does work on GSM networks such as AT&T. This makes me wonder what the default security policy is for WAP Pushes on AT&T’s version of the HTC Pro Touch, the HTC FUZE. In any case, unless you know you absolutely need this flag, set these security policies to the Microsoft recommended default value of 2048 and 3072 respectively. I use PHM Registry Editor although any registry editor for Windows Mobile can be used.