A vulnerability in Microsoft ActiveSync 4.x has been found that allows an attacker to discover the device password of a Windows Mobile smartphone. Normally you can lock your Windows Mobile phone by setting a password. Even if someone uses ActiveSync to connect to your phone they still need to enter the password before they get access to your email and private data.
The vulnerability is in the method ActiveSync uses to encrypt the password before it sends it to the phone. An attacker who can sniff the network connection that ActiveSync runs over the USB cable can capture the encrypted password, and because of the way it is encrypted, the decryption key is effectively included in the transmission, one copy of the key for every character of the password. Once the attacker has the decryption key, they also have your password.
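To show concretely why an encoding that carries its own key alongside every character is no protection at all, here is an added illustrative example. It is not ActiveSync's real encoding and not code from McAfee or Microsoft: the `PW` field marker, the length byte and the "(key byte, character XOR key byte)" pair layout are assumptions made here so that the "key included once per character" property is literal rather than merely effective. The decoder plays the role of the sniffer on the host PC and needs no secret to recover the password from a captured byte stream.

```python
"""
Added illustrative example (not ActiveSync's actual wire format).

Hypothetical wire format, constructed for this example:
    b"PW" + <length byte> + N pairs of (key_byte, char XOR key_byte)
Every pair carries a copy of the single key byte, which is exactly the
weakness the post describes: whoever captures the link has the key.
"""
from typing import Optional

FIELD_MARKER = b"PW"  # assumed marker, not a real ActiveSync constant


def weak_encode(password: str, key: int) -> bytes:
    """Encode the password the weak way: each character travels with the key."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    body = bytearray()
    for ch in password.encode("ascii"):
        body += bytes([key, ch ^ key])
    if len(body) > 0xFF:
        raise ValueError("password too long for this toy format")
    return FIELD_MARKER + bytes([len(body)]) + bytes(body)


def recover_password(capture: bytes) -> Optional[str]:
    """Sniffer side: pull the password out of captured link traffic.

    No key is supplied; it is read off the wire, pair by pair.
    Returns None if no well-formed field is present.
    """
    start = capture.find(FIELD_MARKER)
    if start == -1 or start + 3 > len(capture):
        return None
    length = capture[start + 2]
    body = capture[start + 3 : start + 3 + length]
    if len(body) != length or length % 2:
        return None

    chars = bytearray()
    keys_seen = set()
    for i in range(0, length, 2):
        key_byte, enc = body[i], body[i + 1]
        keys_seen.add(key_byte)
        chars.append(enc ^ key_byte)

    # Every pair must carry the same key. The repetition is itself a tell:
    # a sniffer can use "same byte at every even offset" to locate the field.
    if len(keys_seen) != 1:
        return None
    try:
        return chars.decode("ascii")
    except UnicodeDecodeError:
        return None


# Constructed capture: unrelated bytes around the encoded password field.
CONSTRUCTED_CAPTURE = (
    b"\x00\x11\x22noise"
    + weak_encode("s3cret!", 0x5A)
    + b"\xff\xfe trailing"
)


def demo() -> str:
    """Recover the password from the constructed capture without the key."""
    recovered = recover_password(CONSTRUCTED_CAPTURE)
    print("recovered password:", recovered)
    return recovered or ""


if __name__ == "__main__":
    demo()
```

The point of the example is that `recover_password` is the attacker's tool and takes no key argument: everything needed to undo the encoding is on the wire, so sniffing the link is equivalent to reading the password in the clear.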
Fortunately, while this is an interesting vulnerability it’s not likely to be heavily exploited. There are a few obstacles in the attacker’s way.
First, the password only crosses the USB link between the phone and the ActiveSync host PC, and that link can only be sniffed from the host PC. In practice the attacker therefore needs physical access: the phone has to be connected by USB to a PC the attacker controls or has a sniffer running on.
Second, the vulnerability only affects the password as it is sent from the PC to the phone. The user has to enter the correct password into ActiveSync on that PC before there is anything to capture; if the attacker can't get the user to do that, there is nothing to steal. The Windows Mobile phone never sends the password back to the ActiveSync PC, so simply plugging a locked phone into a hostile PC does not reveal it.
At McAfee Avert Labs we have been looking into other possible attacks on Windows Mobile smartphones, especially those carried out with malware. We've recently published some of our research in a white paper titled "Mobile Malware: Threats and Prevention".
Among the topics it covers:
- Text Messaging (SMS interception)
- Audio and Video (Remote eavesdropping)
- File format attacks (Malicious .DOC,.XLS files)
We’ve also included a number of ways to prevent these attacks.