A European company has released software that corrects a possible weakness in the way Windows Mobile 6 encrypts memory cards plugged into smartphones.
Without the software, data encrypted by Windows Mobile 6 on an SD card can become unreadable. That’s because the Microsoft software stores the encryption keys in the phone’s internal flash memory and doesn’t keep a copy of them.
If a user has to do a hard reset, which deletes all records and entries on the device and restores factory default settings, the encryption keys are lost. Data on the card, encrypted by those keys, can’t be unscrambled.
Aiko Solutions has just released Version 1.1 of its SecuBox for Pocket PC, an encryption program for Windows-based handhelds. The new version specifically creates an encryption key backup feature. The backup can be stored on the user’s PC or on any other storage media, according to the vendor, which is located in the Republic of Moldova.
For security purposes, the key backup can itself be encrypted and password-protected.
Microsoft introduced the media card encryption feature, and the ability to wipe the data remotely, when it unveiled Windows Mobile 6 earlier this year. Microsoft developers blogged about the new capability, which uses the powerful AES 128 encryption algorithm. Encryption is enabled by simply selecting a checkbox. The operating system encrypts the data on the card and places a key in the device’s internal flash memory.
But a blog entry also noted that this step now ties the storage card to that specific device. “The encryption is tied to a unique ID created upon Hard Reset of the device. You cannot move the encrypted card to another device without first decrypting the card.”
A subsequent FAQ, by another Microsoft developer, acknowledged: “If the device is reset and internal flash is cleared, the decryption keys are lost. If the keys were preserved, it would be easy to access the storage card of a stolen device by just cold booting the stolen device and clearing its storage, then re-inserting the stolen card.”
“There isn't any key escrow or recovery in this release. We realize this is very important to many enterprise customers,” the developer wrote.
No fooling. “It is difficult to recommend a feature like this for widespread adoption when there is really no way for the enterprise to implement any measure of systemic solution for key escrow and recovery,” said one blog poster, identified as Wayne Anderson. “This is one of the critical components of implementing an effective PKI solution and use of EFS [Microsoft Encrypted File System] in the enterprise.”
Comments (2)
Where's the problem?!
By Anonymous on August 31, 2007, 5:40 am
Who cares - it's a mobile handset! The data on the card is nearly always an end user's personal photos, music and other guff. Any business related files are on...
Windows Mobile 6 encryption fix is pitched
By Microsoft Subnet on April 13, 2007, 6:33 pm
A European company has released software that corrects a possible weakness in the way Windows Mobile 6 encrypts memory cards plugged into smartphones. Without the...