A European company has released software that corrects a possible weakness in the way Windows Mobile 6 encrypts memory cards plugged into smartphones.
Without the software, data encrypted by Windows Mobile 6 on an SD card can become unreadable. That’s because the Microsoft software stores the encryption keys only in the phone’s internal flash memory and doesn’t keep a copy of them anywhere else.
If a user has to do a hard reset, which deletes all records and entries on the device and restores factory default settings, the encryption keys are lost. Data on the card, encrypted by those keys, can’t be unscrambled.
Aiko Solutions has just released Version 1.1 of its SecuBox for Pocket PC, an encryption program for Windows-based handhelds. The new version specifically adds an encryption-key backup feature. The backup can be stored on the user’s PC or on any other storage media, according to the vendor, which is located in the Republic of Moldova.
For security purposes, the key backup can itself be encrypted and password-protected.
Microsoft introduced the media card encryption feature, and the ability to wipe the data remotely, when it unveiled Windows Mobile 6 earlier this year. Microsoft developers blogged about the new capability, which uses the powerful AES 128 encryption algorithm. Encryption is enabled by simply selecting a checkbox. The operating system encrypts the data on the card and places a key in the device’s internal flash memory.
But a blog entry also noted that this step now ties the storage card to that specific device. “The encryption is tied to a unique ID created upon Hard Reset of the device. You cannot move the encrypted card to another device without first decrypting the card.”
A subsequent FAQ, by another Microsoft developer, acknowledged: “If the device is reset and internal flash is cleared, the decryption keys are lost. If the keys were preserved, it would be easy to access the storage card of a stolen device by just cold booting the stolen device and clearing its storage, then re-inserting the stolen card.”
“There isn't any key escrow or recovery in this release. We realize this is very important to many enterprise customers,” the developer wrote.
No fooling. “It is difficult to recommend a feature like this for widespread adoption when there is really no way for the enterprise to implement any measure of systemic solution for key escrow and recovery,” said one blog poster, identified as Wayne Anderson. “This is one of the critical components of implementing an effective PKI solution and use of EFS [Microsoft Encrypted File System] in the enterprise.”
“My personal experience with the volume of key recovery requests over time would lead me to believe that implementation of a security schema to protect on-board storage without some measure of protection of the users from themselves is doomed to data loss,” Anderson wrote.
Aiko’s SecuBox is an encryption application for protecting user passwords, corporate and customer data, security codes and so on loaded on Windows-based handhelds. The software encrypts selected data and decrypts files on the fly as the user calls for them. When a decrypted file is saved, it’s automatically re-encrypted. It includes a software ‘meter’ that calculates and shows the relative strength of a given password chosen by the user.
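The key-escrow gap the Microsoft developers and Anderson describe, modelled as an added Go example (not Microsoft's or Aiko's code): the card key lives only in simulated internal flash, a hard reset destroys it, and a password-wrapped backup of the kind SecuBox adds is the only way to read the card again. The type and function names, the AES-GCM mode and the hash-chain stretching are assumptions made for illustration.

```go
package main

import ("crypto/aes"; "crypto/cipher"; "crypto/rand"; "crypto/sha256"; "errors")

// Device models the handset: the card key lives only in internal flash.
type Device struct{ flash []byte }

// NewDevice generates a random AES-128 card key, as enabling card encryption does.
func NewDevice() *Device { k := make([]byte, 16); rand.Read(k); return &Device{flash: k} }
// HardReset clears internal flash, which is exactly what destroys the card key.
func (d *Device) HardReset() { d.flash = nil }

// seal and open are AES-GCM helpers with the nonce prepended to the ciphertext;
// aes.NewCipher rejects a nil key, so both fail after a hard reset.
func seal(key, pt []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil { return nil, err }
	n := make([]byte, g.NonceSize()); rand.Read(n)
	return g.Seal(n, n, pt, nil), nil
}
func open(key, ct []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil || len(ct) < g.NonceSize() { return nil, errors.New("no usable key or ciphertext") }
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}
func gcm(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(blk)
}

// EncryptCard and DecryptCard use whatever key is currently in flash.
func (d *Device) EncryptCard(pt []byte) ([]byte, error) { return seal(d.flash, pt) }
func (d *Device) DecryptCard(ct []byte) ([]byte, error) { return open(d.flash, ct) }

// kek derives a key-encryption key from the backup password (assumed design).
// The hash chain is a crude stand-in for stretching; use PBKDF2, scrypt or Argon2 in practice.
func kek(password string, salt []byte) []byte {
	k := sha256.Sum256(append(append([]byte{}, salt...), password...))
	for i := 0; i < 100000; i++ { k = sha256.Sum256(k[:]) }
	return k[:16]
}

// BackupKey wraps the card key under the password so a copy can live on a PC.
func (d *Device) BackupKey(password string) ([]byte, error) {
	if len(d.flash) != 16 { return nil, errors.New("no card key to back up") }
	salt := make([]byte, 16); rand.Read(salt)
	w, err := seal(kek(password, salt), d.flash)
	if err != nil { return nil, err }
	return append(salt, w...), nil
}
// RestoreKey unwraps a backup into flash; a wrong password fails the GCM tag check.
func (d *Device) RestoreKey(backup []byte, password string) error {
	if len(backup) < 16 { return errors.New("malformed backup") }
	k, err := open(kek(password, backup[:16]), backup[16:])
	if err != nil { return err }
	d.flash = k
	return nil
}
```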
Comments (2)
Where's the problem?!
By Anonymous on August 31, 2007, 5:40 am
Who cares - it's a mobile handset! The data on the card is nearly always an end-user's personal photos, music and other guff. Any business related files are on...