Protecting the Passwords
When you use a program that requires a password, you assume it will be kept secure. This assumption is dangerous, especially on a Windows Mobile device. Typically, third party passwords are not encrypted. If they are, then it is a fairly simple matter to crack many of the encryption methods, thus exposing the original value. In this section we will highlight how you can find these passwords, with numerous examples to prove the point.
There are several tools that will assist in your registry viewing. The first is the registry viewer included with Visual Studio. This program is not free, but you can obtain a 120 day trial version from Microsoft's website. To augment this program, we also used an internal (Airscanner) tool that dumps the entire registry, and a free program called PHM Registry Editor (http://www.phm.lu/Products/PocketPC/RegEdit/).
The first group of examples stores the user account information in plaintext right under their registry key in the HKLM\Software or HKCU\Software branch. Figure 1 illustrates how a program called VeriChat stores your user information.
Figure 1: VeriChat User/Pass storage
As the figure shows, both the username and password are plainly readable.
The following is a list of programs that were examined and found to have similar issues. Some store the information in the registry, and others simply keep it hidden in a configuration file.
- VeriChat — Chat program
- IM+PPC — Chat program
  - \Program Files\IMPlus\implus.cfg
- Agile — Chat program
- MSN Messenger Force
- Imov Messenger — Chat program (Enterprise version is encrypted)
- File Transfer Anywhere — File transfer program
  - \HKLM\Software\TTXN\File Transfer Anywhere
- NeoFTP — FTP client
  - \Program Files\neoFTP\FTP_Hosts.lst
- Thunderhawk — Web browser
- RemoteKeyboard — PC to PDA keyboard
The above list represents those products that do not protect the user information. The key thing to realize is that if someone were able to gain access to a PDA for even a few seconds, the listed registry entries and files could be quickly viewed or copied out to an external memory card.
Password Exposure Bugs
To help protect against such easy attacks, some programs do encrypt the user information. Unfortunately, these protections are sometimes flawed, which results in exposed account information. This can occur either through a software bug, or by implementing a weak/flawed proprietary method of encryption. The following illustrates a few examples.
BullGuard is an antivirus program that requires a valid account to update the virus database. Each time the update occurs, the AV software sends the email address and password used to register the software to their server over an encrypted channel. This protects that information during transmission. Unfortunately, the copy of that password stored on the local device is protected with a weak encryption scheme.
In addition to being able to decrypt existing passwords, we discovered that certain passwords are "shortened" thanks to a flawed encryption algorithm. Figure 2 illustrates this bug. The highlighted data is where the encrypted password "ssssssss" should be stored. Note that there is nothing between the semicolon and the 0x0D and 0x0A. As you can see, the stored password is effectively blank! Unfortunately, this is just one of many passwords a user could choose that the scheme reduces to a blank stored value.
Figure 2: BullGuard Registry Entry
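The page does not say which algorithm BullGuard uses, so the following is an added, constructed example (not BullGuard's code) of one common way a stored password ends up empty: a byte-wise transform whose output is copied as a NUL-terminated C string. The key, the password values and the "name;value" line layout are assumptions; the round-trip check at the end is the test that would have caught it.

```python
# Added example, not BullGuard's code. Reproduces the symptom described above
# (a chosen password stores as an empty value) with a constructed scheme: a
# repeating-key XOR written out through a NUL-terminated string. The key and
# the registry line layout are assumptions made here.

KEY = b"s3cr3t"   # constructed key; picked so that 's' in position 0 maps to 0x00


def weak_transform(data: bytes, key: bytes = KEY) -> bytes:
    """Repeating-key XOR: any byte equal to its key byte becomes 0x00.
    XOR is its own inverse, so this both 'encrypts' and 'decrypts'."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def store_as_c_string(data: bytes) -> bytes:
    """Models copying the buffer with strlen()-style code: everything from the
    first 0x00 onward is silently dropped."""
    return data.split(b"\x00", 1)[0]


def registry_line(password: bytes) -> bytes:
    """Models the 'name;<stored value>' line followed by 0x0D 0x0A seen in
    Figure 2 (layout assumed)."""
    return b"Password;" + store_as_c_string(weak_transform(password)) + b"\r\n"


def round_trips(password: bytes) -> bool:
    """The check a developer should run before shipping: decrypt what was
    actually stored and compare it with the original."""
    stored = store_as_c_string(weak_transform(password))
    return weak_transform(stored) == password


if __name__ == "__main__":
    print(registry_line(b"ssssssss"))          # nothing between ';' and CR LF
    print(round_trips(b"ssssssss"), round_trips(b"mypassword"))
```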
Although not related to password storage, it is important to note BullGuard stores its virus pattern matching information in a plaintext file that lists the virus and its pattern. For example, the following is the entry for the WinCE Duts virus.
This is a bad idea for two reasons. First, a malicious program can simply patch the virus definition file with an incorrect value, thus ensuring it won't be considered a virus. Second, BullGuard includes an auto-delete function that could become an attack tool if a malicious program inserted a pattern that matched all executable and DLL files on the PPC (i.e. ReallyBadVirus=4d5a9000).
Abidia and OAnywhere
The mobile device is an excellent tool for remotely monitoring services. In the case of Abidia and OAnywhere, this service is eBay.com and Overstock.com account monitoring. Once the PDA software is installed and configured, the application will poll the online auction websites for updates on items selling, buying, etc.
The dangers for this type of program are threefold. First, the user account information must be securely stored on the device. Second, if the program ever has to handle the sensitive data, it must be able to ensure the confidentiality of that information during program execution. Third, the program must securely transmit the data to the service provider.
In the case of Abidia, the user information is stored in an XML file in the program directory. Fortunately, the eBay account data is encrypted (e.g. ebaypass="2F6DD0EEDA6168A7FE2A3AC47436A8720399FB4797DE422E"). After reviewing the encryption scheme, we determined that it appeared to be secure enough given the time involved to crack it. However, during this investigation, we discovered that the executable file itself could be used to decrypt the password. As previously mentioned, if a program stores a password, it must maintain the confidentiality of the data at all times. In the case of Abidia, it was fairly simple to follow the execution path and hook into the program after it decrypted the password, which we were then able to display on the PDA's screen.
Finally, we examined the data communication process to ensure the user account information was securely transmitted. We discovered that the program interacts with an API interface on Abidia's servers, which serves as a proxy to eBay. The following is an actual capture of the plaintext HTTP POST request sent from our Windows Mobile device.
POST /api/get.php?user=sethfogie&pass=mypassword&serial=&imei=22363230F84031111800%2D0050BFE45CE5&site=US&dbg=y&name=buy HTTP/1.1
Host: api.abidia.com
User-Agent: Abidia-Wireless/2.5.3 (PocketPC; 240x320; WindowsMobile/5.1.70)
Accept: text/html
Content-Language: en-US
Connection: Close
Content-Length: 93
Content-type: application/x-www-form-urlencoded
In case you missed it, take a close look at the POST string. Abidia does not encrypt the user or password. Since this was all performed over a regular HTTP session, anyone in the data transmission path — including Abidia — can capture the account information. It is dangerous enough to trust a third party company with user account information, but the fact that the username and password are sent as plaintext is very insecure, particularly if you are using a wireless connection and/or a public hotspot.
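The check below is an added example, not Abidia's code: it parses the captured request above and reports which credentials and device identifiers travelled in the clear, masking the values so the report itself does not re-leak them. The set of parameter names treated as sensitive is an assumption; the request body was not captured, so it is left empty.

```python
# Added example, not Abidia's code. Checks a captured HTTP request for credentials
# sent in the clear. Sample is the request captured above (body not captured, left
# empty); the parameter names treated as sensitive are an assumption.
from urllib.parse import parse_qsl, urlsplit

CREDENTIAL_PARAMS = {"user", "username", "login", "pass", "password", "pwd", "token"}
DEVICE_ID_PARAMS = {"imei", "serial"}

SAMPLE_REQUEST = (
    "POST /api/get.php?user=sethfogie&pass=mypassword&serial="
    "&imei=22363230F84031111800%2D0050BFE45CE5&site=US&dbg=y&name=buy HTTP/1.1\r\n"
    "Host: api.abidia.com\r\n"
    "User-Agent: Abidia-Wireless/2.5.3 (PocketPC; 240x320; WindowsMobile/5.1.70)\r\n"
    "Accept: text/html\r\n"
    "Content-Language: en-US\r\n"
    "Connection: Close\r\n"
    "Content-Length: 93\r\n"
    "Content-type: application/x-www-form-urlencoded\r\n"
    "\r\n"
)

def parse_request(raw):
    """Split a raw request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body

def mask(value):
    """Keep only the first character and the length, so the report never re-leaks the secret."""
    return value[:1] + "*" * (len(value) - 1) if value else ""

def find_exposed_credentials(raw, over_tls=False):
    """Return (location, name, masked_value) for every credential or device id sent
    in the clear. Query-string values are the worst case: they also end up in proxy
    and server logs, not just on the wire."""
    if over_tls:
        return []
    _method, target, headers, body = parse_request(raw)
    pairs = [("query", n, v) for n, v in parse_qsl(urlsplit(target).query)]
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        pairs += [("body", n, v) for n, v in parse_qsl(body)]
    return [(where, name, mask(value)) for where, name, value in pairs
            if value and name.lower() in CREDENTIAL_PARAMS | DEVICE_ID_PARAMS]
```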
Windows Mobile WEP Key
The Odyssey client included with the original (WM2003) Dell X50v stores the WEP keys as encrypted strings in the registry. When the network connection is made to the secure network, the driver pulls these values from the registry, decrypts them, and then incorporates the key into the communication process. However, during this process, the driver writes the decrypted value back into the registry. The problem is not Odyssey's, as that program does encrypt the key, but is instead a flaw in how all three (Windows Mobile, Dell wireless driver, Odyssey) work together.
The following illustrates the problem. The key entered was KEY1=aabbccddee; bytes 5 through 9 of the stored value hold it in the clear:
"HTCWEPDefaultKey1"=hex: 01,00,00,00,aa,bb,cc,dd,ee,8c,f6,36,1d,af,90,17,5b,00,f6,36,1d,af,00,00,00...
After we notified the vendors, this problem was fixed in current versions of Windows Mobile, and there is a ROM update that will correct the problem for the Dell Axim X50v.
According to the website, "PocketMoney is the most robust financial management tool for the Pocket PC." With it, you can "Store the institution, phone, account number, expiration date, limit, fee for each account. Now you can even password protect your PocketMoney data from prying eyes!"
To keep the information safe, PocketMoney requires a user to enter a password before opening its data file. An "encrypted" version of the password is stored in the registry at the HKLM\SOFTWARE\Handmark\PocketMoney\Password key. Unfortunately, the password is protected via a ROT-N function using the following seed value:
0x21 0x70 0x6d 0x6f 0x6e 0x65 0x79 0x21 (ASCII: ! p m o n e y !)
In other words, the protection of the password (and the financial data) is tied directly to the word "pmoney" (sound familiar?). Regardless of the key chosen, a ROT-N scheme is always a bad idea because it is trivial to do a pattern analysis on the encrypted data and deduce the key.
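To show why a seeded ROT-N gives no real protection, here is an added example (not PocketMoney's code) using the seed bytes listed above. Treating the scheme as a byte-wise rotation by a repeating seed is an assumption about how ROT-N is applied; the two analyses shown, period detection on a repeated-character password and key recovery from one known password, work against any scheme of that shape.

```python
# Added example, not PocketMoney's code. The seed bytes are the ones listed
# above; rotating each byte by a repeating seed is an assumption about how the
# ROT-N is applied. It shows how little work deducing such a key takes.

SEED = bytes([0x21, 0x70, 0x6D, 0x6F, 0x6E, 0x65, 0x79, 0x21])  # "!pmoney!"


def rot_n(data: bytes, seed: bytes = SEED, direction: int = 1) -> bytes:
    """Rotate each byte by the matching seed byte (seed repeats), mod 256.
    direction=1 encrypts, direction=-1 decrypts."""
    return bytes((b + direction * seed[i % len(seed)]) & 0xFF
                 for i, b in enumerate(data))


def find_period(ciphertext: bytes, max_period: int = 32):
    """Pattern analysis: if the password is one repeated character, the stored
    value repeats with the seed's period, which gives away the key length
    without knowing anything else about the scheme."""
    n = len(ciphertext)
    for period in range(1, min(max_period, n) + 1):
        if all(ciphertext[i] == ciphertext[i % period] for i in range(n)):
            return period
    return None


def recover_seed(known_plaintext: bytes, stored_value: bytes) -> bytes:
    """Known-plaintext analysis: with one password whose stored form is known,
    every seed byte the password covers is just stored minus plain. A password
    as long as the seed yields all of it."""
    return bytes((c - p) & 0xFF for p, c in zip(known_plaintext, stored_value))


if __name__ == "__main__":
    print(find_period(rot_n(b"a" * 16)))                    # 8: the seed length
    print(recover_seed(b"password", rot_n(b"password")))     # b'!pmoney!'
```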
In this section we looked at several examples of how not to protect user account information. Unfortunately, this problem is widespread throughout Windows Mobile programs. Be sure you understand the dangers associated with trusting a program to keep your user account information secure, and always use unique passwords.