Talk: Windows Pwn 7 OEM – Owned Every Mobile?

René Pfeiffer/ September 19, 2011/ Conference

Windows Phone is an operating system for mobile phones. Similar to other operating systems it has security features such as sandboxing applications, APIs for exchanging data across applications and isolation of storage built in. It also offer methods for encrypting data on the phone itself. There’s more documentation out in the Internet or directly available at Microsoft’s web site. So, this is good, right? In theory, yes. In practice currently very little public information is available about Windows Phone 7 OS security preventing adequate determination of the risk exposed by WP7 devices. This does not refer to the documentation. It’s all about assessing risks, and risk assessment can’t be done by looking at APIs.

Alex Plaskett will talk about WP7 security in-depth. He will address the ever increasing challenges and stages of exploitation an attacker has to overcome to achieve full compromise (implying that there might be something like a compromise). The talk will outline the implementation of these security features and will demonstrate weaknesses and vulnerabilities an attacker could use to bypass the multiple levels of platform security. You will hear about a number of OEM manufacturer weaknesses (widely known as „features“ among security experts) and how these “features” can be abused in conjunction with conventional exploits to achieve full compromise of the phone (did we mention demonstration yet?). OEM phone manufacturers can weaken the security posture of an otherwise strong granular security model, so your risks is tied to your actual vendor. Targeted attacks can be made which leverage this OEM “functionality” to compromise sensitive information (useful for deployment of Windows Phone in companies and attacks against these companies).

Even though security design has entered the mindset of mobile platform developers, there are still vendor implementations deliberately or accidentally weakening security. If you plan to deploy or have deployed mobile devices based on Windows Phone, you need to know what you are dealing with.

Share this Post

About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.