16th Sep '08

Securing your PDA or Pocket PC running Windows Mobile

This blog is brought to you by SpamStopsHere, the e-mail security company.

If you’re like me and travel with a PDA or Pocket PC, you likely keep data on it that requires some privacy protection and security. If your PDA is also a phone, you may have additional problems keeping it safe. Securing your PDA or Pocket PC doesn’t have to be difficult with the right tools.

Locking your device

For a couple of years, I carried around two separate devices, a PDA and a mobile phone. At the time, the PDA that I was using was a Hewlett-Packard iPAQ Pocket PC. Most HP PDAs at the time had a tool called “HP ProtectTools” built into their firmware. This protected the data on the PDA with either a simple four-digit PIN or a strong passphrase combined with AES encryption.

The ProtectTools package secured the device whenever it was put to sleep, or the device could be configured to lock itself after a period of inactivity. This encryption was so deeply embedded that it would even survive a hard reset of the device. If you lost the device, you could be sure that not only would no one be able to access your data, but that no one would be able to use the device either. Whoever recovered your device wouldn’t be able to get past the “My Info” page, where your contact information and your offer of a reward for the device’s return are displayed. As long as the person in possession of your device couldn’t use it, I always figured that they might be inclined to actually return it.

Approximately six months ago, I retired my PDA and my mobile phone when I upgraded to a single HTC PDA phone. This new device was running Windows Mobile 6, which supports a device lock without any additional software from the device manufacturer.

Windows Mobile 6 supports a simple PIN or a strong passphrase; however, it doesn’t use encryption. The protection is solely reliant on the software lock feature. Although the device can’t be operated without the unlock code, the data could likely be accessed by disassembling the device. This lock doesn’t survive a hard reboot, but the fact that my device is a phone that uses an ESN means that I can simply report the phone as stolen, and it couldn’t be used by someone else on the same network. It could still be used as a PDA, though. I don’t see any real incentive for anyone finding my device to return it, however.

Windows Mobile 6 supports encrypting the data on any removable flash memory cards, so that the memory cards can only be read on the device. This prevents someone from simply removing a memory card to steal data. This version of Windows Mobile also supports remotely resetting an unlock code or remotely wiping the device when it is used together and synced with a Microsoft Exchange server (running Exchange 2003 SP2 or newer).

When setting an unlock code, it’s important to use a strong passphrase, and not just a four-digit numeric PIN.

On The Fly Encryption (OTFE)

One problem with locking a PDA that is also a mobile phone is that you can’t call anyone when the device is locked, except for 911, and it’s very difficult to type in a passphrase while driving. While some people may find it useful to prevent others from using their phone and accessing their contact list without their permission, I simply find this annoying.

I couldn’t care less about people using my phone or calling my friends and relatives should they get hold of my PDA. I don’t store customer contacts in my phone, and I only care to protect the application data on my PDA. It’s very annoying that there isn’t a locking mechanism just for the PDA features of the device that leaves the phone features unlocked. As a result, I don’t use the locking feature that comes with Windows Mobile 6.

To encrypt only my PDA data, I use on-the-fly encryption, also known as OTFE or real-time encryption. On-the-fly encryption allows one to encrypt a partition or file. The encrypted data can be accessed freely by “unlocking” it at the beginning of the session.

I use OTFE to create an encrypted partition on my PDA where I store all of the data for my PDA applications. When I access the PDA features of my device, I mount the encrypted volume by typing in my passphrase. Once mounted, the encrypted partition acts like a regular directory. When I’m done with the PDA features, I unmount the encrypted volume, securing it again.

The software package that I use is called FreeOTFE, which is a free, open-source program that runs on Windows Mobile 5 and Windows Mobile 6. It has numerous hash and encryption algorithms to choose from, and many advanced security features. One important feature that it lacks, which some commercial products have, is automatic unmounting of the encrypted volume after a period of inactivity. If I were to lose the device while the encrypted volume was mounted, or if I were to forget to unmount it when I was done, my data would be vulnerable unless the device was turned completely off, and not just put to sleep.

I e-mailed Sarah Dean, the software project owner, about the plans for adding this important functionality, but haven’t had a response. That doesn’t stop me from highly recommending this software to people with PDA phones, however.
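As an added illustration of what an inactivity unmount would do (example code written for this post, not the author’s setup or FreeOTFE’s own code): the volume’s key exists in memory only between mount and unmount, every access checks an idle clock, and the key is dropped once the timeout has passed. The passphrase check, PBKDF2 key derivation and the SHA-256 keystream cipher are constructed stand-ins; FreeOTFE’s real container format and algorithms differ.

```python
import hashlib, hmac, os, time

class LockedError(Exception): pass

def _keystream_xor(key, nonce, data):
    # Counter-mode keystream from SHA-256; a stand-in for the AES modes FreeOTFE offers.
    out = bytearray()
    for block, i in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

class IdleLockVolume:
    # The key lives in RAM only while mounted and is dropped after idle_timeout seconds unused.
    def __init__(self, passphrase, idle_timeout=60.0, clock=time.monotonic):
        self.salt, self.idle_timeout = os.urandom(16), idle_timeout
        self._clock = clock      # injectable so the timeout can be tested without sleeping
        self._key, self._last_used = None, 0.0   # _key is None while unmounted
        self._store = {}         # name -> (nonce, ciphertext): what actually sits on flash
        # A header MAC lets mount() reject a wrong passphrase without touching file data.
        self._header_mac = hmac.new(self._derive(passphrase), b"header", "sha256").digest()

    def _derive(self, passphrase):
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), self.salt, 100_000)

    def mount(self, passphrase):
        key = self._derive(passphrase)
        if not hmac.compare_digest(hmac.new(key, b"header", "sha256").digest(), self._header_mac):
            return False
        self._key, self._last_used = key, self._clock()
        return True

    def unmount(self):
        self._key = None         # forget the key; only ciphertext remains on the device

    def _touch(self):
        # Idle check on every access: the automatic unmount the post says FreeOTFE lacks.
        if self._key is not None and self._clock() - self._last_used > self.idle_timeout:
            self.unmount()
        if self._key is None:
            raise LockedError("volume is not mounted")
        self._last_used = self._clock()
        return self._key

    def write(self, name, data):
        nonce = os.urandom(16)
        self._store[name] = (nonce, _keystream_xor(self._touch(), nonce, data))

    def read(self, name):
        nonce, ct = self._store[name]
        return _keystream_xor(self._touch(), nonce, ct)
```

Putting the device to sleep does not clear RAM, which is why only a timer-driven unmount (or a full power-off) closes the window described above.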
