Is the Handheld PC really Anti-Virus?

Chris Tilley | Editor-in-Chief
August 28, 2006

Windows CE is an interesting breed. It is only two years younger than the desktop Win32 (on which Windows XP is based), and yet unlike its more widespread counterpart there has not been a single destructive virus, worm, Trojan, hijack or exploit in its entire history. This is a record that Windows XP can only dream of.

So what is the secret of Windows CE’s security success? It goes without saying that CE is written no better (or worse) than its desktop counterpart. Both products came out of the same Microsoft coding policy; later generations of both operating systems are products of the Microsoft Secure Programming initiative and, on the face of it, many of the APIs involved are almost identical.

The real reason behind Windows CE’s security record and its trustworthiness is a combination of common sense and good luck. Windows CE has proven more trustworthy because mobile devices are traditionally disconnected, have a small footprint, experience fast turnover, and come from a multi-processor heritage.

Shoe Size

As an embedded operating system, the entire ethos of the platform is to minimise the device’s footprint, and as a result Windows CE lives up to its name as an embedded operating system. Because the hardware is expected to be limited in memory and to serve only as a client device, system developers are not offered a number of the familiar system services which Microsoft provides for mainstream Windows. Those that have been carried over are scaled-down, restricted and reduced API versions of their larger counterparts. What this means in practice is that there are far fewer ways in which a Windows CE device can be attacked. The system is listening on far fewer communication ports than Win32, and, crucially, the network layer is exclusively one way - this is why you cannot access your Handheld PC from another PC over a network file share.
The reduced number of services results directly in fewer exploitable components with vulnerabilities. This in turn makes the propagation of malicious code between devices much harder: while one device may be compromised by a network-borne nasty that is actively seeking targets, by default any other given CE device is less likely to be listening or, for that matter, vulnerable to infection.

TrustworthIE computing

Of the entire series of publicly acknowledged mainstream Windows exploits over the last couple of years, the majority fall into three categories.

  • Buffer underruns/overruns
  • Internet Explorer weaknesses
  • Service exploits

While service exploits, particularly in the RPC service have proven the most high profile and embarrassing for Microsoft, it is Internet Explorer that is by far the most troublesome part of the Microsoft mix.
The browser’s quirks are many and deep-rooted, and while pundits on both sides can offer strong arguments, ultimately Internet Explorer’s weakness is its own success. It is popular with users and so offers attackers a large target audience; after all, every day your Web browser - no matter what browser it is - touches hundreds if not thousands of lines of other people’s code. For this reason alone, it makes an appealing target. This is not the case, however, with Windows CE.
The embedded version of Internet Explorer, whether it be Pocket Internet Explorer or Internet Explorer CE, may look very similar to its desktop counterpart, but it is in fact a completely different set of code, written to a different HTML, JScript, VBScript and XML engine. The CE version is not as closely linked with the system shell, and can be removed easily by OEMs. Since Internet Explorer 4.0, Microsoft has increasingly tied together the user environment and the browser on the desktop, in some cases making them virtually indistinguishable - and therefore offering more chances for malicious code to probe deeper into the system. Under Windows CE the browser was rewritten, and throughout its successive enhancements and updates has retained its original mantra - to run on a small form factor. Pocket Internet Explorer under Windows CE .NET takes up as little as 4.3 MB of your device’s ROM image, compared to between 25 and 80 MB on the desktop. Quite simply, by sheer weight of numbers, exploits designed to target the desktop version will not apply on Windows CE.

E-mail scripting exploits are likewise all the more difficult, since the native Inbox client is disconnected from the scripting capabilities of Internet Explorer. Infection through e-mail becomes a matter of getting the user to run an application in an attachment, instead of getting them to click on a link or open a message.
Despite the small uncertainty involved, there have been two notable exceptions to this rule, where a microcosm of a desktop exploit has filtered down to its mobile counterpart. The first surrounds password caching security, and the second, higher-profile instance was a URL obfuscation exploit discovered by AirScanner (www.airscanner.com/tests/ie_flaw/ie_attack.htm). Neither provided any means to damage the device or its contents, targeting instead the end user and probing for information (phishing); they do serve, though, as a reminder of the necessity of considering security on any platform.

Out With The Old

The next problem for the prospective virus writer is the generational change between CE devices. With every step in the platform release cycle, and even the core release cycle, Microsoft makes significant changes to the underlying operating system. Any Windows CE user who has upgraded through several generations of device will know that ultimately there are going to be programs that cease operating. Whether we like it or not, PDAs are still something of a niche market - particularly the H/PC - which reduces the potential scope for an attack. Although device volumes have increased drastically over the last two years, seeing Microsoft emerge ahead of Palm for the first time, that dominance has been built up over several platform releases. Historically Microsoft has announced a platform release every 12 months and delivered one on average every 18 months. Once that happens, older models become obsolete, the already small target device yield falls, and malicious coders have to seek new exploits, write new code and find new delivery systems in order to target the latest platform.
The only reliable way for malicious coders to ensure the longevity of their questionable wares is to ignore the system’s API and target its fundamentals. Programmers can achieve this by writing the code in the processor’s G1L assembly language, bypassing the OS as much as possible. Fortunately this is something that the vast majority of programmers are unable to do, and in some ways it limits the exploitable routes into the system (while opening a small number of new ones).

One cannot discuss security on an embedded platform without looking at the sociological safeguards. Windows CE has traditionally been a disconnected platform. In the past, if a device was connected to the Internet at all, it was for short periods of time, and over very slow connections. The connectivity model has changed markedly in recent years; however, the fact remains that the majority of users will remain disconnected the majority of the time. Having targets that are disconnected for extended periods rules out mobile devices as an appealing target for Trojan and most worm writers, as they will ultimately have little to no access to the device for their mischief.

The Uniformal ARM

Before the end of 2001 there was an additional turn-off for wannabe virus writers. It may be simple to write a virus for the x86 PC and wreak havoc because there is a chance you are knowledgeable in that processor’s architecture. Before the release of Pocket PC 2002, however, the volume of Windows CE based devices was shared among a number of different processor architectures. For every processor architecture introduced, be it StrongARM, SH3, or MIPS, a completely different set of code is required and, in the case of G1L, a completely different programming method.
The biggest hindrance to the programmer is that the disparate systems ultimately mean the malware will not be able to cross-propagate its payload, and so the appeal of writing code for a further diluted group of devices is lost.

After the 2001 release of Pocket PC 2002, Microsoft changed tack and began to push for a unified processor standard. This standard became the SA1100 architecture - better known as StrongARM - and its hybridised successor the PXA250, aka XScale. The move, in all but Core OS releases, consolidated the resources of the Windows CE developer base, reducing many of the problems in compiling and testing which had dogged Windows CE from its early days. Conversely, the move ushered in the first steps towards getting CE noticed as a viable target, with its consumer popularity blossoming to new heights.

Windows Mobile 5.0 Closes Doors

With the release of Windows Mobile 5.0, it should also be noted that Microsoft is in a far better position to respond to any significant threat opened up by the increasing use of network and wide-area network connectivity. Unlike previous versions, where a patch was an intrusive drain on precious ‘Storage Memory’ resources, or a difficult, expensive (for the OEM) and often risky image re-flash, Windows Mobile 5.0 allows patches to be integrated dynamically into the FlashROM. Such a facility should, if it ever needs to be called into use, dramatically reduce the time it has traditionally taken to get Microsoft and OEMs to respond to CE security problems. It is far cheaper and safer for the end user, and therefore in the best interest of the OEM, to provide the update. Distribution outlets could be issued with alerts ensuring that they tell the buyer about the update at the point of sale - or even apply it for them. This will help stop malicious exploits dead in their tracks.

Windows CE: The Windows Without The Danger

If you are a Windows CE user, then you should feel pretty safe in your mobile computing lifestyle. Firstly, there is far less to go wrong, and it is also far less likely that someone will attempt to exploit or attack your PDA to begin with.
However, as the SAS say, “He who dares wins”. No computer can ever be completely safe from the most determined of minds. There have been a small number of concept viruses created to prove that Windows CE can be exploited just like any other operating system. CE viruses such as WinCE4.Dust (www.airscanner.com/pr/dust0715.html) were simply proof-of-concept and largely unworkable as anything other than a case in point. There has been a single instance of a successful Trojan (the so-named Backdoor.Brador.A); however, it required manual interaction from the user to install it, and propagation came through conventional means rather than through a security exploit.

Windows CE remains an exceptionally safe platform. There were no newly reported virus or Trojan activities during 2005 or so far this year, just as was the case during 2003 and 2002. The flurry of warnings that made headlines in 2004 were the exception, not the rule.
On the surface it all seems good for Windows CE users. Unfortunately it is not quite as rosy as it seems. The concept cases of 2004 demonstrate that it is possible to launch a considered attack on the Microsoft Windows Mobile device community. Despite the mastery and elegance of the Windows CE concept, it is a platform that offers little to no corporate-level security provision, either in the workings of the operating system or from the perspective of user interaction.
One of the best quotes I have heard summing up Windows CE’s security misgivings comes from Cyrus Peikari, CEO of mobile security firm AirScanner, who, when commenting on the implications of the Brador Trojan, stated “the Windows CE architecture is about as secure as a default Windows 95 was a decade ago.” (www.informit.com/articles/article.asp?p=337069).

There is a real and credible threat to Windows CE right now, for any generation of device and for any user. Anti-virus companies realised early on that the biggest threat to the PDA is from a Trojan. Unlike most system Trojans, however, it is the device itself which acts as the mule. Windows CE may be oblivious to the presence of malicious code lurking in the recesses of your device, but the PC you synchronise with every day certainly is not. If you synchronise mobile content, surf the web, download files or even sync your PIM, you are opening up a trusted connection between two systems, and in the absence of credible security software, what passes between the two can potentially be anything but welcome.

The risks outlined here are currently negligible, but that situation can change overnight; and with it the face of mobile computing.
As mentioned at the beginning of this article, Windows CE’s saving graces have been its ‘disconnected’ background, the fact that there is less to be exploited, the intrinsic difficulty in getting the code onto the system in the first place, and plain good luck.
The one lesson that people should take away with them from this article is that there is a community of malicious computer users who are mindful of the rise in popularity of mobile technologies, and are thinking actively about ways to exploit it.

So we must fall back onto the old adage that prevention is the best form of cure.

I am not an advocate of using anti-virus scanners on PDA class devices. It’s detrimental to battery life, and in the modern age of solid-state storage chips and FlashRAM, repeated scanning of the storage area may not be ideal for preserving the life span of your investment. I prefer to rely on a host solution, one that will monitor the sync transfers, provide heuristic scanning capabilities, and can make use of the greater resources of the PC for easier scans of the PDA. For future generations of always-connected Windows CE devices, however, it may not be this straightforward, and the ideal may in itself have to be - through necessity - relegated to the day-dreamer’s dustbin.
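The "device as mule" scenario described above and the host-side monitoring of sync transfers preferred here can be made concrete with a small piece of policy logic. The following is an added example written for this article and is not code from the original piece or from any sync or anti-virus product: it inspects each file staged for a sync session on the host PC, parses the PE header far enough to read the COFF Machine field and the optional-header Subsystem field, and holds any executable for review, labelling Windows CE binaries (Subsystem value 9, or an ARM, SH3 or MIPS Machine value) separately from Win32 ones. The function names, the `SAMPLE_FILES` staging set and the header-only sample images are all constructed for the demonstration; the machine and subsystem constants come from the PE/COFF format.

```python
import struct

# Machine values from the PE/COFF specification (IMAGE_FILE_MACHINE_*).
MACHINE_NAMES = {
    0x014C: "x86",
    0x01C0: "ARM",
    0x01C2: "Thumb",
    0x01A2: "SH3",
    0x0166: "MIPS R4000",
}
CE_MACHINES = (0x01C0, 0x01C2, 0x01A2, 0x0166)

# Optional-header Subsystem values (IMAGE_SUBSYSTEM_*).
SUBSYSTEM_WINDOWS_GUI = 2
SUBSYSTEM_WINDOWS_CE_GUI = 9


def inspect_pe(data: bytes):
    """Return (machine, subsystem) for a PE image, or None if data is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need the PE signature, the 20-byte COFF header and the first 70 bytes of
    # the optional header (Subsystem sits at offset 68 in both PE32 and PE32+).
    if e_lfanew + 24 + 70 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    machine, _nsect, _ts, _psym, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    if opt_size < 70:
        return None  # object file or truncated header: no Subsystem field to read
    subsystem = struct.unpack_from("<H", data, coff + 20 + 68)[0]
    return machine, subsystem


def classify(data: bytes) -> str:
    """Label a blob crossing the sync boundary (constructed policy, not an AV verdict)."""
    info = inspect_pe(data)
    if info is None:
        return "not-pe"
    machine, subsystem = info
    if subsystem == SUBSYSTEM_WINDOWS_CE_GUI or machine in CE_MACHINES:
        return "wince-executable"
    return "win32-executable"


def scan_sync_staging(files):
    """files maps file name to contents; returns (name, verdict) for every executable."""
    return [(name, classify(data)) for name, data in files.items()
            if classify(data) != "not-pe"]


def build_minimal_pe(machine: int, subsystem: int) -> bytes:
    """Construct a header-only PE image for the demonstration (not a real program)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew: PE header follows the DOS stub
    opt = bytearray(96)                             # PE32 optional header, standard fields only
    struct.pack_into("<H", opt, 0, 0x10B)           # Magic: PE32
    struct.pack_into("<H", opt, 68, subsystem)      # Subsystem field
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed staging set standing in for the files queued by a sync session.
SAMPLE_FILES = {
    "setup_arm.exe": build_minimal_pe(0x01C0, SUBSYSTEM_WINDOWS_CE_GUI),
    "hostsync.exe": build_minimal_pe(0x014C, SUBSYSTEM_WINDOWS_GUI),
    "notes.txt": b"meeting at 3pm\n",
}

if __name__ == "__main__":
    for name, verdict in scan_sync_staging(SAMPLE_FILES):
        machine, _ = inspect_pe(SAMPLE_FILES[name])
        print(f"HOLD {name}: {verdict} ({MACHINE_NAMES.get(machine, hex(machine))})")
```

The point of the check is where it runs: on the host, which has the resources to do it, rather than on the device. It only identifies executables by their headers; a real host solution would pass the held files to a signature or heuristic scanner, and would also need to look inside CAB installers, which this header check does not open.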

In the meantime, no matter what breed of device you use, you should take advantage of the security capabilities already built into your device. Ensure that your important data is backed up, and sync with a host PC regularly. Protect your device. No matter how much the mobile community changes in response or reaction to what lies ahead, the biggest security threat to your PDA will never be from the incorrigible virus writer, or the hordes of script kiddies which plague the good reputation of the Internet. The real danger is from the opportunist, the reprobate who snatches the device off the table and heads off at a sprint while you are sipping coffee in a café on a lazy summer afternoon.
Ultimately, proactive thought and pre-emptive action are all it takes to stay safe with your PDA. So don’t let the thought of your Handheld PC device catching some unpronounceable bug keep you up at night… at least not for the time being.

