I’m Feeling Insecure

The other day I was looking for a free yet decent GTalk client. Found something on Google and though the project’s homepage TLD was .ru I installed it anyway, banged in my gmail account and password, signed on, didn’t have anyone to GTalk with, signed off and uninstalled the software. The next morning I couldn’t log into my Gmail account; apparently the password had been changed.

I’m not going to identify the software’s name or developer in this article because that’s just not enough evidence to go ahead and accuse someone of this sort of crime on a blog and there are many other possible explanations to account for this. But because this had never happened to me before, because I had a strong Gmail password that I don’t use on anything else, because my computer appeared to be clean and because of the timing of the two events and that .ru TLD, it has spooked me into addressing an issue of vulnerability to which Windows Mobile users are especially vulnerable. Again, I’m not saying it was necessarily the Russians. Could have been the Chinese.

I’ve cleaned my share of phone-home viruses from many a Windows computer in my life. Sometimes I fire up a DOS prompt and glance at a netstat to make sure my machine didn’t open up a connection to Lithuania upon booting. Think about it: It has got to be a piece of cake for the people behind such software to do the same for Windows Mobile, the biggest hindrance that I can think of being that because cell phones tend to be behind bizarre NAT and proxy setups and don’t run too many services with open ports so the only vector of attack would be a user manually installing software. Still, that’s good enough if you want to collect some Gmail accounts and have a torrented copy of Visual Studio.

Due to its unique openness in the user’s ability to do whatever he wants with the phone without having to go through a centralized software distribution system, that user will do what I did, wander around Google to find software to install without thinking twice about something like a signed certificate or a sandbox environment. We presume we’re pretty safe from this dark world and I think we’re right. Why? Because there just aren’t enough of us to make it worth the hackers’ while. We’re not a high-value target it seems. We’ve had a negative net growth since what, 2004? Windows users have traditionally used that logic, that we only have a clean track record because no one cares about trying to hack into our zone, on offense when attempting to criticize Macs as being just as inherently insecure in accounting for the lack of viruses Macs and Linux relative to Windows but I never bought that. In this case however I do, that we are the dog so deeply underneath everyone else that even though we are wide open to identity thieving software it’s not something we worry about but perhaps we take this security through obscurity a little too much for granted, particularly those of us who have any sensitive data on their phones. I’m startled by this revelation and perplexed that it took this long for this to occur to me.

You may hear here and there Windows Mobile touted as the most secure FIPS-passing operating system trusted even by the military. But if the user knows what a cab is and has a USB cable while using Google and warez sites to grab random programs left and right, it doesn’t sound difficult at all for someone to whip up a phone home keylogger masquerading as a SIM unlocking tool, register a domain, start distributing it and watching the passwords and credit card numbers flow in. And a long time would pass before anyone would discover the threat to call the developer out on it somehow, warning the rest of us effectively which is another hard thing to do in the Windows Mobile world. Put an app store into the mix, complete with a team of professionals to vet the software initially and a community to do the same subsequently, and only let the user install software through that system, enforcing the use of a Verisign-like SSL certificates for domains but with software, the valve is almost completely closed on this threat.

My point? Just a heads up on the subject. Maybe some of you have information to add to this as I am mostly speculating again. I am especially rattled by this because I’ve handed out a whole lot of cabs to people and I didn’t exactly hex edit all of them to make sure nothing phishy was going on before putting them on my site. So if you’re in the military using Windows Mobile devices to bang in coordinates when calling in air strikes or you make a habit out of banging in social security, credit card and checking account numbers into your phone, go easy on the cabs.

Doug Simmons