[Janak Parekh]

http://www.airscanner.com/security/...tivesync371.htm

The folks at Airscanner have done some careful research on AS 3.x's network syncing, and have found that it's possible to send a packet to a machine running AS with LAN sync enabled that makes AS ask the user for the Pocket PC's password, and then returns the result to the attacker. While this doesn't imply a compromise per se (unless they manage to steal your Pocket PC as well), it could be problematic if people reuse their passwords for multiple resources (e.g., a bank PIN).

What does this mean for you? Here are some "best practices" given the scenario.

• If you're not using LAN/WiFi ActiveSync, make sure it's turned off in the connection settings in AS (this is now the default for new installs of AS 3.8 ).
  
• Use a unique password for your Pocket PC. Be careful as to when you type it in (i.e., don't randomly type it in if you're not syncing).
  
• If you're using ActiveSync on a home network behind a router/firewall, you're probably fine, as the attacker wouldn't be able to access port 5679.
  
• If you're using ActiveSync on a machine directly connected to the Internet, either turn off LAN sync or firewall it.
  
• And finally, if you're in a large corporate network, exercise caution (and firewall the AS port if you can -- while outside attackers are the first priority, one could have an internal attacker in a large network).

There's no exploit code at the above link, but a determined attacker could certainly write some. I'm sure this is one of the integral scenarios that Microsoft envisioned when disabling LAN sync in AS 4.0. I hope the Mobile Devices group does see fit to do a redesign and reintroduce this feature in later versions.

[Janak Parekh]

http://www.airscanner.com/security/...tivesync371.htm

The folks at Airscanner have done some careful research on AS 3.x's network syncing, and have found that it's possible to send a packet to a machine running AS with LAN sync enabled that makes AS ask the user for the Pocket PC's password, and then returns the result to the attacker. While this doesn't imply a compromise per se (unless they manage to steal your Pocket PC as well), it could be problematic if people reuse their passwords for multiple resources (e.g., a bank PIN).

What does this mean for you? Here are some "best practices" given the scenario.

• If you're not using LAN/WiFi ActiveSync, make sure it's turned off in the connection settings in AS (this is now the default for new installs of AS 3.8 ).
  
• Use a unique password for your Pocket PC. Be careful as to when you type it in (i.e., don't randomly type it in if you're not syncing).
  
• If you're using ActiveSync on a home network behind a router/firewall, you're probably fine, as the attacker wouldn't be able to access port 5679.
  
• If you're using ActiveSync on a machine directly connected to the Internet, either turn off LAN sync or firewall it.
  
• And finally, if you're in a large corporate network, exercise caution (and firewall the AS port if you can -- while outside attackers are the first priority, one could have an internal attacker in a large network).

There's no exploit code at the above link, but a determined attacker could certainly write some. I'm sure this is one of the integral scenarios that Microsoft envisioned when disabling LAN sync in AS 4.0. I hope the Mobile Devices group does see fit to do a redesign and reintroduce this feature in later versions.

[Ed Hansberry]

Quote:

Originally Posted by Janak Parekh

And finally, if you're in a large corporate network, exercise caution (and firewall the AS port if you can -- while outside attackers are the first priority, one could have an internal attacker in a large network).

Of course, wouldn't that be the same as disabling LAN sync since your WM device wouldn't be able to reach AS on your PC?

[Janak Parekh]

Quote:

Originally Posted by Ed Hansberry

Of course, wouldn't that be the same as disabling LAN sync since your WM device wouldn't be able to reach AS on your PC?

Not if you have a dedicated IP address for your Pocket PC. Alternatively, one can exercise caution and disable LAN sync when it's not being used...?

--janak

[rmasinag]

Does this only apply to WiFi synching or wired too?

I synch via BT just long enough to update Avantgo? Is that long enough for a hacker to get my pin?

Finally, if I disable LAN via synch would that affect Avantgo in terms of updating my PPC?

Thoughts would welcome guys, thanks

[Ed Hansberry]

Quote:

Originally Posted by rmasinag

Does this only apply to WiFi synching or wired too?

This applies to all TCP/IP based syncing, which is wired CAT5, wireless, modem, etc. It does not apply to bluetooth, IR or USB/Serial cable though because those all come through a serial port.

Janak - who has a dedicated IP address for their Pocket PC? Are any major corporations not running DHCP? :wink:

THis is a hole. I guess the bigger the company, the more the risk hacker Johnny is down in IT playing around.

[r0l0e]

Well, I had wished they included the option to choose whether it's a corp. or personal installation on AS4 instead of rushing the release.

[Janak Parekh]

Quote:

Originally Posted by r0l0e

Well, I had wished they included the option to choose whether it's a corp. or personal installation on AS4 instead of rushing the release.

Yeah, but who knows if this is the total set of security troubles with ActiveSync. I'd like to think that they only reluctantly removed the LAN support after they decided there was no choice. :| Still, I would have preferred a redesign in time for WM5/AS4.

--janak

[Jerry Raia]

MS software insecure :?: Say it isnt so :!:

[Dave Beauvais]

Quote:

Originally Posted by Ed Hansberry

Janak - who has a dedicated IP address for their Pocket PC? Are any major corporations not running DHCP? :wink:

I use "static DHCP" on my router, which always assigns the same IP address to a MAC address. When my iPAQ connects wirelessly to my access point, the router always assigns it the same address. Essentially I have a static IP address without the hassle that a real static IP address would cause on a Pocket PC.

[r0l0e]

Pretty much the same here also. I have had the same IP address from my AP ever since I connected my Xda on it about 5 months ago. So I figured, I might as well assign it a static IP, then switch back to dhcp when wardriving or at the cafe.