05-21-2002, 08:49 AM
|
|
Pontificator
Join Date: Aug 2006
Posts: 1,177
|
|
Security flaw in Pocket PC Phone Edition?
http://www.theregus.com/content/4/24981.html
I never thought I'd ever link to a "The Register"-article again. They get facts wrong in about 99% of their articles, so I caution you now. This might be true, and it might not be... According to the article, the Pocket PC Phone Edition has a security flaw involving the SIM PIN number. The SIM PIN is the four digit number you enter to be able to use your mobile phone.
"Pocket PC Phone Edition implements this with a check box to turn the PIN on and off. When you select the phone dialer with the PIN enabled the dialer asks you to enter the PIN before it will go any further, if however you then select the browser and start a GPRS browse session it will connect (although it shouldn't). If you then run another instance of the dialer you can make voice calls."
Given the source, I have my doubts about this report which is not very detailed. It might in fact be a design decision. Assume that the user has already entered the PIN. Using that point of validation, the Pocket PC Phone allows network access for all sessions from that point forward. I am not sure about this, since I don't have a Pocket PC Phone Edition (!), so I can't verify how this really works. Anyone else?
|
| |
|
|
|
05-21-2002, 10:22 AM
|
|
Pupil
Join Date: May 2002
Posts: 34
|
|
If the phone circuit is off when machine is off (as it should be), it is impossible to operate the circuit again and use voice or data call without entering the PIN again. The reason is that PIN is necessary for the phone to work, it is not only a password.
My opinion, this new is a hoax.
|
| |
|
|
|
05-21-2002, 11:17 AM
|
|
Ponderer
Join Date: Oct 2003
Posts: 53
|
|
Gawd, Andy, I can't stand the Register. They are so sloppy (and such obvious Microsoft-haters) that ARGHEHHHH!
Anyway, the article is too vague to be useful. It would be good to try it, but I wonder if they aren't confusing the 'phone off' condition with the 'PDA off' condition.
__________________
Jeff McKean
Marketing Manager
Mobile Devices Division
Microsoft
|
| |
|
|
|
05-21-2002, 11:43 AM
|
|
Pontificator
Join Date: Jul 2003
Posts: 1,468
|
|
The Register article info is taken from a review of the O2 XDA (Wallaby) in the UK magazine 'What Mobile'.
This ability to get aound the PIN via using the GPRS is something the reviewer was able to do (I read the review and the Register has reported it accurately).
So - no hoax and no sloppy journalism (not this time!).
|
| |
|
|
|
05-21-2002, 01:05 PM
|
|
Intellectual
Join Date: May 2002
Posts: 140
|
|
Re: Security flaw in Pocket PC Phone Edition?
Quote:
|
Originally Posted by Andy Sjostrom
It might in fact be a design decision.
|
:lol: :lol: :lol: :lol: :lol: :lol: :lol:
That has to be the quote of the year!
BTW: If The register is so unreliable, why refer to them for articles such as the China deal?
|
| |
|
|
|
05-21-2002, 01:59 PM
|
|
Thinker
Join Date: Jun 2003
Posts: 312
|
|
I've used the xda too and was not able to reproduce that...
However, it's not only a question of MSFT impements the PIN request but how GSM networks operates and if the SIM card didn't sent the keys, the mobile device can not attach to the network. Not for GSM nor for GPRS...
I think they are talking about switching off the PIN security... ;-)
__________________
Cheers ~ Arne, MS MVP - Mobile Devices
Editor in Chief the::unwired - where mobility meets wireless
http://www.theunwired.net |
| |
|
|
|
05-22-2002, 04:37 PM
|
|
Neophyte
Join Date: May 2002
Posts: 1
|
|
Reg article
Sticking my head above the parapet. I wrote both the What Mobile review and The Register article.
The phone certainly did allow me to make first a GPRS and then voice connection. In more detail. I powered it on, ran up the dialler, which asked for the pin but which I didn't enter, then I called up explorer and was able to make a GPRS connection.
Then when I called up the dialler it ran a second instance which then made a voice call. When I quit the dialler the first instance was still there still asking for the PIN.
I was able to reproduce this.
However the device has since gone flat and lost all the settings, and I am in the US this week and the device is in London so I can't try it at the moment.
On reflection the first instance of the dialler may have crashed while asking for the pin and that is what caused the second instance to both initiate (rather than its going to the first) and to not read the check box that said 'ask for PIN'.
I don't check this board very often, if you want to solicit comments with anything like a prompt response you'll find me in the forum at www.blah.com
Simon
|
| |
|
|
|
|
|
|
Linear Mode
