Introduction and Overview of the Last Article

Our last article examined in greater detail the threats that are posed to the iOS Operating System, which in turn affects all of the wireless devices, which primarily include those of the iPhone and the iPad.

There is often this feeling of safety when using these devices. The major part of this reasoning is that in reality, Apple has not been afflicted as much with Cyber-attacks as much as the Samsung and the Windows mobile devices have been.

Security experts have noted that Apple goes to extraordinary lengths to ensure that their devices are as hacker proof as possible. For example, there are extremely rigorous Quality Control processes in place, as well as other systems of checks and balances to ensure that only the authorized end user is accessing his or her own iPhone or iPad.

To this extent, Apple has even introduced the use of Biometric Technology to provide a Two-Factor (also known as “2FA”) security approach. This can also be thought of as a “Multi-Modal” approach as well. Really, any Biometric could work in this regard, but Apple chose to make use of Fingerprint Recognition because not only of its strong levels of Ease of Use but also it is the most widely accepted Biometric Technology worldwide.

This push by Apple only came to fruition after it bought a Biometrics Vendor known as “Authentic” in a Merger and Acquisition (M&A) activity. At the time, Authentec was the premier provider of Fingerprint Recognition Sensors to the Biometrics industry, with a specialty in manufacturing Optical based Sensors.

In fact, this same technology is even being used in the “Apple Pay,” which is basically Apple’s version of the Mobile Wallet. This and the use of Biometric Technology in the Smartphone will be topics of separate articles in the future.

However, as our last two articles have shown, Apple can be just as prone to Cyber-attacks as well. The first article looked at uploading rogue mobile applications onto the App Store by manipulating the Digital Certificates, which are granted to an end user after they have created an account for themselves. The second article examined other Cyber based attacks, which include the following:

  1. A Malicious Configuration Profile:

    Most wireless devices consist of this file for it to make the end user to properly set up their Apple wireless device correctly the first time quickly and easily. However, the Cyber attacker has found a way in which to create a malicious Configuration Profile and inject that into the iPhone or the iPad.

  2. The WebKit Vulnerability:

    This is a software package, which is used to power the Safari Web Browser. In fact, Apple is not just using it; Google in their Chrome Web Browser is also using it. However, despite the efforts to safeguard this package, the Cyber attacker has found ways in which to inject malicious .exe files into it, with the end result being that the end user is redirected to a spoofed Website.

  3. The Zero Day Attack:

    In these situations, the Cyber attacker has advanced knowledge of a weakness or a vulnerability in the Source Code and takes full advantage of it before the Vendor even knows about it.

In this article, we continue with the theme of Security threats, which are posed to Smartphones-but this time, the focal point is on the Windows Mobile devices.

The Windows Mobile Operating System


Yes, we have all heard of the Windows Operating Systems. By far, it is the most widely used OS in the world, ranging from the Workstation to the Server editions. These have ranged all the way from Windows 95 to Windows XP to Windows Vista to the latest version now, which is running, Windows 10.

When compared to just about any other software application or OS (including even the Open Source ones such as that of Linux), Windows has been the most sought after prize of the Cyber attacker.

For example, just about every piece Malware, Spyware, Adware, and even Trojan Horse has found its way into it. However, unlike the other Wireless Vendors that have made a separate and unique Operating System for their Smartphone product lines, Microsoft took an entirely different approach, utilized their existing Operating Systems, and modified so that it would be the OS for their mobile phone line.

For example, since the latest version is Windows 10, Microsoft simply took the underlying Source Code of that and modified it fit their Smartphone models, and rebranding it as merely “Windows 10 Mobile”. This Operating System is now available on the Lumia line of Smartphones, which include the Lumia 635, the Lumia 730, and the Lumia 830.

Microsoft’s fundamental reason for taking this approach is that it wanted to “. . . share many of the same features as its desktop version, including the same kernel, UI elements, menus, Settings, and even Cortana.” (SOURCE: 1).

But however, there is one fatal flaw in taking this kind of approach: The same type of Cyber threats and risks which are posed to the Windows Operating Systems on the Workstations and Servers can also be used to manipulate the OS’s which reside on the Windows line of Smartphones.

Therefore, on a theoretical plane, the effects of one Cyber-attack on a Windows platform will thus be greatly proliferated onto the mobile devices, and vice versa.

The Risks Posed to the Windows Mobile Operating System

Ethical Hacking Training – Resources (InfoSec)

  1. Making Network based Files and Shared Resources available to everybody:

    Although the Windows 10 Operating System has put in extra safeguards to protect private and confidential files of businesses/corporations and even the end user, the rights, which are granted to access them, seem to be misconfigured at times, and this is an escalating trend that is of grave concern. This can happen for a wide myriad of reasons, such as employees who really do not know how to assign permissions properly, or even the Network/System Administrators who are so overloaded in their work that he or she does not double check the permissions that they grant. However, more often than not, it is also the work of the Cyber attacker who is also misconfiguring these specific rights and permissions as well. What is interesting about this trend is that the Cyber attacker is not out for personal gain in these matters; rather their main intent is to cause financial loss to a business or a corporation when their files and resources become available to the public at large. This type of attack is especially worrisome on the Windows Mobile devices, as many employees now use this tool to store both personal and work related files, as literally millions of wireless devices can fall victim in just a matter of minutes. It should be noted that the primary target in this kind of attack is in exposing the “Everyone Group” directory in the Windows 10 Operating System.

  2. Lack of Enablement of the Personal Firewall:

    As it was described in the last article, Apple develops a specific Configuration File for the end user to set up their iPhone properly. A major component of this is also making sure that the Security features have been enabled as well. This even includes the Personal Firewall. In sharp contrast, although the Windows 10 Operating System does have a feature related to the Apple Configuration File, the Security features which come on it are not all preset. In other words, the end user has to configure all of this themselves manually. Even though Windows 10 has a highly GUI centered approach for doing this both on the workstation and Mobile Device, it can still be very confusing if not daunting for the end user to configure the Security features and the Personal Firewall properly. As a result, they often give up, thus making their Wireless device that much more prone to a Malware or Spyware Attack. But on the flip side, the Personal Firewall on the Windows 10 OS has been deemed to be a powerful to use, such as when it comes to protecting the IPC$ and ADMIN$ share files. It has also been known to block out effectively any type or kind of Wireless Intrusion Attacks.

  3. Unaccounted for Systems which are running in the background:

    Because the Windows 10 Operating System is deemed to be in some ways “bloated” because of its Closed Source platform, there is one Security weakness it possesses that can affect both the workstation and the mobile devices: It’s lack of accounting for those resources which run in the background. What this means essentially is that the OS may not even be “aware” at times of the services and other related software applications which are running in the background. This very often includes the Internet Information Services (also known as the “IIS”-this is the Web Server software) and the SQL Server Express (this is the free and “watered down” version of the SQL Server Database). Because of this lack of unaccountability, a Cyber attacker can take advantage of this very quickly, and insert a malicious payload, which can spread itself very quickly.

  4. There are no minimum Security Thresholds or Standards which have been established:

    As described, although the Windows 10 Operating System does indeed come with a robust set of Security features, there is still another area in which it is severely lacking –a lack of Best Standards for the businesses and corporations to adopt which make use of this OS on their Windows Mobile devices. Because of this, the IT Staff at many organizations are often left to their own guises to experiment which Security features of Windows 10 are needed and those that are needed to come into compliance with the Security Policies, which have been set forth and established. As a result, there can be significant periods of when the “Security guard is let down,” thus making a very fertile time period for the Cyber attacker to launch a wide-scale attack upon the organization.

  5. The Windows 10 for Mobile Phones cannot be tested using the traditional tools:

    Sure, the Windows 10 OS can be tested to make sure that it does indeed come into compliance with the Security requirement and needs of the business entity. However, since this is the latest version from Microsoft, it requires the latest tools to test. The companies with the bigger budgets could probably afford to have these tools, and perhaps even hire top of the line Penetration Testers. Nevertheless, the truth of the reality is that many of the smaller to medium-sized businesses cannot afford this, and as a result, are forced to test their Windows Mobile with outdated testing tools. This leads to incomplete and very often inaccurate results, which will make the Windows Mobile device that much more vulnerable to a Cyber based attack. Another problem compounding this issue is that Windows 10 is based on a Closed Source platform (just like the older OS versions and other Microsoft products), so trying to conduct a Penetration Test on the Source Code is very difficult, if not impossible, to accomplish.

  6. Automated Updates and Patches:

    Windows 10 is notorious for this feature. It often occurs at the most inconvenient times. Although the primary intention of this is to keep the Windows Mobile device up to date with the latest Security Patches, there is a chance that one of those updates could very well be a rogue application (such as a Malware or a Spyware) inserted into the process by a sophisticated Cyber attacker. Unfortunately, there is no way of knowing of this until it is too late. For instance, the Windows 10 OS will only notify you which specific updates and/or patches have been installed after the fact.

Conclusions

In summary, this article has examined the Security threats and risks which are posed to the primarily to the Windows 10 Operating System (OS). As it was discussed earlier, this OS is not only available for the workstation and PCs, but it has also been modified and restructured in such a way by Microsoft that it is also available on their Windows Mobile phone product line as well.

Although this might have proven to be an effective strategy regarding cost savings, it also presents a double-edged sword when it comes to Security: For instance, the same threats, which are inherent to the workstation and PC versions, are also targeted to the mobile phone versions of the Windows 10 OS.

Thus far, in this series, we have examined the Security Vulnerabilities to all three major mobile phone OSs:

  1. The iOS
  2. The Android OS
  3. The Windows 10 Mobile OS.

A future article will examine how an end user, or even a business entity, can take preventative steps to make sure that their Smartphone does not become the target for a Cyber based attack. Our next article will focus on another Security concept of the Smartphone – “Jailbreaking.”

Resources

  1. http://www.windowscentral.com/windows-10-mobile
  2. http://www.techradar.com/reviews/phones/mobile-phones/windows-10-mobile-1286717/review
  3. http://www.sersc.org/journals/IJSIA/vol10_no2_2016/2.pdf
  4. http://searchenterprisedesktop.techtarget.com/tip/The-10-most-common-Windows-security-vulnerabilities
  5. https://docs.microsoft.com/en-us/windows/threat-protection/overview-of-threat-mitigations-in-windows-10
  6. https://blogs.microsoft.com/microsoftsecure/2014/09/11/risk-meets-reward-windows-phone-8-1-security-overview/
  7. https://hackernoon.com/the-2017-pentester-guide-to-windows-10-privacy-security-cf734c510b8d
  8. https://securityintelligence.com/news/windows-10-update-the-security-risks-and-safeguards-everyone-should-know/
InfoSec Institute
Rated 4.3/5 based on 302 customer reviews.
InfoSec Resources