How secure is Windows CE?

Will Windows CE become the next big thing? Before you answer that question, you need to understand the issues that surround the security of Windows CE. Brien Posey discusses the limitations of palmtop security and offers advice to palmtop owners.

There are many people who say that Windows CE is going to be the next big thing. To examine this claim, I decided to work extensively with Windows CE. All in all, I’m very happy with Windows CE, and my palmtop has become an indispensable business tool. A few days ago, however, I was using Windows CE to manage a server on my network, and I began to wonder just how secure Windows CE really is. I’ll discuss what I discovered, and I’ll explore some of the areas of Windows CE where a security breach could become a problem.

Local security
You may be wondering why security is even an issue. After all, how many of us leave our palmtops plugged into the network all night? Even if some people do, when was the last time that a hacker broke into a network just to access the contents of someone’s palmtop? As with any computing platform that contains sensitive data, however, Windows CE security is a real issue. You may not have to worry about an attack that’s targeted specifically against Windows CE, but what happens if someone steals your palmtop from your coat pocket? How safe is your data?

If your Windows CE device contains sensitive data, then you should have protected it with a password already. The password for a Windows CE machine is particularly effective because you must enter it at power on. There’s really no way of bypassing the password directly because Windows CE doesn’t allow you to boot off of a floppy (which might enable you to run some sort of hacking program). The only way to remove a password from a stand-alone machine is to clear the memory, which also deletes any data that you’ve stored on the device.

Of course, it’s possible to break into a Windows CE machine through other means. All you have to do is plug the device into a desktop PC via a serial cable. During the initial phase of the connection, the desktop PC will require you to enter a password for the Windows CE device, but some programs can exploit this connection and bypass the password protection. Thus, it stands to reason that your data is safe only as long as your palmtop is run as a stand-alone machine but that it isn’t necessarily safe if the device is connected to a PC.

There’s one more thing that you need to consider. To expand the capabilities of their Windows CE devices, many people use a flash card to store their files. By its very nature, a flash card is insecure. Data that’s stored on a flash card can be read if someone plugs the card into another machine with a card socket. Your Windows CE password will protect the data on your flash card only as long as the card remains in your Windows CE device. The data that’s stored on a flash card is neither encrypted nor password protected.

Secure connections
Now that you know a little about local Windows CE security, you may be wondering about other types of security. After all, one of the coolest things about Windows CE is that it can connect you to your network or to the Internet.

When you connect to your network, Windows CE uses your Windows NT servers to validate the login. Of course, Windows NT stores passwords in encrypted form inside the Registry. If you use Windows CE to log in, however, the security of your password may become compromised. Although Windows NT stores the password in an encrypted format, Windows CE transmits your password to the Windows NT server in basic clear text format, and anyone monitoring the network with a packet sniffer can read your password.

Another issue with Windows CE is the way in which it connects to the Internet. Windows CE makes some provisions for connecting to Web pages via a secure connection. However, it seems that this algorithm may be outdated. Often, when I try to use a secure connection with Windows CE, I receive a discomforting message, which tells me that a secure connection can’t be made and that an insecure connection will be used instead. (Yikes!)

It may sound as if I were telling you never to use Windows CE. That’s not the case. This information is intended to make you aware that Windows CE has certain limitations. Once you understand these limitations, you can use Windows CE in a way that won’t compromise your data. For example, you should never store passwords on your Windows CE machine—especially those passwords that you use to automate Internet or Terminal Server logins. Likewise, be careful about which documents you store on your Windows CE device—just in case its security is ever compromised.

Brien M. Posey is an MCSE who works as a freelance technical writer and as a network engineer for the Department of Defense. If you’d like to contact Brien, send him an e-mail. (Because of the large volume of e-mail he receives, it's impossible for him to respond to every message. However, he does read them all.)

The authors and editors have taken care in preparation of the content contained herein, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for any damages. Always have a verified backup before making any changes.