Analyst group Gartner has claimed that Microsoft's Pocket PC 2002
software does not address critical security issues and could make
sensitive corporate data stored on personal digital assistants and
desktop PCs vulnerable to theft and loss.
Companies that use Pocket PC-based devices should turn to
third-party products to protect their data, a Gartner research note
said.
Microsoft is contesting Gartner's analysis of Pocket PC security.
"Gartner mistakenly blames the Pocket PC for potential security
breaches that are, in reality, related to insecure usage of desktop
PCs," a Microsoft representative said.
Improving security has been a major focus for Microsoft since
January, when company chairman and chief software architect Bill
Gates said building an environment of "trustworthy computing"
should be Microsoft's top priority.
But while Microsoft has put the security of many of its flagship
products, such as the Windows operating system, Office and Visual
Studio .NET, under the microscope, Pocket PC is not yet part of its
Trustworthy Computing initiative, according to Gartner.
One vulnerability identified by Gartner is that the Pocket PC
default setting does not require a password, and that passwords and
the password policy cannot be synchronised with a desktop PC. In
addition, configuration settings of Pocket PC-based devices cannot
be secured, and when the system is reset all settings are lost.
Other areas of vulnerability claimed by Gartner include:
- The ability to install a Pocket PC device on a desktop PC
without requiring a password, which gives the device the ability to
access data in Outlook, as well as other applications.
- Users cannot encrypt files with the Crypto API (application
programming interface) that is included in Pocket PC.
- No security is provided for removable storage devices, such as
memory cards.
- The software lacks policy features that could be used to
restrict a user's ability to run applications on a Pocket PC-based
device.
Microsoft said Gartner was "incorrect" to claim that a Pocket PC
device could be easily installed on a computer and used to download
data from applications such as Outlook.
"A Pocket PC cannot be installed onto a password-protected PC
without using the PC's password to secure access," a spokesman
said.
"A PC without password protection is at a much greater risk of data
loss to high-capacity storage cards than with a Pocket PC."
For other areas of concern, both Microsoft and Gartner agreed that
third-party applications could be used to address many of the
security vulnerabilities identified in the research note.
But Gartner said that relying on third-party products was not a
sufficient answer for many corporate users and urged Microsoft to
take steps to improve the security of Pocket PC.