Microsoft's Direct Push mobile email has at least one major
security hole, and that should be a matter of concern for any
company looking to use or deploy Windows Mobile-enabled devices.
According to Jack Gold, president and founder of Northborough,
Mass.-based research and advisory firm J. Gold Associates, messages
received through Microsoft's Direct Push Technology wireless email
are encrypted over the air but stored on the device without
encryption. The problem was found in Direct Push as used with the
latest version of Exchange Server 2003 and with devices running
Windows Mobile.
"Anyone who can get into the device can read it," Gold said.
"Microsoft will say that's not a flaw, but it is a significantly
lower level of security when the files aren't encrypted on the
device."
Media representatives for Windows Mobile and Direct Push did not
return phone calls.
Direct Push works like this: the Exchange Server sends an email to
the Windows Mobile device; while in transit, the data is encrypted;
when it reaches the device, it is decrypted and then stored in the
clear.
That model differs from other major push email providers such as
Good Mobile Messaging and BlackBerry-maker Research In Motion Ltd.,
which encrypt everything in the local store.
"If you have confidential information, you want to have it
encrypted on the device," Gold said. He noted that someone would
probably need a password to log in to a device in order to access
the unencrypted messages, but that would be the case only if device
password protection were turned on.
"If you're Bank Of America, if you're Merrill Lynch, you want to
have that second layer of security," he said. "Companies need to
understand that this is a flaw and err on the side of more, not
less, security."
Direct Push uses AirSync, an over-the-air derivative of
ActiveSync. AirSync is used for syncing data with all devices
running Microsoft's Windows Mobile and provides a way for a data
store on the device to be synchronized with a data store on a
server or PC.
Gold said that the flaw arises because the current versions of
AirSync and ActiveSync can only do a file sync of specially
formatted datasets that meet certain Microsoft data specifications.
For example, any transfer of data from Exchange Server to Pocket
Outlook must be done with the files in an unencrypted state, because
file encryption would not allow ActiveSync to perform properly. That
means Direct Push, which uses AirSync, must transfer unencrypted
data files between the server and the device. While the transmission
is secured using SSL encryption, the data is stored on the device in
an unencrypted state.
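The practical consequence of an unencrypted local store is that the messages can be recovered with a plain byte scan of the device's storage, no application needed. The following check is an added example written for this page, not code from the article, from Microsoft or from any of the vendors mentioned: it scans a blob (for instance a mail database copied off a device) for RFC 822-style headers the way an attacker with device access would, and uses byte entropy as a rough encrypted-versus-plaintext indicator. Both sample blobs, the header names it looks for and the 7.5-bit threshold are constructed for the illustration.

```python
"""Audit check: does a device message store hold mail in the clear?

Added example for this page; not code from the original article or
from Microsoft's software. It scans a byte blob for mail headers and
measures byte entropy. The two sample stores below are constructed.
"""
import math
import random
import re
from collections import Counter

# Headers that only show up if message text is stored unencrypted.
# A header must follow a newline or a NUL (string boundary in a store).
HEADER_RE = re.compile(rb"(?:^|[\n\x00])(From|To|Subject): ([^\r\n]*)")

# Constructed heuristic threshold: ciphertext sits near 8.0 bits/byte.
ENCRYPTED_ENTROPY_MIN = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext or random data, well below for text."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_cleartext_messages(blob: bytes) -> list:
    """Return (header, value) pairs recoverable by a plain byte scan."""
    return [(h.decode(), v.decode(errors="replace"))
            for h, v in HEADER_RE.findall(blob)]


def assess_store(blob: bytes) -> dict:
    """Summarize what an attacker with the raw store could read from it."""
    headers = find_cleartext_messages(blob)
    entropy = shannon_entropy(blob)
    return {
        "entropy": round(entropy, 2),
        "recovered_headers": headers,
        "looks_encrypted": entropy > ENCRYPTED_ENTROPY_MIN and not headers,
    }


# Constructed sample 1: an unencrypted store, a message sitting between
# binary padding, like a mail database on a device with no store encryption.
PLAINTEXT_STORE = (
    b"\x00" * 64
    + b"From: cfo@example.com\r\nTo: trader@example.com\r\n"
    b"Subject: Q3 numbers before release\r\n\r\nSee attached.\r\n"
    + b"\xff" * 64
)

# Constructed sample 2: stands in for an encrypted store. Seeded random
# bytes are used because only the statistical shape matters here.
_rng = random.Random(20060101)
ENCRYPTED_STORE = bytes(_rng.getrandbits(8) for _ in range(4096))

if __name__ == "__main__":
    for name, blob in (("plaintext", PLAINTEXT_STORE),
                       ("encrypted", ENCRYPTED_STORE)):
        print(name, assess_store(blob))
```

Run against a real store image, a positive result from the header scan is the decisive signal; the entropy figure is only a hint, since compressed or binary-packed databases can also score high without being encrypted.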
And even that SSL connection doesn't always do the trick.
Peter Rysavy, president of Rysavy Research, a consulting firm
specializing in wireless networking, said recent trials with Direct
Push found that a misconfiguration could disable the SSL connection
of Direct Push and transfer data in the open, unprotected. If that
happened, he said, it would be unbeknownst to end users.
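Since the end user would not notice the SSL connection dropping away, the place to catch it is the server side. The script below is an added example for this page, not code from the article, from Rysavy Research or from Microsoft: it parses W3C-format IIS log lines, the format an Exchange front-end server writes, and flags requests to the standard ActiveSync virtual directory, /Microsoft-Server-ActiveSync, that arrived on a port other than 443. The log lines are constructed. It assumes the front end terminates SSL itself, so that port 443 means encrypted and anything else means clear; behind an SSL offloader the port alone does not tell you, and the check would have to look at the offloader's logs instead.

```python
"""Flag Direct Push / ActiveSync requests that were served without SSL.

Added example for this page; not code from the original article or
from Microsoft. Parses W3C-style IIS logs (space separated, columns
named by the '#Fields:' line) and reports ActiveSync requests on a
non-SSL port. Sample log is constructed. Assumes SSL is terminated on
the logging server itself.
"""
from urllib.parse import parse_qs

# Standard Exchange ActiveSync virtual directory on the front-end server.
ACTIVESYNC_PATH = "/Microsoft-Server-ActiveSync"
# Assumption: the front end terminates SSL, so only 443 carries ciphertext.
SSL_PORTS = {443}


def parse_iis_log(text: str) -> list:
    """Turn W3C IIS log text into a list of {field: value} rows."""
    fields = None
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any #Fields line
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed row; skip rather than misalign
        rows.append(dict(zip(fields, values)))
    return rows


def find_cleartext_activesync(rows: list) -> list:
    """Return one finding per ActiveSync request not served on an SSL port."""
    findings = []
    for r in rows:
        stem = r.get("cs-uri-stem", "").lower()
        if not stem.startswith(ACTIVESYNC_PATH.lower()):
            continue
        port = int(r.get("s-port", "0"))
        if port in SSL_PORTS:
            continue
        # '-' in IIS logs means 'no value'; parse_qs drops it.
        query = parse_qs(r.get("cs-uri-query", "-"))
        findings.append({
            "time": f'{r.get("date")} {r.get("time")}',
            "user": r.get("cs-username"),
            "client": r.get("c-ip"),
            "device": query.get("DeviceId", ["?"])[0],
            "cmd": query.get("Cmd", ["?"])[0],
            "port": port,
        })
    return findings


# Constructed sample: one healthy Direct Push heartbeat (Cmd=Ping) on 443,
# one Sync on port 80, an unrelated OWA hit, and an unauthenticated probe
# of the ActiveSync directory on port 80.
SAMPLE_LOG = r"""
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2006-05-01 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2006-05-01 08:00:01 10.0.0.5 POST /Microsoft-Server-ActiveSync User=jdoe&DeviceId=ABC123&DeviceType=PocketPC&Cmd=Ping 443 CORP\jdoe 203.0.113.7 MSFT-PPC/5.1.2300 200
2006-05-01 08:00:02 10.0.0.5 POST /Microsoft-Server-ActiveSync User=asmith&DeviceId=DEF456&DeviceType=PocketPC&Cmd=Sync 80 CORP\asmith 203.0.113.9 MSFT-PPC/5.1.2300 200
2006-05-01 08:00:03 10.0.0.5 GET /exchange/ - 443 CORP\jdoe 203.0.113.7 Mozilla/4.0 200
2006-05-01 08:00:04 10.0.0.5 OPTIONS /Microsoft-Server-ActiveSync - 80 - 203.0.113.10 MSFT-PPC/5.1.2300 401
"""

if __name__ == "__main__":
    for f in find_cleartext_activesync(parse_iis_log(SAMPLE_LOG)):
        print(f)
```

Any finding at all from this check means the "Require secure channel (SSL)" setting on the virtual directory is not actually in force for that request, which is the condition the trials above describe.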
Current Analysis analyst Kathryn Weldon noted, however, that
Direct Push is not technically push email at all.
"In general, the differences [between Direct Push and other push
email solutions] include the fact that Direct Push isn't really
direct push, no matter what it's called," she said. "It's actually
still frequent and automated pull."
Because Direct Push is implemented as an ActiveSync, or AirSync,
session that asks the server whether there are any updates and then
keeps the TCP/IP session open, Windows Mobile devices also experience
poor battery life.
Rysavy agreed, adding that Direct Push drains battery power
because a lot of the data moves through the radio, and each byte
consumes power.
"This is contrary to how the major wireless email third-party
applications currently perform, where all data transferred to the
device is in an encrypted file format in addition to encrypting the
transmissions," Gold wrote. "In the Direct Push scenario, although
the transmission of data files across a network is secure, the
storage of data files on the devices is not."
Companies can buy add-ons that can encrypt everything on the
device, according to Gold, but that disables the email's push
capability, meaning that end users must log in and check their
email. Weldon added that some software companies -- Sybase, for
instance -- have added their own workarounds to their platforms to
try to fix the problems with Direct Push.
"If you do that, you break direct push and go to pull," Gold
said. "It's a mixed bag."
Companies need to be on-message, he said, and should take the
time to think about whether using Direct Push is a wise choice.
"Most end users have sensitive data within their emails, and
although devices can be protected with passwords, this is generally
not a high enough level of protection for sensitive data," Gold
said. "Companies with substantial information security needs --
financial services, healthcare, life sciences, government -- would
do well to explore alternatives to Microsoft Direct Push wireless
email until Microsoft has fixed the inherent security problems
within the application and brought it up to par with the other
wireless email solutions available on the market."