Tuesday, May 21, 2002
Security flaw in Pocket PC Phone Edition?
Posted by Andy Sjostrom in "NEWS" @ 12:49 AM
http://www.theregus.com/content/4/24981.html
I never thought I'd ever link to a "The Register"-article again. They get facts wrong in about 99% of their articles, so I caution you now. This might be true, and it might not be... According to the article, the Pocket PC Phone Edition has a security flaw involving the SIM PIN number. The SIM PIN is the four-digit number you enter to be able to use your mobile phone.
"Pocket PC Phone Edition implements this with a check box to turn the PIN on and off. When you select the phone dialer with the PIN enabled the dialer asks you to enter the PIN before it will go any further, if however you then select the browser and start a GPRS browse session it will connect (although it shouldn't). If you then run another instance of the dialer you can make voice calls."
Given the source, I have my doubts about this report, which is not very detailed. It might in fact be a design decision. Assume that the user has already entered the PIN. Using that point of validation, the Pocket PC Phone allows network access for all sessions from that point forward. I am not sure about this, since I don't have a Pocket PC Phone Edition (!), so I can't verify how this really works. Anyone else?