ActiveSync TCP/IP and 802.11b wireless vulnerabilities of WinCE-based PDAs

摘要

Researching the vulnerabilities and security concerns of WinCE-based Personal Digital Assistants (PDAs) in an 802.11 wireless environment resulted in identifying CAN-2001-{0158 to 0163}. The full understanding and demonstration of some vulnerabilities would have required reverse engineering ActiveSync, which was beyond the scope of this research. Moreover, the WinCE IP stack demonstrated unstabilities under a number of attacks, one of which produced symptoms in hardware. The inaccessibility of the 802.11b standard documentation was a source of delays in the research; however, we created three proof-of-concept applications to defeat 802.11b security. One collects valid MAC addresses on the network, which defeats MAC-address-based restrictions. Another builds a code book using known-plaintext attacks, and the third decrypts 802.11b traffic on-the fly using the code book.