While we know Android is riddled like Swiss cheese with security exploits, Windows Phone 7, except for the jailbreaking scene, has been left more or less alone.
At Deepsec in Vienna, security researchers will be discussing methods to attack OS security in Windows Phone 7 by exploiting the special privileges OEM applications have.
The talk will aim to provide an introduction to the Windows Phone 7 (WP7) security model to allow security professionals and application developers to understand the unique platform security features offered. Currently very little public information is available about Windows Phone 7 OS security, preventing adequate determination of the risk exposed by WP7 devices.
The ever increasing challenges and stages of exploitation an attacker has to overcome to achieve full compromise will be discussed. The talk will outline the implementation of these security features and will demonstrate weaknesses and vulnerabilities an attacker could use to bypass the multiple levels of platform security.
A number of OEM manufacturer weaknesses, “features?” will be discussed and a demonstration of how these “features” can be abused in conjunction with conventional exploits to achieve full compromise of the phone will be performed. The talk will demonstrate how OEM phone manufacturers can weaken the security posture of an otherwise strong granular security model and also demonstrate how targeted attacks can be made which leverage this OEM “functionality” to compromise sensitive information.
We already know the jailbreaking community is taking the same route via Microsoft.Phone.InteropServices, a hole which Microsoft is already trying to close. However, while Microsoft gives OEMs special privileges, their security will only be as good as the implementation of those OEMs.
Read more about Deepsec here.