5 Urgent Security Issues for Legacy OS Rugged Devices

Cyber security is an arms race. Criminals are constantly looking for new technologies and approaches to attack IT infrastructure. Businesses, meanwhile, are employing innovative ways to ensure they are not outgunned by the criminals, so they can keep the gates firmly shut and valuable data safe.

This situation is a real and present danger for every business. But what if it was compounded by your company using an outdated OS for rugged devices that has fallen way behind current standards for protecting you from cyber attack?

This is the situation businesses using Microsoft Windows Mobile operating systems (which include Windows CE and Windows Embedded) find themselves in. They are deploying technology for rugged devices no longer suitable for modern security requirements. With data breaches costing businesses on average £3m in the UK, or £11,000 for small businesses, the price for procrastinating on that essential OS upgrade could be significant.

Legacy operating systems can lead to costly security breaches

We look at five ways businesses using legacy operating systems for their rugged devices are vulnerable to attack. We hope this post will encourage you to do the right thing for your business, its data and its customers, and plan an OS upgrade for your tech as soon as possible.

1. No OS Updates for Rugged Devices

Mainstream support has ended or is ending imminently for all versions of Windows Mobile. Extended support, which is what delivers security patches, has now ended for every version except Windows Embedded Compact 2013, for which it ends in October 2023.

What does this mean in practice? Put plainly, without regular security patches there is no one working to protect your device from attack. Any security vulnerabilities that exist on your OS will, by definition, never get fixed.

The range of potential attacks is dizzying: viruses, trojans, ransomware, hacking and adware, to name the big offenders. Now imagine a whole fleet of unsupported devices. The ‘attack surface’ for cybercriminals (the sum of all the different points where an unauthorised user can get in) is huge.

Once a criminal gains entry via your rugged devices, they can potentially threaten your entire IT infrastructure. This is a tangible threat: 98% of UK organisations surveyed by Carbon Black reported an increase in cyber attacks on their business in the past 12 months. OS vulnerabilities were the top cause of these breaches.

2. No OS Level Encryption

When you enter a PIN code into your phone, you’re doing more than just unlocking it: you are also decrypting the data so it is readable.

Android Enterprise devices have strong encryption enabled by default. Without your password, the data cannot be read even if the storage media is removed from the device and plugged into another computer, or if the device is factory reset.

You can probably guess where we are going with this now. Windows Mobile does not have any capability for device-level encryption. While you can still choose to encrypt individual files, it’s a manual and often slow process. There will also be many files on the device (particularly those concerning the OS) that won’t be encrypted, which could be a security risk.

Imagine the implications of a criminal given unfettered access to files on lost or stolen company rugged devices, and you can see why this gap needs to be plugged.

Android rugged devices are encrypted by default

3. Out of Date Cryptography

At the top of the article, we referred to security as an arms race. Nowhere is this metaphor more apt than in the case of cryptography.

Cryptographic software transforms data so that it cannot be read or tampered with by anyone who does not hold the key. Most if not all operating systems protect data this way. However, as criminals find ways to break older algorithms, best practice is constantly updated to keep data secure. For example, when Windows CE was released, it was standard practice to use the MD5 hashing algorithm. MD5 is now obsolete and has been superseded by the SHA-2 and SHA-3 families.

This is not just a problem at the operating system level. Much of the software that was written for Windows CE also used MD5. Unless your software is being regularly maintained there is a strong chance that it is still using outdated cryptography and needs to be updated to stay secure.
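As an added illustration of that last point (example code written for this post, not from the article or from Nuffield Technologies), here is how an application that still stores unsalted MD5 credential hashes, as Windows CE-era software often did, can be moved to a SHA-2 based scheme without forcing every user to reset their password: each record carries a scheme prefix, a login is checked against whatever scheme the record uses, and a successful check against a legacy MD5 record produces a replacement record hashed with salted PBKDF2-HMAC-SHA256. The record format, the `md5$` / `pbkdf2_sha256$` prefixes, the iteration count and the sample secret are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample record: an unsalted MD5 hash of the secret, stored the way a
# legacy Windows CE-era application might have stored it (hypothetical data).
LEGACY_MD5 = "md5$" + hashlib.md5(b"correct horse").hexdigest()

# Iteration count for PBKDF2-HMAC-SHA256 (assumed value for this example).
PBKDF2_ITERATIONS = 600_000


def hash_modern(secret: bytes, salt: Optional[bytes] = None) -> str:
    """Hash a secret with salted PBKDF2-HMAC-SHA256 and return a self-describing record."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(stored: str, secret: bytes) -> Tuple[bool, str]:
    """Check a secret against a stored record of either scheme.

    Returns (ok, record_to_store). When a legacy MD5 record verifies, the returned
    record is an upgraded PBKDF2 one that the caller should write back; otherwise
    the original record is returned unchanged.
    """
    scheme, _, rest = stored.partition("$")
    if scheme == "md5":
        # Constant-time comparison avoids leaking how many characters matched.
        ok = hmac.compare_digest(hashlib.md5(secret).hexdigest(), rest)
        return (ok, hash_modern(secret) if ok else stored)
    if scheme == "pbkdf2_sha256":
        iters, salt_hex, dk_hex = rest.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", secret, bytes.fromhex(salt_hex), int(iters))
        return (hmac.compare_digest(dk.hex(), dk_hex), stored)
    raise ValueError(f"unknown hash scheme {scheme!r}")


def audit(records: Dict[str, str]) -> List[str]:
    """Return the names of records still on the legacy MD5 scheme."""
    return [name for name, rec in records.items() if rec.startswith("md5$")]


if __name__ == "__main__":
    store = {"alice": LEGACY_MD5}
    print("legacy records before login:", audit(store))
    ok, new_record = verify(store["alice"], b"correct horse")
    if ok:
        store["alice"] = new_record  # migrate on successful login
    print("legacy records after login:", audit(store))
```

The `audit` function is the useful follow-up: run it periodically and, once the list is empty (or after a cut-off date for accounts that never logged in), the MD5 branch of `verify` can be deleted so the old algorithm no longer exists in the code at all.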

4. No OS Features to Prevent Theft and Misuse

If you’re an Android user, your rugged devices have built-in technology to help you protect lost or stolen phones.

The location of a lost phone can be found via GPS. Since GPS won’t necessarily give you a precise location, you can even make the phone ring at full volume for five minutes to help find it. This is possible even if it was previously set to silent or vibrate. Other helpful features include the ability to lock your phone remotely (and even set a lock if you don’t have one) and add a message or phone number to a missing phone’s lock screen.

Should you suspect foul play or just decide it’s not worth taking a chance with your business data, you can remotely wipe your phone.

All of these features are available as part of your system settings. By contrast, legacy Windows Mobile phones have no similar features as part of their OS and locating or safeguarding lost and stolen phones is never going to be as easy.

GPS can help you to find lost Android rugged devices

5. No Path to Security Certification

Our final point doesn’t concern a security breach, but it could have big financial implications for your company.

Using Windows Mobile or other legacy systems for your rugged devices means that you are, or will be, using an OS that is no longer receiving security updates. Therefore, you are not properly protecting data and will almost certainly not qualify for security accreditations such as ISO 27001 and Cyber Essentials. Customers, particularly if you are a business-to-business (B2B) organisation, will pay close attention to your cyber-security policy. Failure to meet these standards could cost you clients and revenue.

It’s also important to note that all businesses must comply with UK GDPR regulations. If you are handling personally identifiable information on devices running Windows CE you cannot be GDPR compliant and the devices need to be upgraded as a matter of urgency.

Nuffield Technologies helps businesses of all sizes upgrade their rugged device fleet from legacy systems to Android. For a full overview of what to do to get started, read our white paper ‘How to Upgrade Windows® CE Mobile Apps to Android™: A Step by Step Guide for Businesses’.