OBEX Security (Windows Embedded CE 6.0)
1/6/2010
Object Exchange Protocol (OBEX) has the following potential security risk:
- OBEX supports plug-in services from third-party vendors. If these extensions do not use proper security and authentication procedures, they could compromise the security of a device or local network.
OBEX is a session layer protocol that allows devices to exchange data in a simple and spontaneous manner. The protocol can run over a variety of transports. In Windows Embedded CE, the supported transports are IrDA and Bluetooth. OBEX provides security support through an authentication mechanism that uses a challenge and response scheme. Any connection attempt that does not pass the authentication procedure is disallowed.
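The challenge and response scheme described above, as an added example (not code from this page or from the Windows Embedded CE OBEX implementation). It assumes the header layout and digest defined in the IrOBEX specification: an Authenticate Challenge header (0x4D) carrying a nonce, answered by an Authenticate Response header (0x4E) carrying MD5(nonce ":" password). The function names and any password passed in are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

AUTH_CHALLENGE, AUTH_RESPONSE = 0x4D, 0x4E  # OBEX header IDs
TAG_DIGEST, TAG_NONCE = 0x00, 0x02  # tags inside an Authenticate Response

def _header(header_id, tlvs):
    body = b"".join(bytes([tag, len(val)]) + val for tag, val in tlvs.items())
    # The 2-byte big-endian length also counts the ID and length bytes.
    return struct.pack(">BH", header_id, len(body) + 3) + body

def build_challenge():
    """Server: fresh 16-byte nonce per challenge (tag 0x00 in a challenge)."""
    nonce = os.urandom(16)
    return nonce, _header(AUTH_CHALLENGE, {0x00: nonce})

def build_response(nonce, password):
    """Client: request-digest = MD5(nonce ":" password)."""
    digest = hashlib.md5(nonce + b":" + password).digest()
    return _header(AUTH_RESPONSE, {TAG_DIGEST: digest, TAG_NONCE: nonce})

def parse_tlvs(header, expected_id):
    """Strict parse; any length inconsistency raises ValueError."""
    if len(header) < 3 or header[0] != expected_id:
        raise ValueError("unexpected header")
    if struct.unpack(">H", header[1:3])[0] != len(header):
        raise ValueError("bad header length")
    tlvs, pos = {}, 3
    while pos < len(header):
        if pos + 2 > len(header) or pos + 2 + header[pos + 1] > len(header):
            raise ValueError("truncated tag")
        tag, length = header[pos], header[pos + 1]
        tlvs[tag] = header[pos + 2 : pos + 2 + length]
        pos += 2 + length
    return tlvs

def verify_response(header, issued_nonce, password):
    """Server: True only for a well-formed response to the nonce we issued."""
    try:
        tlvs = parse_tlvs(header, AUTH_RESPONSE)
    except ValueError:
        return False
    # The echoed nonce is optional; if present it must match the one we issued.
    if tlvs.get(TAG_NONCE, issued_nonce) != issued_nonce:
        return False
    expected = hashlib.md5(issued_nonce + b":" + password).digest()
    return hmac.compare_digest(tlvs.get(TAG_DIGEST, b""), expected)
```

This exchange authenticates the peer but does not encrypt the objects that follow, which is why the best practices below pair it with Bluetooth encryption.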
Best Practices
Turn on authentication in OBEX by default
Although authentication is an option for OBEX, Microsoft recommends that you turn authentication on by default to allow only authorized individuals to make connections and exchange data with the server.
Turn on Bluetooth encryption when running OBEX over Bluetooth
Sensitive information can be encrypted prior to being sent over the network. This prevents unauthorized users from viewing data in transmitted packets.
Use Bluetooth authentication as appropriate when transferring sensitive data
The server can ask for authentication in response to a connection request. Once a connection is established, authentication can be challenged for various requests. Both Kerberos and Secure Sockets Layer (SSL) authentication mechanisms are supported.
Default Registry Settings
You should be aware of the registry settings that impact security. If a value has security implications, you will find a Security Note in the registry settings documentation.
For OBEX registry information, see OBEX Registry Settings.
Ports
No specific ports are used for OBEX.