IP: Passwords don't protect Palm data, security firm warns: [risks] Risks Digest 21.26

[David Farber <dave () farber net>]

Palm acknowledged the problem djf

> Date: Fri, 02 Mar 2001 17:41:00 -0500
> From: yan () storm ca (Yves Bellefeuille)
> Subject: Passwords don't protect Palm data, security firm warns
>
> At http://news.cnet.com/news/0-1006-202-5005917-0.html:
>
> Passwords don't protect Palm data, security firm warns
> By Robert Lemos
> Special to CNET News.com
> March 2, 2001, 11:45 a.m. PT
> http://news.cnet.com/news/0-1006-201-5005917-0.html?tag=prntfr
>
>
> People who rely on passwords to keep strangers from poking through the
> data stored on their Palms actually have no protection at all, a network
> security company warns.
>
> In an alert posted Thursday, @Stake pointed to a back door in the Palm
> operating system that allows anyone with developer tools to access data
> on handhelds that have been "locked" with a password.
>
> If someone finds or steals a Palm, the owner's data is basically an open
> book. And the theft of mobile devices for their data is becoming more
> common.
>
> "This is the nail in the coffin of the notion that the Palm has any
> security for your data," said Chris Wysopal, director of research and
> development for Cambridge, Mass.-based @Stake.
>
> "Any attacker with a laptop and a serial (syncing) cable is pretty much
> able to access everything on the device," he said.
>
> Handspring's Visor handhelds and Sony's Clie use the Palm OS.
>
> Palm representatives would not immediately comment on the advisory.
>
> The security flaw is actually in the OS for a reason. Palm software
> engineers and many of its application developers use the back door to
> debug applications running on the handheld. Many of them do not consider
> it to be a security issue, Wysopal said.
>
> However, few people who use the devices realize that using a password
> will keep only the casually curious from looking at their data.
>
> For that reason, @Stake said, it released the warning.
>
> "It's equivalent to adding a password to your PC's screensaver. "There's
> no true security in that," said Wysopal, who is known in the security
> community by his hacker handle, Weld Pond.
>
> Last September, @Stake discovered that the encrypted password used by
> Palm OS to protect so-called private records from prying eyes could
> easily be broken. With the discovery of the latest back door, it would
> seem that no data is safe.
>
> With a laptop loaded with developer tools and a sync cable, anyone who
> obtains access to a handheld can access the owner's data, add or delete
> applications, and format the memory card.
>
> Even Palm handhelds protected by encryption software could be
> compromised by using the back door to load a program to record all
> passwords as they are entered.
>
> Wysopal warned that weak Palm security could lead to other compromises
> as well.
>
> "You have corporate administrators keeping their company's critical
> passwords on their Palm because they think it is secure," he said.
>
> The back door affects all current versions of the Palm OS, Wysopal said.
> Palm OS 4.0, due later this year, is expected to correct the problem.
>
> Yves Bellefeuille <yan () storm ca>, Ottawa, Canada



For archives see: http://www.interesting-people.org/