Crackers can zap data off Palm Pilots

[InfoSec News <isn () C4I ORG>]

http://www.vnunet.com/News/1116644

By Ian Lynch  [19 Jan 2001]

Security consultants @stake have added to the weight of expert opinion
that business use of PDAs such as a Palm Pilot may be a security risk.
@stake, a US-based security consultant, has written a piece of
software code that can zap passwords off targeted Palm Pilots through
taking advantage of the PDA's hotsync function. Hotsync is used to
transfer data between the user's PC and a Palm Pilot.

Called Notsync, the code fools the targeted Palm Pilot into thinking
it is talking to the user's desktop computer, rather than a hacker's
PDA. The hacker then downloads the target's password via the target
machine's infrared port.

Infrared ports have a range of 50cm to 100cm, but @stake said
amplifying systems can increase the range threefold.

The consultant said its Notsync code could be written by any competent
hacker, and is warning firms to make sure they know what company
information is being held on their employees' PDAs.

Notsync's author, Mudge, vice president of R&D at @Stake, said: "They
are completely vulnerable."

According to handheld manufacturer Psion, 70 per cent of IT managers
are concerned about how to integrate mobile working and applications
into office networks. The firm said around 75,000 people received
handhelds for Christmas.

@stake believes the line between personal and corporate information on
mobile technology is becoming blurred, and that this may put sensitive
data at risk through exposing links to corporate networks.

The firm believes that users often use the same password on their PCs
as other devices, thus exposing the corporate LAN from the Palm Pilot.
It says organisations should make it standard practice that employees
use different passwords for their various computers.

Mudge said: "Wireless is extending the frontier of the corporate
network and lowering the level of security, while magnifying the
problems."But he added: "We're not trying to scare anyone here. We're
trying to stress that companies must adopt a strategic approach to
wireless security.

"There's an opportunity with wireless to accentuate security and have
it thought of as an enabling activity rather than as an after-the-fact
reaction."

"Companies may not need to increase their security budget," said
Mudge, "but they do need to focus more intensely on where they are
spending. They need to know which data is sensitive to them, where it
is and what it's doing."

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".