Information Security News mailing list archives

Passwords don't protect Palm data, security firm warns


From: InfoSec News <isn () C4I ORG>
Date: Sat, 3 Mar 2001 04:06:44 -0600

http://news.cnet.com/news/0-1006-201-5005917-0.html?tag=mn_hd

By Robert Lemos
Special to CNET News.com
March 2, 2001, 11:45 a.m. PT

People who rely on passwords to keep strangers from poking through the
data stored on their Palms actually have no protection at all, a
network security company warns.

In an alert posted Thursday, @Stake pointed to a back door in the Palm
operating system that allows anyone with developer tools to access
data on handhelds that have been "locked" with a password.

If someone finds or steals a Palm, the owner's data is basically an
open book. And the theft of mobile devices for their data is becoming
more common.

"This is the nail in the coffin of the notion that the Palm has any
security for your data," said Chris Wysopal, director of research and
development for Cambridge, Mass.-based @Stake.

"Any attacker with a laptop and a serial (syncing) cable is pretty
much able to access everything on the device," he said.

Handspring's Visor handhelds and Sony's Clie use the Palm OS.

Palm representatives would not immediately comment on the advisory.

The security flaw is actually in the OS for a reason. Palm software
engineers and many of its application developers use the back door to
debug applications running on the handheld. Many of them do not
consider it to be a security issue, Wysopal said.

However, few people who use the devices realize that using a password
will keep only the casually curious from looking at their data.

For that reason, @Stake said, it released the warning.

"It's equivalent to adding a password to your PC's screensaver. There's
no true security in that," said Wysopal, who is known in the security
community by his hacker handle, Weld Pond.

Last September, @Stake discovered that the encrypted password used by
Palm OS to protect so-called private records from prying eyes could
easily be broken. With the discovery of the latest back door, it would
seem that no data is safe.

With a laptop loaded with developer tools and a sync cable, anyone who
obtains access to a handheld can access the owner's data, add or
delete applications, and format the memory card.

Even Palm handhelds protected by encryption software could be
compromised by using the back door to load a program to record all
passwords as they are entered.
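The two weaknesses the article describes, a lock that the debug port simply ignores and a password-capturing program loaded through that same port, as an added Python model. This is illustrative code written for this page, not Palm OS code and not @Stake's tooling; the device classes, the PBKDF2 key derivation, the HMAC-based toy stream cipher and the sample records are all assumptions constructed for the example. The point it shows is the screensaver analogy above: a lock flag checked only by the user interface protects nothing once an attacker can read memory directly, whereas data encrypted under a key derived from the password survives a memory dump, until the owner types the password into a device that has been trojaned.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from the advisory): the kind of records the
# article says administrators keep on their handhelds.
SAMPLE_RECORDS = {"router-admin": "hunter2", "domain-admin": "Tr0ub4dor&3"}
OWNER_PASSWORD = "palm1234"


def derive_key(password: str, salt: bytes) -> bytes:
    """Slow password-to-key derivation; the key itself never has to be stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000, dklen=32)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream built on HMAC-SHA256 so the example needs only the
    stdlib. Real code should use an authenticated cipher such as AES-GCM."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


class LockedDevice:
    """The Palm OS situation as the article describes it: a lock flag gates the
    user interface, but the records sit in memory in the clear."""
    def __init__(self, password, records):
        self._password, self._records, self.locked = password, dict(records), True

    def unlock(self, attempt):
        if attempt == self._password:
            self.locked = False
        return not self.locked

    def read_via_ui(self, name):
        if self.locked:
            raise PermissionError("device is locked")
        return self._records[name]

    def read_via_debugger(self, name):
        # The debug port reads memory directly; the lock flag is never consulted.
        return self._records[name]


class EncryptedDevice:
    """Records encrypted under a password-derived key; the key exists only while
    unlocked and the password is never stored, only a verifier tag for it."""
    def __init__(self, password, records):
        self._salt = os.urandom(16)
        key = derive_key(password, self._salt)
        self._verifier = hmac.new(key, b"unlock-check", hashlib.sha256).digest()
        self._records = {}
        for name, value in records.items():
            nonce = os.urandom(12)
            self._records[name] = nonce + keystream_xor(key, nonce, value.encode())
        self._key = None

    def unlock(self, attempt):
        key = derive_key(attempt, self._salt)
        tag = hmac.new(key, b"unlock-check", hashlib.sha256).digest()
        if hmac.compare_digest(tag, self._verifier):
            self._key = key
        return self._key is not None

    def lock(self):
        self._key = None

    def read_via_ui(self, name):
        if self._key is None:
            raise PermissionError("device is locked")
        blob = self._records[name]
        return keystream_xor(self._key, blob[:12], blob[12:]).decode()

    def read_via_debugger(self, name):
        # The debugger still reads memory, but memory holds only ciphertext.
        return self._records[name]


def install_password_hook(device, sink):
    """The article's second attack: code loaded over the debug port wraps the
    password prompt and records whatever the owner types."""
    original = device.unlock
    def hooked(attempt):
        sink.append(attempt)
        return original(attempt)
    device.unlock = hooked


def demo_lock_bypass():
    """Thief with debug access and no password: the lock flag is simply not checked."""
    dev = LockedDevice(OWNER_PASSWORD, SAMPLE_RECORDS)
    return dev.read_via_debugger("router-admin")


def demo_encryption_holds():
    """Same thief against encrypted storage: the dump is ciphertext and guessing fails."""
    dev = EncryptedDevice(OWNER_PASSWORD, SAMPLE_RECORDS)
    dumped = dev.read_via_debugger("router-admin")
    return b"hunter2" not in dumped and not dev.unlock("wrong")


def demo_keylogger():
    """Encryption falls once the owner types the password into a trojaned device."""
    dev = EncryptedDevice(OWNER_PASSWORD, SAMPLE_RECORDS)
    captured = []
    install_password_hook(dev, captured)
    dev.unlock(OWNER_PASSWORD)      # owner uses the device normally
    dev.lock()
    dev.unlock(captured[0])         # attacker replays the captured password later
    return dev.read_via_ui("domain-admin")
```

The design choice worth noting is where the password goes: in LockedDevice it is compared and then the comparison result is trusted by one code path, so anything that skips that path gets the data; in EncryptedDevice the password is an input to key derivation, so skipping the check yields nothing readable. Neither design survives code running on the device before the owner authenticates, which is why the article treats the debug port itself as the problem.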

Wysopal warned that weak Palm security could lead to other compromises
as well.

"You have corporate administrators keeping their company's critical
passwords on their Palm because they think it is secure," he said.

The back door affects all current versions of the Palm OS, Wysopal
said. Palm OS 4.0, due later this year, is expected to correct the
problem.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".