Information Security News mailing list archives

Sharp's Zaurus PDA suffers security holes


From: InfoSec News <isn () c4i org>
Date: Fri, 12 Jul 2002 08:06:08 -0500 (CDT)

http://news.com.com/2100-1040-943163.html?tag=fd_top

By Richard Shim 
Staff Writer, CNET News.com
July 11, 2002, 12:50 PM PT

Sharp's Linux-based, business-oriented Zaurus handheld suffers from
security holes that could let hackers grab private data off a
corporate network, according to researchers at Syracuse University.

In an advisory posted Wednesday to a Syracuse University
computer-science Web site, researchers said they had found
vulnerabilities in Sharp's Zaurus SL-5500 and Zaurus SL-5000D
handhelds. The flaws let attackers take control of the device's file
system, giving them the power to overwrite files or lock the device so
no data can be input through the keypad or touch screen.

The biggest potential threat, though, exists when the device is
wirelessly connected to a company's network, where sensitive data
might be stored. The flaws would enable attackers to download and
upload files.

"These vulnerabilities mean that the Zaurus can be used as a launching
point to attack the network," said K. Reid Wightman, one of the
researchers who worked on the advisory.

Security holes are not likely to help Zaurus' already delicate
prospects.

Large businesses are the company's target audience with the device,
but, being Linux-based, the gadget was already at risk of being
overlooked by corporate IT buyers. Though Linux has become a fact of
life in the computing world and has been adopted for limited use by a
number of companies, Linux handhelds remain a rarity.

The Syracuse researchers notified Sharp of the vulnerabilities,
according to the advisory, and Sharp spokeswoman Nancy Boyle Levene
said the company is working on a patch. It's not yet clear, though,
when the fix will be available, she said.

"Thus far, (the Zaurus has) been primarily a consumer product, so it
isn't a major problem for businesses," Levene said, adding that Sharp
anticipates greater business interest in the Zaurus once the company
makes its mobile services available in October.

Linux is an open-source operating system, giving developers equal
access to the code. Many consider that an advantage in a situation
like this, as security flaws are found quickly and fixes and other
software improvements can be added by a whole community of
programmers, not just those employed by a particular company. However,
Sharp has not released the source code for the Zaurus' particular
operating system to the open-source community, nor has it integrated
any community updates to its OS, choosing instead to go a more
proprietary route.

"Sharp committed to Linux and the open-source community, but they've
realized that they don't want to live the lifestyle," said a source
familiar with the company's plans.

The source added that there is an OS in the open-source community,
called OpenZaurus, that is compatible with the software included on
the Zaurus. Sharp is using a modified version of Lineo's Embedix Plus
PDA OS in its Zaurus handheld device. The Embedix Plus PDA OS is built
around the Linux kernel.

Wednesday's advisory is part of a Syracuse University research project
aimed at analyzing the security of the Zaurus and its use as a hacking
tool, according to Syracuse University's Center for Systems Assurance
Web site.

According to a source familiar with Sharp's plans, the company's
next-generation Zaurus device, due this fall, will address the
vulnerabilities. The gadget will come with Intel's 400MHz XScale
PXA250 processor and a larger battery than the one found in Sharp's
currently available Zaurus SL-5500. The Zaurus SL-5500 uses Intel's
206MHz StrongARM SA-1110 processor.

The vulnerable Zaurus SL-5000D and the Zaurus SL-5500 are nearly
identical, but the 5500 comes with 64MB of memory, while the 5000D
comes with 32MB. The 5000D is the developer's version of the Zaurus.



-
ISN is currently hosted by Attrition.org
