Penetration Testing mailing list archives
Re: [PEN-TEST] Palm Pilot Security
From: Aviram Jenik <aviram () BEYONDSECURITY COM>
Date: Fri, 26 Jan 2001 11:10:36 +0200
Hi.

Apart from L0pht's notsync (which was already mentioned) there is an almost trivial way to bypass the password protection if you have physical access to either the Palm device or the computer that the Palm is sync'ed with.

The ingredients are an extra Palm device (besides the device you're trying to break into) and physical access to the device or PC. The procedure is simple, and outlined in our article:
http://www.securiteam.com/securitynews/Gaining_easy_access_to_private_Palm_records.html
(NOTE: URL might be wrapped)

The Palm was clearly not designed to prevent an attack where an attacker has physical access to the PDA. Maybe OS4 will fix that?

--
Aviram Jenik
Beyond Security Ltd.
http://www.BeyondSecurity.com
http://www.SecuriTeam.com

----- Original Message -----
From: "Mike Ahern" <mc_ahern () YAHOO COM>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Thursday, January 25, 2001 7:43 PM
Subject: Palm Pilot Security

A Quick Question...

Does anyone have any real life experience in evaluating the security of Palm Pilot systems?

Someone is proposing using the Palm along with RSA/Security Dynamics soft token, and as a method of gaining some remote network access. I am being asked to sign off on it.

I understand that the Palm units may be password protected, but that on the original Palm Pilots you could remove the batteries to reset the unit & password.

Also I understand that new Palm 5 units use an internal lithium rechargeable battery, and have a reset button that can be used to "reboot" the Palm Pilot.

I also am aware that the L0pht guys found a way in the past to undermine the security of the Cryptocard soft token.

Anybody aware of methods to hack past the password protection on the Palm? I assume that like anything else, physical access equals potential for 100% system compromise.

Anyone aware of any RSA/Security Dynamics soft token security issues on the Palm Pilot?

Any thoughts or experiences shared (lessons learned) would be appreciated...

- Mike