Penetration Testing mailing list archives
Re: [PEN-TEST] Palm Pilot Security
From: Scott Treacy <scott.treacy () HARRIERZEUROS CO UK>
Date: Fri, 26 Jan 2001 16:12:18 -0000
Rory,

Wrong link. You sent the one on the SafeWord e.iD Palm Authenticator PIN Extraction. The one for the NotSync password retrieval is http://www. () stake com/research/advisories/2000/index_q3.html#092600-1 where you'll find downloads for the tools used and the proof of concept.

Anyway, there is no way I'd use a Palm or any other PDA for a SoftToken.

Scott

---
Scott Treacy            Tel: +44 (0) 1256 760 081
Technical Consultant    Fax: +44 (0) 1256 760 091
Harrier Group PLC       DDI: +44 (0) 1256 382 819
Cromwell House          Mob: +44 (0) 7866 757 273
Hook                    scott.treacy () harrierzeuros co uk

-----Original Message-----
From: Rory [SMTP:nazgul () CSN UL IE]
Sent: Friday, January 26, 2001 12:59 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] Palm Pilot Security

There is a tool on the @stake website that steals passwords from Palms. You have to get pretty close, but it effectively makes the target Palm think that it is talking to a computer when in fact it is another Palm. Here is the link to it:

http://www. () stake com/research/advisories/2000/index.html#121400-1

cheers,
Rory

On Thu, 25 Jan 2001, Mike Ahern wrote:

A Quick Question...

Does anyone have any real life experience in evaluating the security of Palm Pilot systems?

Someone is proposing using the Palm along with RSA/Security Dynamics soft token, and as a method of gaining some remote network access. I am being asked to sign off on it.

I understand that the Palm units may be password protected, but that on the original Palm Pilots you could remove the batteries to reset the unit & password. Also I understand that new Palm 5 units use an internal lithium rechargeable battery, and have a reset button that can be used to "reboot" the Palm Pilot.

I also am aware that the L0pht guys found a way in the past to undermine the security of the Cryptocard soft token.

Anybody aware of methods to hack past the password protection on the Palm? I assume that like anything else, physical access equals potential for 100% system compromise.

Anyone aware of any RSA/Security Dynamics soft token security issues on the Palm Pilot?

Any thoughts or experiences shared (lessons learned) would be appreciated...

- Mike