Penetration Testing mailing list archives

Re: [PEN-TEST] Palm Pilot Security


From: Scott Treacy <scott.treacy () HARRIERZEUROS CO UK>
Date: Fri, 26 Jan 2001 16:12:18 -0000

Rory,
Wrong link. You sent the one on the SafeWord e.iD Palm Authenticator PIN
Extraction. The one for the NotSync password retrieval is
http://www. () stake com/research/advisories/2000/index_q3.html#092600-1 where
you'll find downloads for the tools used and the proof of concept.
Anyway, there is no way I'd use a Palm or any other PDA for a SoftToken.
Scott
---
Scott Treacy           Tel: +44 (0) 1256 760 081
Technical Consultant   Fax: +44 (0) 1256 760 091
Harrier Group PLC      DDI: +44 (0) 1256 382 819
Cromwell House         Mob: +44 (0) 7866 757 273
Hook            scott.treacy () harrierzeuros co uk


-----Original Message-----
From: Rory [SMTP:nazgul () CSN UL IE]
Sent: Friday, January 26, 2001 12:59 AM
To:   PEN-TEST () SECURITYFOCUS COM
Subject:      Re: [PEN-TEST] Palm Pilot Security

There is a tool on the @stake website that steals passwords from
Palms. You have to get pretty close, but it effectively makes the target
Palm think that it is talking to a computer when in fact it is another Palm.
Here is the link to it:

http://www. () stake com/research/advisories/2000/index.html#121400-1

cheers,
Rory
On Thu, 25 Jan 2001, Mike Ahern wrote:

A Quick Question...

Does anyone have any real life experience in
evaluating the security of Palm Pilot systems? Someone
is proposing using the Palm along with RSA/Security
Dynamics soft token, and as a method of gaining some
remote network access. I am being asked to sign off on
it.

I understand that the Palm units may be password
protected, but that on the original Palm Pilots you
could remove the batteries to reset the unit &
password. Also I understand that new Palm 5 units use
an internal lithium rechargeable battery, and have a
reset button that can be used to "reboot" the Palm
Pilot.

I also am aware that the L0pht guys found a way in the
past to undermine the security of the Cryptocard soft
token.

Anybody aware of methods to hack past the password
protection on the Palm? I assume that like anything
else, physical access equals potential for 100% system
compromise. Anyone aware of any RSA/Security Dynamics
soft token security issues on the Palm Pilot?


Any thoughts or experiences shared (lessons learned)
would be appreciated...


- Mike



