Subject: IP: Passwords don't protect Palm data, security firm warns: [risks] Risks Digest 21.26
Palm acknowledged the problem

djf

>Date: Fri, 02 Mar 2001 17:41:00 -0500
>From: yan@storm.ca (Yves Bellefeuille)
>Subject: Passwords don't protect Palm data, security firm warns
>
>At http://news.cnet.com/news/0-1006-202-5005917-0.html:
>
>Passwords don't protect Palm data, security firm warns
>By Robert Lemos
>Special to CNET News.com
>March 2, 2001, 11:45 a.m. PT
>http://news.cnet.com/news/0-1006-201-5005917-0.html?tag=prntfr
>
>
>People who rely on passwords to keep strangers from poking through the
>data stored on their Palms actually have no protection at all, a network
>security company warns.
>
>In an alert posted Thursday, @Stake pointed to a back door in the Palm
>operating system that allows anyone with developer tools to access data
>on handhelds that have been "locked" with a password.
>
>If someone finds or steals a Palm, the owner's data is basically an open
>book. And the theft of mobile devices for their data is becoming more
>common.
>
>"This is the nail in the coffin of the notion that the Palm has any
>security for your data," said Chris Wysopal, director of research and
>development for Cambridge, Mass.-based @Stake.
>
>"Any attacker with a laptop and a serial (syncing) cable is pretty much
>able to access everything on the device," he said.
>
>Handspring's Visor handhelds and Sony's Clie use the Palm OS.
>
>Palm representatives would not immediately comment on the advisory.
>
>The security flaw is actually in the OS for a reason. Palm software
>engineers and many of its application developers use the back door to
>debug applications running on the handheld. Many of them do not consider
>it to be a security issue, Wysopal said.
>
>However, few people who use the devices realize that using a password
>will keep only the casually curious from looking at their data.
>
>For that reason, @Stake said, it released the warning.
>
>"It's equivalent to adding a password to your PC's screensaver. There's
>no true security in that," said Wysopal, who is known in the security
>community by his hacker handle, Weld Pond.
>
>Last September, @Stake discovered that the encrypted password used by
>Palm OS to protect so-called private records from prying eyes could
>easily be broken. With the discovery of the latest back door, it would
>seem that no data is safe.
>
>With a laptop loaded with developer tools and a sync cable, anyone who
>obtains access to a handheld can access the owner's data, add or delete
>applications, and format the memory card.
>
>Even Palm handhelds protected by encryption software could be
>compromised by using the back door to load a program to record all
>passwords as they are entered.
>
>Wysopal warned that weak Palm security could lead to other compromises
>as well.
>
>"You have corporate administrators keeping their company's critical
>passwords on their Palm because they think it is secure," he said.
>
>The back door affects all current versions of the Palm OS, Wysopal said.
>Palm OS 4.0, due later this year, is expected to correct the problem.
>
>Yves Bellefeuille <yan@storm.ca>, Ottawa, Canada

For archives see: http://www.interesting-people.org/