Handhelds Might Be a Security Risk

Posted By: Ed Monday, January 22, 2001 10:08:14 AM

vnunet is quoting Security consultants @stake who point out that Palm handhelds are vulnerable to having passwords stolen from them wirelessly. @stake has written an app that takes advantage of the Palm's ability to HotSync via its infrared port. Notsync tricks a Palm into thinking it is connected to its owner's PC, rather than a hacker's PDA. The hacker then downloads the target's password.

While this simple app doesn't try to grab any other information off the target Palm, it is a fact that many people use the same password for everything, including accessing secure corporate networks.

Notsync's author, the vice president of R&D at @Stake said, "Wireless is extending the frontier of the corporate network and lowering the level of security, while magnifying the problems." But he added, "We're not trying to scare anyone here. We're trying to stress that companies must adopt a strategic approach to wireless security."

Permalink |

Article Comments

(10 comments)

The following comments are owned by whoever posted them. PalmInfocenter is not responsible for them in any way.
Please Login or register here to add your comments.

Comments Closed
This article is no longer accepting new comments.

Well put

I.M. Anonymous @ 1/22/2001 8:19:42 PM #

However I think the major problem is that to integrate smth like a public/private key system into hotsync isn't feasable due to the fact that the Palm processors are only 16-20 MHz and this form of encryption is rather processor intensive.

Also if Palm supplied 128 bit (or higher) encryption into it's IR functions then it couldn't export them out of Canada and the US so you can't really blame them for not trying.

128-bit encryption is exportable...

I.M. Anonymous @ 1/25/2001 4:05:59 PM #

...except for places like Cuba and Iran, etc.

Only as secure as...

nospam@home.go @ 1/23/2001 2:13:00 AM #

Only as secure as practices.
After my going to a palm-related
show and finding I had acquired 50
new contacts, I set my "beam"
preference off. (I also lock mycar
door).

Keep it on you

Queen Of Swords @ 1/23/2001 6:14:08 AM #

My palm is only a security risk when they pry it out of my cold, dead fingers. If you keep it with you at all times, and have a cover that obscures the IR port, this new trick is easily prevented.

?

I.M. Anonymous @ 1/23/2001 11:23:40 AM #

This seems as rather a non-issue. Unless I am mistaken, and someone please correct me if I am, you must initiate a hot synch from the Palm or its cradle. No one is going to be able to surreptitiously come up to you and steal your data without your active [and ignorant] involvement. While it (sounds) feasible that you could trick a Palm into thinking it was synching, the above exploit would require a series of events and a setup that is just plain unlikely...

Lets get real

George Brink @ 1/23/2001 11:58:27 AM #

Putting this in perspective, the risk is only if you Hotsync by IR and I think most people who do this might just spot someone standing less than a metre away pointing their Palm at you while you sync.

Bluetooth

GrouchoMarx @ 1/23/2001 2:53:45 PM #

OK, it may seem crazy now. But just wait for when Palms come Bluetooth enabled, or 802.11b enabled. Automatic, wireless, transparent networking with any other deivce within 10 meters that it can find. With the current state of Palm security, that's a big neon "hack me" sign.

--GrouchoMarx

RE: Bluetooth

PMYirrell @ 1/23/2001 5:49:00 PM #

So maybe people should find other places than their Palm to store sensitive data!! Otherwise someone will have to develop VERY good encryption or security software. Maybe if Palm made it impossible to transfer memos etc., when they are marked private.
Anyone Know if this would be possible?