PDA Defense: the Best Offence Against Stolen Data

Posted By: Ed Thursday, October 11, 2001 8:27:15 AM

Handhelds are increasingly used to carry sensitive information. This includes not just credit card numbers but documents with company secrets worth millions. However, those familiar with the Palm OS are aware that the security built into the operating system is fairly minimal.

With this in mind, Asynchrony has introduced PDA Defense, which has been designed to secure the contents of Palm OS handhelds in case they get lost or stolen. It comes in a standard version for $20 and a professional version for $30.

It encrypts the contents of the handheld's memory and password protects them.

Only an encrypted form of the password is stored using an MD5 hash. PDA Defense erases the encryption key after the device is locked. The encryption key will be generated when user enters the correct password, and there is no way to recover an encryption key from the stored password hash.

There is an option to use a sequence of hardware buttons as the password, rather than using Graffiti.

Databases are decrypted only when they are needed, instead of all at once. This increases performance and response time.

PDA Defense is activated even after a soft reset on a locked device, requiring the user to provide a password to gain access. It also prevents use of system shortcuts to access the Palm OS debugger.

PDA Defense disables data transfer mechanisms, such as HotSync and IrDA, when the device is locked.

The standard version uses 64-bit Blowfish encryption. The professional one uses 28-bit or 512-bit.

The pro version has other features not included in the standard one. It prevents "brute force" attacks by limiting the number of attempts to unlock the device. When the user exceeds the maximum number of attempts, PDA Defense's "Bomb" feature bit-wipes all RAM databases without a user prompt. It can also be set to wipe the contents of memory if a device is not HotSynced within a specified time frame.

If an application uses multiple databases, the user can choose to encrypt only certain databases.

Neither version is able to encrypt the contents of expansion memory cards.

Article Comments

 (30 comments)

The following comments are owned by whoever posted them. PalmInfocenter is not responsible for them in any way.
Please Login or register here to add your comments.

Comments Closed Comments Closed
This article is no longer accepting new comments.

Down

what good is encryption for?

I.M. Anonymous @ 10/11/2001 8:46:14 AM #
I use PDA Defense Pro, and it works great.

But I still dont understand the purpose of encrypting data. What are the scenario that encryption data is for?

RE: what good is encryption for?
I.M. Anonymous @ 10/11/2001 9:59:46 AM #
Are you asking why the data is encrypted or why the password is encrypted?

Either way I guess the answer is the same... so that if someone pulled out the data and tried to read it, all they would be looking at is a bunch of seemingly random characters and numbers etc.



RE: what good is encryption for?
I.M. Anonymous @ 10/11/2001 4:16:33 PM #
An ever increasing amount of PDA use is being seen in the corporate and business markets. The PDA is not just a consumer product anymore. One of those business markets that is seeing tremendous growth in PDA use is HealthCare. An increasing number of physicians and medical professionals are utilizing the mobility of PDA to increase their accessibility to data...PATIENT DATA. Due to government regulations like HIPAA (Health Insurance Porability and Accountability Act of 1996), securing patient data as well as other forms of corporate data is of an ever increasing importance.

Hence the ever increasing need for better Security on all forms of computing devices.

Any password based encryption in Palm is not secure

I.M. Anonymous @ 10/11/2001 9:34:10 AM #
Any password based encryption in Palm is not secure, period, no matter how good the encryption algorithm. People just don't choose long and good passphrases.

Please expain this more?
I.M. Anonymous @ 10/11/2001 9:52:04 AM #
Thanks.

RE: Any password based encryption in Palm is not secure
I.M. Anonymous @ 10/11/2001 10:49:18 AM #
In short, cracking a password is easier than you want to believe. So, instead of attacking the encryption algorithm (which is hard), the attackers just "guess" the passwords. There are many techniques to do this.

TealLock, PDADefense, passwords, etc
epetrack @ 10/11/2001 11:00:30 AM #
Of course nothing is *totally* secure. But for those in various medical, business or other professions who need "reasonable" security, these are decent apps. I use TealLock, which has the advantage over PDADefense of still being locked and offering name/phone number on splash screen after a *hard* reset. On the other hand, I really wish it could also password protect some apps individually (which PDADefense can).

In my view, a major issue is still the reality that NONE of these apps can secure data on the MMC/SD card. Many are now backing up their palm to these cards, and that information is easily readable using a card reader. Making the data on the card secure would be a big step forward for those concerned with palm security....

Attempts at Password Limited
I.M. Anonymous @ 10/11/2001 11:21:38 AM #
PDA Defense limits the number of times you can attempt the password (3 to 10). After that it will erase the entire Palm. I have to believe that this would prevent all but the luckiest from accessing your Palm. It's a very good product.

RE: Any password based encryption in Palm is not secure
epetrack @ 10/11/2001 11:34:54 AM #
I would agree that erasing the RAM after 3 "bad" attempts at the password sounds very good. Unfortunately, it still does not address the problem of data and backups on the card.....

RE: Any password based encryption in Palm is not secure
I.M. Anonymous @ 10/11/2001 12:00:57 PM #
Erasing the RAM after three trials does not work. The attackers would first read the hashed password from the ram, then use a desktop computer to crack the password (offline).

RE: Any password based encryption in Palm is not secure
I.M. Anonymous @ 10/11/2001 12:09:40 PM #
You guys gotta be kidding me. Are you keeping state secrets on your Palm? Of course someone can hack almost anything if they want to. I think this program works just fine for the rest of us who just want to protect personal info.

RE: Any password based encryption in Palm is not secure
I.M. Anonymous @ 10/11/2001 12:45:00 PM #
Read the main article carefully. it said "Only an encrypted form of the password is stored using an MD5 hash". Hashed password is supposed not to be a secret. But, it is used for password cracking. False sense of security is worse than no security.

RE: Any password based encryption in Palm is not secure
I.M. Anonymous @ 10/11/2001 2:38:13 PM #
Checkout Gridlock Pro. It offers device-level protection (no protection for expansion cards) and the key is a sequence of squares on a 5 x 5 grid. It disables the system-level shortcuts which provide the trap door, and if you lose it, the only way to get the data is thru the grid. If you don't know the pattern, you have to do a hard reset which purges the RAM (a drawback if you forget your grid pattern). There is a freeware version which does not show the owner info and the pro version for $9.95 which does. The grid is easy to remember and it keeps your on-board data fairly secure. If you want data on an expansion card to be secure, it'll have to be encrypted. www.pdabusiness.com

RE: Any password based encryption in Palm is not secure
I.M. Anonymous @ 10/11/2001 2:40:07 PM #
Actually I feel a lot better knowing that 99.9% of the people picking up my lost handheld will not be able to get the information on it. That is not a false sense of security. Do you think I'm going to be less careful with my Palm just because I have this program on it?

RE: Any password based encryption in Palm is not secure
I.M. Anonymous @ 10/11/2001 4:45:59 PM #
You can achieve the same without spending $20 or $30. That is the difference.

RE: Any password based encryption in Palm is not secure
I.M. Anonymous @ 10/11/2001 4:57:04 PM #
Most of these comments indicate how tunneled our vision is.
Electronic Security i.e. Data Encryption, Password/PassPhrase required accessibility, is only a piece of an overall security policy. There are several other facets of securing information that must be incorporated.

The bottom line is that Security of information will only be as good as the amount of effort you put into it.

RE: Any password based encryption in Palm is not secure
I.M. Anonymous @ 10/11/2001 9:51:17 PM #
With the erasing data off a Palm after X attempts is a bad idea for me. It is my luck I forget the password and haven't hotsynced my data! That is why I prefer TealLock over PDA Defense. And you can have text on the screen when you lock it (w/ TealLock).

RE: Any password based encryption in Palm is not secure
I.M. Anonymous @ 11/10/2001 6:48:27 AM #
But PDA Defense lets you turn off the bitwiping, so if you are too scared of losing data, you don't have to use that feature. However, if you end up on the streets of New York and get worried about your Palm being lifted, it is good to be able to turn on "the bomb"

Other options

I.M. Anonymous @ 10/11/2001 12:49:29 PM #
I use TealLock with FlashPro. I've got TealLock and the setting file it allows you to generate in Flash. Even after a hard reset, my palm is locked. The databases are also encrypted but only after the devices locks. Makes it faster to access then while using your palm.

Encrypting SD Card

I.M. Anonymous @ 10/11/2001 1:48:27 PM #
Does anybody know if PDA Defense will have a feature for encrypting SD Card?

I found a lot of people leave their hotsync application on their laptop at work. That means people can get *ALL* of your Palm content without your knowledge.


RE: Encrypting SD Card
I.M. Anonymous @ 10/11/2001 5:59:18 PM #
For Securing and Encrypting your Synchronized Palm Data on your PC desktop or laptop. Check out Trust Digital's Forever Secure.

RE: Encrypting SD Card
I.M. Anonymous @ 10/11/2001 7:57:57 PM #
I asked this question before I bough PDA Defense PRO. They did indicate this was a future option.

Thanks Ed!

I.M. Anonymous @ 10/11/2001 2:20:04 PM #
Dear Ed:

Thanks for removing the offending postings from the handera geeks.

Ed you rock!!

PDA Defense the Best Offense Against Stolen Data ?

I.M. Anonymous @ 10/11/2001 5:46:46 PM #
I use PDA Secure from Trust Digital (www.trustdigital.com) The current version is v1.5 and has been in the market longer than PDA Defense. The features between these two product are almost identical, but I favor the user interface of PDA Secure.

Check it out.

RE: PDA Defense the Best Offense Against Stolen Data ?
Ed @ 10/11/2001 5:57:44 PM #
Yes but "PDA Secure the Best Offense Against Stolen Data" doesn't play off the cliché. Don't read too much into the title; I sometimes can't resist the urge to use too-clever headlines.

---
News Editor
RE: PDA Defense the Best Offense Against Stolen Data ?
I.M. Anonymous @ 10/11/2001 6:25:00 PM #
:)

RE: PDA Defense the Best Offense Against Stolen Data ?
I.M. Anonymous @ 10/12/2001 12:08:13 PM #
PDA Defense has a bitwiping feature that I think no other software has. It can be set up so that if someone enters a wrong password a certain number of time, all data on the device will be erased. It can also erase if the device isn't hot synced within a user-specified period of time.

RE: PDA Defense the Best Offense Against Stolen Data ?
I.M. Anonymous @ 11/19/2001 6:35:04 AM #
"The current version is v1.5 and has been in the market longer than PDA Defense."

You aren't right. PDA Defense is new name of PDA Bomb which was released at Jan 2001. BTW, PDA Defense uses transparent database decrypting in opposite to PDA Secure. This feature allows to resolve some conflicts between security application and 3-rd party application which accesses to the databases with another creator ID. Just read users opinion at Handango.com about PDA Secure.

Question

PIC mobile user @ 3/18/2002 4:13:42 PM #
Is there any program whose protects certain applications or progams once the system is unlocked, you know there is always budies who ask for playing the PDA and they end sniffing in your expense programs

Stay away from PDA Defense

djasonpenney @ 1/11/2003 1:07:27 PM #
DO NOT DOWNLOAD THIS APPLICATION! My teenager tried it on his Palm m105, and within two weeks his palm was so corrupted that he had to rebuild it completely from scratch. At the time I thought it may have been something else he did, so I just tried it on my Visor Neo. Within a week I started getting hard crashes after a HotSync, clicking on AvantGo raised an internal Preferences menu for another program, etc. I had to restore from a 2-week-old backup. STAY AWAY!!!

Top

Account

Register Register | Login Log in
user:
pass: