Palm OS Treo Security Vulnerability Posted

Symantec Vulnerability Research has posted a security advisory describing a new Treo data vulnerability. The researchers have found a method to bypass the Treo system password and locking mechanism using the Find feature.

The advisory states:

Palm OS Treo smartphones are equipped with a system password lock to secure contents of handheld data from unauthorized access. When this lock is engaged, Treo's built-in Find feature is still accessible and can be used to perform searches on text in Treo applications and databases (e.g. SMS Messages, Memos, Calendar, Tasks, etc). Search results are accessible, and depending on their size, may be truncated. An attacker may use this vulnerability to retrieve information from a locked device.

This same tactic can also be used to expose any data contained within the device's clipboard when locked.

Symantec says it notified Palm about the issue in August of 2006 and had it confirmed. The company says it has tested the Verizon, Sprint, and Cingular Treo 650 (Treo650-1.03a-VZW and Treo650-1.12-SPCS), the Cingular Treo 680, and the Sprint/Verizon Treo 700p phones.

The report states that Palm has decided not to fix or address the vulnerability. PalmInfocenter has requested a statement from Palm on the issue.


Article Comments

 (13 comments)

The following comments are owned by whoever posted them. PalmInfocenter is not responsible for them in any way.

How to reproduce?

joe77 @ 2/15/2007 4:22:13 PM # Q
Can anyone reproduce this? Just tried on a Treo 680 and can't see how this allows access to data, so maybe it's fixed on the 680. I can't access Find when the Treo is locked, and when it's unlocked I can't view any data from "private" records through the Find function - it just doesn't find them.

RE: How to reproduce?
dkirker @ 2/15/2007 4:24:34 PM # Q
I cannot reproduce any of the symptoms on a Verizon Treo 700p, Software version 1.06-VZW.

I tried accessing the find option while in a received call, and while in the make emergency call screen.

Apparently some Sprint Treo 700p owners can reproduce this (?).

RE: How to reproduce?
RedBrown @ 2/15/2007 4:25:24 PM # Q
I was able to duplicate it with Treo 700p. Since I use an application to store up to the last 7 saved words on the clipboard, and all of them can be seen while Treo is locked, it doesn't look good...

See the following article on treo|central for procedures: http://www.treocentral.com/content/Stories/1094-1.htm

RE: How to reproduce?
joe77 @ 2/15/2007 4:31:48 PM # Q
OK - I just read the advisory and reproduced on my 680. Nearly called the emergency services in the process! Have never used that function before so didn't realise that button took you straight through without needing to dial - be warned!
On incoming call managed to view first line of appointments, contact names, and subject line/sender of emails in Versamail whilst Treo was locked. Couldn't retrieve any data from "private" records though.
Disappointing that this wasn't fixed when first identified.

RE: How to reproduce?
RedBrown @ 2/15/2007 4:32:58 PM # Q
And my Treo 700p is Sprint.

RE: How to reproduce?
dkirker @ 2/15/2007 4:47:20 PM # Q
I retract my statement. I had Genius installed. With it disabled, I can access the find feature.


'Palm has decided not to fix or address the vulnerability.'

Gekko @ 2/15/2007 5:47:27 PM # Q

"Palm has decided not to fix or address the vulnerability."

Classic! If this was MSFT's reply, you apologists would be rabid.


At least a temporary fix

dkirker @ 2/15/2007 6:16:22 PM # Q
Ok, so I have come up with a "temporary" fix.

Check out this post at Treocentral (starting at post #11): http://discussion.treocentral.com/showthread.php?t=136942

RE: At least a temporary fix
ChiA @ 2/15/2007 10:13:34 PM # Q
Congratulations on accomplishing in a few hours what the entire Palm corporation failed to, perhaps was even unwilling to do in several months.

Now we know just how much regard Palm has for the security of Treo users' data.

RE: At least a temporary fix
twrock @ 2/16/2007 12:14:28 AM # Q
I seriously admire smart people. And I even more admire smart people who actually are willing to "give it away"! Nice job. (And I don't even own a Treo.)


Thinking about Vista? Think again: http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.txt

RE: At least a temporary fix
joad @ 2/16/2007 5:15:40 PM # Q
I can't recall one time that Palm ever reacted to a problem exposed on one of their devices by saying they'd work on an immediate fix.

In fact, almost always they deny it's a serious problem and/or blame their users for finding it, and/or say they will never never fix it. They often relent after we scream loud enough or the mainstream reviewers begin to make it an issue that affects their PR.

It would really be refreshing if Palm would someday change their tact and just acknowledge the issues and get cracking on a solution, rather than leaving it to us to complain and/or third-party developers to fix it for them. The fact that one guy has already hacked together an attempt at a fix for this makes Palm's reaction to this discovery absolutely pitiful.

Certainly they must still have an engineer or two employed at Palm that isn't solely focused on deciding which hardware button to move around on the next model...


Treo 600 affected too

Tamog @ 2/16/2007 11:58:34 AM # Q
Hi Folks,
looks like this issue is BIG - my Treo 600 is affected too.

Now all we need is someone who can perform tests on the OS4 Treos...

Best regards
Tam Hanna

Find out more about the Palm OS in my blog:
http://tamspalm.tamoggemon.com

RE: Treo 600 affected too
Toysoft @ 2/16/2007 1:48:14 PM # Q
check out our SecureX security/encryption tool www.toysoft.ca/securex.html

