Palm PDA threat to network security

Palm PDA threat to network security [via Security Focus]:

Palm’s debugging program can be exploited by anyone willing to read the Palm OS developer’s manual online and connect a PC to a Palm. The program is installed on every device and is intended to be used only by application developers and technical support.

The program allows anyone to type in commands such as ‘coldboot’ to wipe all data from the device, or ‘export’ to copy everything onto another computer. The program can also be used to access a user’s Palm password.

An attacker could copy the contents of the average Palm in about five minutes and decrypt a password in a few seconds.

Beyond the commercially sensitive data that network managers tend to keep on their PDAs, a Palm device that exchanges data with a network could also be used to crack into a classified network.

“It is not possible to employ a secure application on top of an insecure foundation,” said Wysopal. “Because the Palm OS is inherently insecure, methods to completely secure data are moot. A Palm device should not be left unattended, or loaned to a potentially untrustworthy colleague,” Wysopal added.

@Stake recommends that Palm users either glue a piece of plastic over the Palm’s serial port connector, leaving the infra-red port as the only method of synching, or disable the Palm’s port by opening the case and cutting the specific RS232 lines.
