If you and other employees in your organization have sensitive data stored in your Palm OS-based PDA, you may think you’ve got it secured with a well-enforced password policy and the system lockout feature. Think again. Unfortunately, there is a known back door built into Palm OS PDAs that could potentially expose your sensitive data to anyone who can get physical access to your Palm.
What’s the problem?
Even if you have activated the system lockout feature on your Palm, a relatively simple hack can give someone source-level debugging access to your applications and allow the hacker to access information in your PDA’s databases.
Who does this affect?
The problem affects anyone who has confidential information on a Palm OS 3.5.2 and earlier Palm-compatible PDAs (this includes all current models).
There are two elements to this threat:
- The Palm OS includes a developer’s back door that operates only through the RS232 (serial) port. All it takes to enter the console debugger mode of the Palm OS is a simple Graffiti three-keystroke combination (see chapter 2, “Using Palm Debugger,” in Palm Development Tool Guide—which is a free download). That will give anyone code-level access to the applications and data stored on the device.
- The password protection built into the Palm OS is actually very weak. The back door can let someone copy your encrypted password and, although it would be irresponsible of me to explain the procedure here, suffice it to say that the password can be cracked relatively easily.
In addition to exposing your files to someone if your Palm is lost or stolen, this particular hack, which is really just accessing developer tools, opens up the possibility of someone with clandestine access to your unit making concealed alterations to your files or even to your applications.
Some of the more important console and debug commands include the following:
- Changerecord—Lets someone undetectably replace individual database records
- Dir—The old DOS directory function that quickly displays everything contained in a PDA
- Saveimages—Copies the entire contents of the PDA
- Import—Can move a database from a PC to the Palm with no record left in the log
You can see that these are dangerous commands if a hacker gets his or her hands on your PDA. Even worse, there is no evidence left when a PDA is altered in the developer debug mode. A quick soft reset and all traces are gone.
If this doesn’t worry you because you keep a close watch on your PDA, remember that other people—such as your doctors and lawyers, your fellow employees, and your friends—may all have confidential information about you on their PDAs.
What can you do?
Probably the most important step you need to take is to make everyone in your organization aware of this major hole in Palm OS security so they can take steps to further secure their PDAs with file encryption software or remove the most confidential data from all company PDAs.
You should also spread the word to friends that, as shipped, any Palm OS-based PDA has this vulnerability.
An upgrade to Palm OS 4.0 will probably remove this flaw. But the upgrade isn’t due for months, and no one actually knows yet whether this will be fixed. After all, this wasn’t simply an oversight on the part of the Palm OS developers. It is an important developer’s tool needed to create software for the PDA, so Palm may leave it in.
Since this back door is not a mistake but an intentional feature of Palm OS for use by developers, it’s not a security flaw in the sense of the newly discovered holes that are always popping up in Windows, NetWare, Linux, and other software. This is only now becoming widely known to security personnel and the wider hacker community, so we should look for the threat to increase exponentially in the near future.
If you need details of how the Palm OS works in order to determine the level of risk posed by this or other Palm software, you should download the free Palm Development Tool Guide. At the very least, you need to look through this document to determine whether a PDA is really suitable for storing your organization’s confidential information. For further details on this security flaw, you can also visit www.atstake.com, specifically, http://www.atstake.com/research/advisories/2001/a030101-1.txt.
How do you feel about the security of your Palm?
We look forward to getting your input and hearing your experiences regarding this important topic. Join the discussion below or send the editor an e-mail.