Your Palm isn't as secure as you think...
Aug 27 '01 (Updated Sep 05 '01)
The Bottom Line: You should make yourself aware of the potential ways that security holes in the Palm OS can be exploited, so that you can protect the data stored on your PDA.
The Palm (and other PDAs) are becoming a ubiquitous tool in today's fast-paced business world. You see lots of people use them in meetings, on the road, on the subway, in the office, and just about anywhere you go. They are truly useful devices (I have one myself), as you can store all of your life's information in them. However, as handy a place as it is to keep all your data, there is something that you should know about.
That issue is security. Most people are not aware that the Palm Operating System is NOT a secure place to keep your private data, even with the use of the included Security application and system lockout. To demonstrate these weaknesses, I will give several examples of software and/or websites that exploit them to bypass the security entirely. Please be clear that PDAs from several manufacturers use the Palm OS, including Palm, Qualcomm, Kyocera, Handspring, and Sony.
I was made aware of these issues last week when my boss's Palm became locked and he couldn't remember the password. Plus he hadn't synced in over 3 months! Searching the Internet for a solution to crack it really opened my eyes to the insecurity of the Palm platform.
Private parts
In the first example, consider a Palm to which a password has been assigned and on which several records have been marked "private." Under normal circumstances, these records cannot be viewed unless the password has been entered. However, in this state the Palm is very insecure, because programs can still be loaded (or synced) onto it. Take the program called pCrack, available for download at http://www.jkware.com/ - this tiny program can be quickly loaded on a Palm and used to decrypt and display the password on the screen, after which pCrack can be deleted without the PDA owner's knowledge. You can download the program and try it yourself. This is very dangerous, since most people do not change their passwords on a frequent basis unless forced to by a system administrator. Once a person has your password, they can access the private data on your Palm on a regular basis.
Barn door left wide open
In the second example, let us consider a Palm which has been placed in System Lockout mode (i.e., my boss!). This can be activated by going to the Security application and picking "Turn off and lock." In this state, the Palm is fairly secure, since no programs can be synced to it and it will not do anything until the password is entered. However, even this is not 100% secure. A document located at http://www.atstake.com/research/advisories/2001/a030101-1.txt explains how to download a file off the Palm even while it is in system lockout. That file can then be decrypted at the attacker's leisure, as it uses a very weak encryption algorithm. In this manner it is very easy to obtain the password. I can attest that this works, as I have been able to crack the password on my own Palm using this method!
Beam me up, Scotty!
In the third example, a simple program called NotSync, explained in further detail here: http://www.vnunet.com/News/1116644 , can allow anybody to download your password using the infrared ports on your and their Palm devices! It does this by fooling the targeted Palm into thinking it is HotSyncing with its desktop cradle. In reality, it is sending the HotSync handshaking information (which contains the password) to a malicious Palm user instead!
Du-uh
In yet another example, http://www.securityfocus.com/bid/2398 explains a rather trivial "hack" that can be used to bypass the password of the Palm Desktop software entirely, allowing anybody to read all your private records!
What can I do?!?
So you're probably wondering, "This is pretty scary! What can I do to protect myself?" There are several steps to take:
Make sure you have an assigned password
In the Security application, ensure you have assigned a password. If you do not, then anybody can come along, assign a password, and lock your Palm. At that point, you will have to either do a hard reset (and lose everything) or try hacking into your Palm using one of the methods described above.
Turn off your infrared port
By going to the Preferences application, you can disable the infrared port. This prevents people from beaming your password off your Palm. Most people don't use the infrared port on a regular basis, so this isn't a big deal for most.
Don't store sensitive info in the first place
I know it's so convenient to use your Palm to store stuff like your Social Insurance Number, credit card numbers, passwords to Internet sites (like epinions.com) and the like. But if you don't have anything like that on your Palm, then there's nothing to be hacked.
Physically Secure your PDA
Leaving your Palm lying around is asking for trouble. Keep it on your person at all times if you can. Otherwise, keep it locked up in a desk drawer or at least in a briefcase. Worse still, somebody may steal it outright, even if they aren't interested in the data it might contain.
Use a third party encryption package
You can store private information on your Palm and keep it private through the use of third-party software that uses stronger encryption than what is found standard on the Palm. I use a program called STRIP, which stands for Secure Tool for Recalling Important Passwords. I use it to store all my passwords, PIN numbers, credit card numbers, and other private information that I don't want anyone to see. I can trust it since it uses 256-bit DES encryption, which is a very strong encryption scheme that would take a very long time to crack (in the order of years). This program is freeware and it can be downloaded here: http://www.zetetic.net/products.html
If you're really paranoid, you can download 4Tnox from here: http://www.fortsoft.com/4tnox.htm - this program is similar to STRIP except it uses 448-bit encryption. This encryption is not likely to be cracked in your entire lifetime. 4Tnox is available as shareware.
You should make yourself aware of the potential ways that security holes in the Palm OS can be exploited, so that you can protect the data stored on your PDA. I hope you have found this information useful so that you can trust your PDA to keep your secrets secret, the way it should be!
I want to hear from YOU!
If you are aware of any other security exploits which I have not written about in my review, please post them here and I will rewrite my review to include them!
Thank you for your support.
Epinions.com ID: macgyver24
Member: Corey R