Comments on: Palm OS Treo Security Vulnerability

Symantec Vulnerability Research has posted a new security advisory on a new Treo data vulnerability. The researchers have found a method to bypass the Treo system password and locking mechanism using the Find feature. The advisory states:

Palm OS Treo smartphones are equipped with a system password lock to secure contents of handheld data from unauthorized access. When this lock is engaged, Treo's built-in Find feature is still accessible and can be used to perform searches on text in Treo applications and databases (e.g. SMS Messages, Memos, Calendar, Tasks, etc). Search results are accessible, and depending on their size, may be truncated. An attacker may use this vulnerability to retrieve information from a locked device.
Detailed Comment View (13 Total Comments)
joe77 @ 2/15/2007 4:22:13 PM
Can anyone reproduce this? Just tried on a Treo 680 and can't see how this allows access to data, so maybe it's fixed on the 680. I can't access Find when the Treo is locked, and when it's unlocked I can't view any data from "private" records through the Find function - it just doesn't find them.

RE: How to reproduce?
I cannot reproduce any of the symptoms on a Verizon Treo 700p, Software version 1.06-VZW. I tried accessing the find option while in a received call, and while in the make emergency call screen. Apparently some Sprint Treo 700p owners can reproduce this (?).

RE: How to reproduce?
I was able to duplicate it with Treo 700p. Since I use an application to store up to the last 7 saved words on the clip board, and all of them can be seen while Treo is locked, it doesn't look good... See the following article on treo|central for procedures: http://www.treocentral.com/content/Stories/1094-1.htm

RE: How to reproduce?
OK - I just read the advisory and reproduced on my 680. Nearly called the emergency services in the process! Have never used that function before so didn't realise that button took you straight through without needing to dial - be warned! On incoming call managed to view first line of appointments, contact names, and subject line/sender of emails in Versamail whilst Treo was locked. Couldn't retrieve any data from "private" records though. Disappointing that this wasn't fixed when first identified.

RE: How to reproduce?
I retract my statement. I had Genius installed. With it disabled, I can access the find feature.
"Palm has decided not to fix or address the vulnerability." Classic! If this was MSFT's reply, you apologists would be rabid.
Ok, so I have come up with a "temporary" fix. Check out this post at Treocentral (starting at post #11): http://discussion.treocentral.com/showthread.php?t=136942

RE: At least a temporary fix
Congratulations on accomplishing in a few hours what the entire Palm corporation failed to, perhaps was even unwilling to do in several months. Now we know just how much regard Palm has for the security of Treo users' data.

RE: At least a temporary fix
I seriously admire smart people. And I even more admire smart people who actually are willing to "give it away"! Nice job. (And I don't even own a Treo.) Thinking about Vista? Think again: http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.txt

RE: At least a temporary fix
I can't recall one time that Palm ever reacted to a problem exposed on one of their devices by saying they'd work on an immediate fix.

In fact, almost always they deny it's a serious problem and/or blame their users for finding it, and/or say they will never never fix it. They often relent after we scream loud enough or the mainstream reviewers begin to make it an issue that affects their PR. It would really be refreshing if Palm would someday change their tact and just acknowledge the issues and get cracking on a solution, rather than leaving it to us to complain and/or third-party developers to fix it for them. The fact that one guy has already hacked together an attempt at a fix for this makes Palm's reaction to this discovery absolutely pitiful. Certainly they must still have an engineer or two employed at Palm that isn't solely focused on deciding which hardware button to move around on the next model...
Hi Folks, looks like this issue is BIG - my Treo 600 is affected too. Now all we need is someone who can perform tests on the OS4 Treos... Best regards

RE: Treo 600 affected too
check out our SecureX security/encryption tool www.toysoft.ca/securex.html