Comments on: Unofficial Fix For Recent Treo Security Hole

PIC reader and Palm OS developer Donald Kirker has released a patch for the Treo security vulnerability recently disclosed by Symantec. Previously, one could bypass the Treo's security lockout while on a call and use the Find application to search the databases for public records, potentially exposing sensitive information. The new patch disables the Find application while the device is locked, protecting your data from prying eyes.

Please note this is an unofficial patch, created by an independent developer and is not supported by Palm in any way. Use at your own risk!

 :)

d_aveFromCA @ 2/17/2007 12:01:08 PM #

Once again the user community springs into action.

http://www.tabletgear.com
http://www.beamtest.com

 RE: :)

cervezas @ 2/17/2007 12:35:30 PM #

Nice work, Donald. And quick! :-)

David Beers
Pikesoft Mobile Computing
www.pikesoft.com/blog

 nice work, Palm

joad @ 2/17/2007 4:07:51 PM #

"The report states that Palm has decided not to fix or address the vulnerability."

I guess once Palm poops the devices out the door, we're on our own. I guess you can't expect much support on a simple $600.00-700.00 phone.

 Warm reset still defeats this

ralvy @ 2/18/2007 2:43:48 PM #

Of course, as expected, a warm reset will defeat this. It really needs to be added to ROM by Palm itself.

 RE: Warm reset still defeats this

dkirker @ 2/18/2007 9:10:01 PM #

Yeah. Not much I could do in this event.

What Palm really needs to do is add a couple lines of code to their button handler.

 RE: Warm reset still defeats this

ralvy @ 2/18/2007 9:20:02 PM #

I agree. You've done all that can be done outside a ROM patch. The Palm user community thanks you.

 Patch needs to be locked

ralvy @ 2/19/2007 8:59:28 AM #

Looks like this patch needs to be locked, according to PalmInternals:

http://mytreo.net/forum/index.php/topic,47411.0.html

 RE: Warm reset still defeats this

dkirker @ 2/19/2007 12:44:28 PM #

Yeah, I think I mentioned locking it on the discussion thread that is linked above.

 RE: Warm reset still defeats this

dkirker @ 2/19/2007 12:46:29 PM #

Here is where I note it: http://discussion.treocentral.com/showpost.php?p=1199476&postcount=17

Maybe I will throw up a small site.

 RE: Warm reset still defeats this

ralvy @ 2/19/2007 6:42:14 PM #

Hmmm...I didn't know this was discussed before. I thought a .prc can be created that locks itself, ridding the person of the necessity of using Resco Locker, or something like that.

 RE: Warm reset still defeats this

dkirker @ 2/19/2007 11:04:26 PM #

I plan on having the fix lock itself into memory.

 Palm aint that bad

vetdoctor @ 2/18/2007 2:39:40 PM #

At least I can try and give palm some moral support.

If a developer releases a free fix and says, " I'm not responsible"

Brainiac

 don't worry....

joad @ 2/19/2007 1:41:09 AM #

I'm sure that by 2009 or so we'll get that anticipated firmware update, maybe by then Palm will have relented and fixed this too.

 Serendipitous security fix

joelforman @ 2/21/2007 7:01:16 PM #

I have discoverd that If you have Findhack (I have Ver. 4.0.6) installed on your Treo 680 and try to use the find function while the device is locked and either making an emergency call or while talking on a received call that the device soft resets! No info is ever displayed and the FindHack app is still active after the reset. Thus If you have FindHack installed and active you are not vulnberable to this security issue.

Tested on an unlocked Treo 680 on T-Mobile with FindHack 4.0.6

Joel