PalmInfocenter.com - Palm Software, News & Reviews

Handhelds Might Be a Security Risk

Posted By: Ed on Monday, January 22, 2001 10:08:14 AM

vnunet is quoting security consultants @stake, who point out that Palm handhelds are vulnerable to having passwords stolen from them wirelessly. @stake has written an app, Notsync, that takes advantage of the Palm's ability to HotSync via its infrared port. Notsync tricks a Palm into thinking it is connected to its owner's PC, rather than a hacker's PDA. The hacker then downloads the target's password.

While this simple app doesn't try to grab any other information off the target Palm, it is a fact that many people use the same password for everything, including accessing secure corporate networks.

Notsync's author, the vice president of R&D at @stake, said, "Wireless is extending the frontier of the corporate network and lowering the level of security, while magnifying the problems." But he added, "We're not trying to scare anyone here. We're trying to stress that companies must adopt a strategic approach to wireless security."


Article Comments
   10 total comments


 Well put
I.M. Anonymous @ 1/22/2001 8:19:42 PM #

However I think the major problem is that to integrate something like a public/private key system into hotsync isn't feasible due to the fact that the Palm processors are only 16-20 MHz and this form of encryption is rather processor intensive.

Also if Palm supplied 128 bit (or higher) encryption into its IR functions then it couldn't export them out of Canada and the US so you can't really blame them for not trying.

 128-bit encryption is exportable...
I.M. Anonymous @ 1/25/2001 4:05:59 PM #

...except for places like Cuba and Iran, etc.

 Only as secure as...
nospam@home.go @ 1/23/2001 2:13:00 AM #

Only as secure as practices. After my going to a palm-related show and finding I had acquired 50 new contacts, I set my "beam" preference off. (I also lock my car door).
 Keep it on you
Queen Of Swords @ 1/23/2001 6:14:08 AM #

My palm is only a security risk when they pry it out of my cold, dead fingers. If you keep it with you at all times, and have a cover that obscures the IR port, this new trick is easily prevented.
 ?
I.M. Anonymous @ 1/23/2001 11:23:40 AM #

This seems rather a non-issue. Unless I am mistaken, and someone please correct me if I am, you must initiate a hot synch from the Palm or its cradle. No one is going to be able to surreptitiously come up to you and steal your data without your active [and ignorant] involvement. While it (sounds) feasible that you could trick a Palm into thinking it was synching, the above exploit would require a series of events and a setup that is just plain unlikely...

 Let's get real
George Brink @ 1/23/2001 11:58:27 AM #

Putting this in perspective, the risk is only if you Hotsync by IR and I think most people who do this might just spot someone standing less than a metre away pointing their Palm at you while you sync.
 Bluetooth
GrouchoMarx @ 1/23/2001 2:53:45 PM #

OK, it may seem crazy now. But just wait for when Palms come Bluetooth enabled, or 802.11b enabled. Automatic, wireless, transparent networking with any other device within 10 meters that it can find. With the current state of Palm security, that's a big neon "hack me" sign.

--GrouchoMarx

 RE: Bluetooth
PMYirrell @ 1/23/2001 5:49:00 PM #

So maybe people should find other places than their Palm to store sensitive data!! Otherwise someone will have to develop VERY good encryption or security software. Maybe if Palm made it impossible to transfer memos etc., when they are marked private.
Anyone know if this would be possible?

 Beam, Off!
BruceHP @ 1/24/2001 8:30:38 AM #

If you turn off your "Beam Receive" and store any private info in a program like Secrete! you shouldn't have any problem, should you? Thanks!
 Very well put
I.M. Anonymous @ 1/24/2001 2:22:04 PM #

(nt)