Passwords don't protect Palm data

People who rely on passwords to keep strangers from poking through the data stored on their Palms actually have no protection at all, a network security company warns.

In an alert posted Thursday, @Stake pointed to a back door in the Palm operating system that allows anyone with developer tools to access data on handhelds that have been "locked" with a password.

If someone finds or steals a Palm, the owner's data is basically an open book. And the theft of mobile devices for their data is becoming more common.

"This is the nail in the coffin of the notion that the Palm has any security for your data," said Chris Wysopal, director of research and development for @Stake.

"Any attacker with a laptop and a serial (syncing) cable is pretty much able to access everything on the device," he said.

Handspring's Visor handhelds and Sony's Clie use the Palm OS.

Palm representatives would not immediately comment on the advisory.

The security flaw is actually in the OS for a reason. Palm software engineers and many of its application developers use the back door to debug applications running on the handheld. Many of them do not consider it to be a security issue, Wysopal said.

However, few people who use the devices realise that using a password will keep only the casually curious from looking at their data.

For that reason, @Stake said, it released the warning.

"It's equivalent to adding a password to your PC's screensaver. There's no true security in that," said Wysopal, who is known in the security community by his hacker handle, Weld Pond.

Last September, @Stake discovered that the encrypted password used by Palm OS to protect so-called private records from prying eyes could easily be broken. With the discovery of the latest back door, it would seem that no data is safe.

With a laptop loaded with developer tools and a sync cable, anyone who obtains access to a handheld can access the owner's data, add or delete applications, and format the memory card.

Even Palm handhelds protected by encryption software could be compromised by using the back door to load a program to record all passwords as they are entered.

Wysopal warned that weak Palm security could lead to other compromises as well.

"You have corporate administrators keeping their company's critical passwords on their Palm because they think it is secure," he said.

The back door affects all current versions of the Palm OS, Wysopal said. Palm OS 4.0, due later this year, is expected to correct the problem.


Talkback 1 comments

    I have just heard some bad new ...Edward Green -- 07/03/01

    I have just heard some bad news.

    It would seem that my sensitive data is not as secure as I thought.
    Apparently my locking briefcase can be forced open with simple tools
    available from any Hardware shop. With a device that is as easy to pick up
    as a briefcase I am surprised that manufacturers of these briefcases haven't
    included more extreme measures to deter thieves - they must be available - I
    have seen them on James Bond.

    I have had no choice but to recommend to all my clients and friends that
    they "neuter" all briefcases by encasing them in lead and welding them shut.
    Until briefcase manufacturers respond, briefcases are not a secure means of
    transporting information.

    --
    Edward Green
    --
    kHiTeDev
    http://www.khite.co.uk
