|"This trend toward smart devices ... is likely to provide long-term benefits to the cause of information security.... "|
I freely admit to often watching the cartoons with my children, and often laughing louder than they do. One of my favorites has always been Inspector Gadget, and the seemingly endless number of handy, albeit often inappropriate, devices he could produce from beneath his hat and trench coat. I often feel the same sort of wonder in the real world, as each day brings a new assortment of information appliances and gadgets, aiming to bring simplicity and productivity to the wired among us.
As one of many people who has tried too long and too hard to realize all of my productivity gains on the back of an overworked PC, I am happy to try to find other solutions. Personal Digital Assistants and smart phones are the most popular of the new devices that let us take our work with us - that untether us from the corporate LAN and allow for a truly plug-and-play future.
|"In order to add satisfactory security to your PalmPilot, you must search out 3rd party software to add the necessary components. "|
This trend towards smart devices, as opposed to running everything through a PC, is likely to provide long term benefits to the cause of information security as well, as simplicity in design is one of the best friends to security. However, as anyone who has had a firecracker blow up in their hand can tell you, size does not matter and many simple gadgets pack an amazing amount of power. With that comes a threat to a corporate LAN, if the issue is not properly understood. In this article, we will look at the most common of these devices, the ubiquitous PalmPilot from 3Com.
Personal Digital Assistants, such as PalmPilots and Pocket PCs, pose a security threat for a number of reasons: they are relatively new; their small size and low cost make them easy to obtain and difficult to control; they have tremendous connectivity and storage capabilities; and most of all, they are extremely popular.
It is a breeze for even a novice computer user to setup a PalmPilot to synchronize data with a desktop PC. The challenge isn't just the hidden sophistication of these devices, but the decentralized manner by which they are obtained. Whether or not you have a few of these productivity tools floating around your company, it is a good idea to understand the security issues and know how to secure them.
In a nutshell, these are the major security topics of discussion we hear regarding PalmPilots: their lack of security by default; their poor user practices; their potential use by criminals; and the possibility of viruses and other mainstream malicious code being written for and adapted to the PalmOS environment.
Insecure by Default
If you are a devoted PDA user and misplaced your bags on a trip, your first fear may be losing your wallet, but fright number two is probably worrying about what would happen if someone got hold of your PalmPilot. Typically, a person who finds a PalmPilot will be able to view everything that is on it without so much as entering password: a shrunk-down version of a corporate spreadsheet, credit card numbers, passwords to the company mainframe, even your significant other's phone number and birthday.
|"If someone gains unauthorized access to a PalmPilot, there are no inherent encryption capabilities to protect individual files. "|
The PalmPilot is not a device that you would consider "secure by default. The security application allows you to lock your PalmPilot with password protection, but it is not possible to make this the default operating mode for your PDA. Rather, you must manually select the locking option from the security program before it automatically powers off, or it will be unprotected. Consequently, most PalmPilots are not normally locked down. When passwords are used, they are not masked upon entry, allowing people to use the old "shoulder surfing" method to get your password. In order to add satisfactory security to your PalmPilot, you must search out 3rd-party software to add the necessary components.
Several software packages are available to automatically lock down the PalmPilot after a predefined period of inactivity, and require authentication to regain access to the system. Two popular choices that I have used successfully are TealLock! and OnlyMe. Both applications provide the needed functionality lacking in the core PalmPilot. In addition to automatically locking the PDA, they also mask passwords upon entry to prevent visual snooping. Additionally, you can input owner information, so, on the odd chance that an honest person finds your PalmPilot, he will know where to send it.
In addition to these simple systems for locking down your PalmPilot, we are beginning to see biometric products for restricting access. Taking advantage of the stylus input feature, a product called CIC Sign On uses signature verification to create a logon utility for PalmPilots.
Use Secured Applications
|"My PalmPilot is also my VCR remote control. "|
Even if a PDA user is diligent about physically protecting their PalmPilot or has implemented a lockout system, they may not have their information stored securely. If someone gains unauthorized access to a PalmPilot, there are no inherent encryption capabilities to protect individual files, although you can use a password to hide records marked as private.
A common security problem is using the stock memo pad utility for storing sensitive information. This application has no built-in security, but again there are 3rd-party products to do the job. There are two categories of applications that I would like to highlight for you Inspector Gadget wannabes - Secure Memo Pads and Secure Account Managers. Memo Safe is a very simple to use application. It is very similar to the stock Memo Pad application, but allows you to selectively encrypt memos, using the SAFER SK encryption algorithm.
Memo Safe is very simple to use application. It is very similar to the stock Memo Pad application, but allows you to selectively encrypt memos, using the SAFER SK encryption algorithm.
Certicom, well known as the developer of Elliptical Curve Cryptography (ECC) toolkits and solutions, has developed a freeware replacement for the Memo Pad application called Secure Memo Pad Encryptor. Certicom claims that this is a "workalike" replacement for the Memo Pad, capable of performing 163-bit ECC encryption.
Because people use PDAs as "little black books" of sensitive information, applications have emerged specifically for the secure storage of account numbers, passwords, PINs, etc. Secret! is a quick and simple utility for storing these records, and uses 128-bit IDEA encryption. Mobile Account Manager is a similar application; although it's not as speedy, it has more features, including a nice desktop PC interface. Mobile Account Manager uses the SAFER encryption algorithm. CryptInfo is another nice option, using Triple DES for encryption security.
Palms for the Bad Guys
|"My PalmPilot is also my VCR remote control. "|
|"It will likely take a Melissa-type issue to sell anti-virus solutions for the PalmPilot. "|
Beyond their relatively insecure architecture that can pose a threat to legitimate users, PalmPilots can also be handy tools for the bad guy. Their small size, pervasiveness and "instant" boot-up make them nice devices to sneak in and turn on for a variety of uses. Their robust connectivity capabilities can allow them to be used as a tiny network sniffer; they can "learn" some infrared codes to intercept data or control devices (my PalmPilot is also my VCR remote control) or they can simply provide a tiny platform for manually recording sensitive data.
Tools that can be used responsibly can be used for malicious behavior as well. An interesting possibility that was raised late in 1998 was the scenario of using a PalmPilot in the commission of crimes. According to the British science publication New Scientist, a PalmPilot equipped with "learning" remote control software can capture the codes used to unlock doors or cars that use infrared signals. Most cars use an incompatible radio frequency system and/or "code shifting" that changes the code each time it is used.
The hacker group L0pht Heavy Industries has done development work with the PalmOS platform and has devised a war-dialer for the PalmPilot, allowing you to scan a phone system or a range of phone numbers for answering modems.
Although it hasn't happened yet, PalmPilots are in theory susceptible to viruses and malicious code. The HotSync process used to add applications and to transfer data could be an easy conduit for Trojan horse programs. Anti-Virus companies are looking at the issue and doing research, although no software packages are currently available. It will likely take a Melissa-type issue to sell anti-virus solutions for the PalmPilot, as spare system resources can be minimal on a PDA. It could be that part of the solution will be desktop-based - checking the code before it gets downloaded via HotSync. However, as more and more PalmPilots go wireless, another communications conduit will be opened and another vulnerability exposed.
Even though PalmPilots can be misused, it is difficult to identify anything an IT security manager could do to defend against PDA-based threats, above and beyond what should already be done to maintain overall systems security. You should develop an awareness of any infrared technologies you are using. Identify anything that uses an IR signal to get unlocked, and verify that it uses a technique that cannot be "learned" by a PalmPilot.
PalmPilots are one of the better gadgets that do not reside solely in the cartoons. They are wonderful productivity tools, and you can have mine as soon as you can pry it out of my cold, dead hand. You will not be able to banish them from your network, but can instead take steps to keep your data out of the palms of the bad guy's hands.
SecurityPortal is the world's foremost on-line resource and services provider for companies and individuals concerned about protecting their information systems and networks.
The Focal Point for Security on the Net (tm)