Jim Wolf
WASHINGTON: Handheld computers such as those using the industry leading Palm
Inc. operating system are increasingly vulnerable to hacker attacks and should
not be trusted to store "any critical or confidential information,"
security experts warned consumers on Thursday.
Peiter Zatko, chief scientist and vice president of @stake, Inc., a
Cambridge, Massachusetts, security engineering firm, and an @stake colleague,
Joe Grant, noted that the growing business use of personal digital assistants,
or PDAs, raises concerns about security.
"PDAs were designed for personal use but are now being used more for
business," Zatko told a computer security conference. "There's a
security boundary that's being crossed."
Grant, known as "Kingpin" in the computer security world, and Zatko
argued that data in the ubiquitous handhelds could be easily compromised,
notably through password retrieval, and that the devices themselves could be
used to carry viruses onto host systems and networks when they are synchronized.
"Many users do not recognize that the information stored on their PDA is
open to compromise by unauthorized users, and hence do not treat the data stored
on their handhelds with the same care as they do on their desktop," they
said in an article for a security symposium sponsored by the USENIX Association,
a computer professional group.
The authors said PDAs were being deployed by corporations and government
bodies such as the US Navy for security-related applications, including one-time
password generation, storage of medical records and confidential inventory
tracking.
Added wireless connectivity, such as infrared and radio frequency links,
increases the exposure to compromise, they said. "We conclude
that current state-of-the-art portable devices are not equipped for the threat
of viruses or other malicious code components," Zatko and Grant wrote.
The pair focused on devices running the Palm operating system because they
said it represented nearly 80 per cent of the global handheld computing market
despite what they described as fundamental security flaws. The Palm operating
system was designed to be open and modular to support third-party application
development.
Among those licensing the system are Handspring Inc., Sony Corp., IBM Corp.,
Kyocera Corp., QUALCOMM Inc., Franklin Covey Co. and Symbol Technologies Inc.
One major threat to such devices, the authors argued, is the relative ease
with which passwords can be retrieved from them.
They said it was possible to extract data from portable devices by reading
"raw memory" directly, or from the host system, where a copy of the data
sits after it has been backed up. "In officially sanctioned scans, the authors found that the passwords
chosen by users to protect data on their PDAs were the same as those being used
for critical corporate assets," they wrote.
The pair said the Palm operating system, in its current state, should not be
trusted to store "any critical or confidential information."
A Palm spokeswoman, Julia Rodriguez, said "as of today" viruses and
other malicious code had not posed a major threat to the broad base of Palm
users, who may total 10 million worldwide.
"We believe that as handhelds and other devices like phones, pagers,
even cars become increasingly connected through wireless or wireline connections
to the Internet and to email, the threat of malicious software will naturally
become greater than it is today," she said.
Contrary to the researchers' conclusion, the spokeswoman said, Palm handhelds
were by their nature more secure than computers with more complex operating
systems.
"There are safeguards built into the Palm operating system to
protect...user data on many levels, and this makes Palm handhelds by nature more
secure from suffering damage from viruses," she said.
(C) Reuters Limited 2001.