PDAs increasingly vulnerable to hackers

posted on August 17, 2001
by hitbsecnews

Handheld computers are increasingly vulnerable to hacker attacks and should not be trusted to store "any critical or confidential information," security experts warned Thursday.

Peiter Zatko, chief scientist and a vice president of @Stake, a Cambridge, Mass.-based security-engineering firm, and Joe Grand, an @Stake research scientist, noted that the growing business use of personal digital assistants (PDAs) raises concerns about security.

Security firms have been making similar warnings for some time.

"PDAs were designed for personal use but are now being used more for business," Zatko told a computer security conference here. "There's a security boundary that's being crossed."

Zatko and Grand asserted that data in handhelds can be easily compromised, notably through password retrieval, and that the devices themselves could be hijacked to spread viruses after being synchronized over networks.

"Many users do not recognize that the information stored on their PDA is open to compromise by unauthorized users and hence do not treat the data stored on their handhelds with the same care as they do on their desktop," Zatko and Grand wrote in an article for a security symposium sponsored by the USENIX Association.

Corporations and government groups such as the U.S. Navy are using PDAs for security-related applications, they said, including one-time password generation, storage of medical records and confidential inventory tracking.

The added functionality of wireless technologies such as infrared and radio frequency links boosted the threat of compromise, they said.

"We conclude that current state-of-the-art portable devices are not equipped for the threat of viruses or other malicious code components," Zatko and Grand wrote.

The pair focused on devices running the Palm operating system because they said it dominates the global handheld market despite what they described as fundamental security flaws.

The Palm operating system was designed to be open and modular to support third-party applications development.

Among those licensing the system are Handspring, Sony, IBM, Kyocera, Qualcomm, HandEra and Symbol Technologies.

One major threat to such devices, the authors asserted, is what they called the relative ease with which passwords may be retrieved. They said it is possible to extract data from portable devices by reading "raw memory" or from the host system after such data had been backed up.

"In officially sanctioned scans, the authors found that the passwords chosen by users to protect data on their PDAs were the same as those being used for critical corporate assets," they wrote.

The pair said the Palm OS, in its current state, should not be trusted to store "any critical or confidential information."

Palm spokeswoman Julia Rodriguez said viruses and other malicious code have not posed a major threat to the millions of Palm owners.

"We believe that as handhelds and other devices like phones, pagers--even cars--become increasingly connected through wireless or wireline connections to the Internet and to e-mail, the threat of malicious software will naturally become greater than it is today," she added.

Contrary to the researchers' conclusion, the spokeswoman said, Palm handhelds were by their nature more secure than computers with more complex operating systems.

"There are safeguards built into the Palm operating system to protect...user data on many levels, and this makes Palm handhelds by nature more secure from suffering damage from viruses," she said.

CNET

Source

Tags

Wireless
