Palm's HotSync allows remote attackers to gain access to Palm without authentication
8 Jan. 2000
Summary
Palm's new Desktop support (for Windows) enables Palm owners to HotSync with their Palm Desktop even when they are outside the office, over a simple Internet connection. However, no real authentication is performed when synchronizing. This serious hole allows remote attackers who know the user name of the handheld Palm and the IP address of the machine running the Palm Desktop to download all information currently stored in the Palm Desktop (including emails, appointments, secret information, etc.) and to upload information of their own.
Credit:
The information was provided by: Jason Spence.
If you have Network HotSync enabled on your machine, a malicious user who knows your name (e.g. John Smith) and the IP address of your machine (e.g. 1.2.3.4, or jsmith.company.com) can change the name on his or her own Palm Desktop to John Smith and then perform a Network HotSync against your IP. This allows him or her to download your emails, send emails as you, and perform any function that you can. There is no password or authentication of any kind.
Temporary workaround:
Block all access to HotSync from untrusted Internet hosts (outside of the local Intranet). Network HotSync uses ports TCP 14237 and UDP 14238; if these are blocked at the perimeter, no remote Network HotSync can be done. Also, confirm that you actually need the Network HotSync option at all, since local Intranet users can still 'spoof' your HotSync connection.
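As an added example (not part of the original advisory), the following Python script checks a connection log for Network HotSync traffic on TCP 14237 / UDP 14238 arriving from outside the Intranet, which is exactly the traffic the workaround says must be blocked. The log format and the sample lines are constructed, and the Intranet is assumed to be the RFC 1918 private ranges; adjust both to your site.

```python
import ipaddress
import re

# Ports used by Network HotSync, as stated in the advisory.
HOTSYNC_PORTS = {("tcp", 14237), ("udp", 14238)}

# Assumption: the local Intranet is the RFC 1918 private address space.
INTRANET = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed (hypothetical) connection-log format:
# "<timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
LOG_RE = re.compile(r"^(\S+)\s+(tcp|udp)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$")


def is_intranet(ip_text):
    """True if the address lies inside one of the configured Intranet ranges."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparsable source is treated as untrusted
    return any(addr in net for net in INTRANET)


def hotsync_attempts(lines):
    """Return (timestamp, proto, src_ip, dst_ip) for each connection to a
    Network HotSync port; lines not matching the log format are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, proto, src, _sport, dst, dport = m.groups()
        if (proto, int(dport)) in HOTSYNC_PORTS:
            hits.append((ts, proto, src, dst))
    return hits


def external_hotsync_attempts(lines):
    """Only the attempts whose source is outside the Intranet: the connections
    the perimeter filter on TCP 14237 / UDP 14238 should have dropped."""
    return [h for h in hotsync_attempts(lines) if not is_intranet(h[2])]


# Constructed sample: two Intranet syncs, one Internet-sourced sync, one web hit.
SAMPLE_LOG = """
2000-01-08T09:12:01 tcp 192.168.1.20:1030 -> 192.168.1.5:14237
2000-01-08T09:12:01 udp 192.168.1.20:1031 -> 192.168.1.5:14238
2000-01-08T09:15:44 tcp 203.0.113.7:2044 -> 192.168.1.5:14237
2000-01-08T09:16:02 tcp 203.0.113.7:2045 -> 192.168.1.5:80
""".strip().splitlines()

if __name__ == "__main__":
    for ts, proto, src, dst in external_hotsync_attempts(SAMPLE_LOG):
        print(f"{ts} {proto} Network HotSync from outside Intranet: {src} -> {dst}")
```

Any line the script reports indicates that the port block recommended above is not in place (or not effective) for that source.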