We already described the mathematical weakness of the Palm Pilot's password protection system. There are other methods of breaking the Palm's weak security system, assuming the attacker has physical access to the Palm.
Without any technical knowledge, special cables, disassembly of hardware, or any additional software besides that which comes with the Palm itself, anyone with physical access to either the PC used to synchronize the Palm (access to the HotSync program) or to the Palm itself can obtain the private data in a couple of minutes.
Credit:
This information was provided by Anonymous.
Set up
To see how this attack works, set up your system as follows:
1. Do a "hot sync" to synchronize the Palm with your PC.
2. Verify that you need to enter a password on both the Palm and the Palm Desktop application to see the private data.
3. Verify that private records are hidden on both the Palm and the PC.
The attack
1. Do a "hard reset" on the Palm (hold down the power button, press the reset button on the back with a paper clip). Alternatively, just use a new Palm out of the box.
2. Go through the initial process of entering the country name, and synchronizing the stylus with the screen.
3. Do another "hot sync" to copy the data back from the PC to the Palm.
4. You will be asked to press a "reset" button on the screen - do that.
5. Go to Home, and then Security.
6. Notice that the password is now marked as "-Unassigned-".
7. Click on "show private records". You do not need to enter a password.
8. View the private data.
Notes:
1. The suggestion from Palm to "keep the device about your person" will not prevent this attack - you just need to bring your own Palm to where the PC is located.
2. Even if the PC is password protected, the default way that the HotSync software is installed enables an attacker to do a HotSync (and thus retrieve the data) even if the workstation is locked (tested under Windows NT 4).
3. If the user were to set up the PC to not allow this (thus defeating the ease-of-use somewhat), you can always reboot the PC. Under Windows 95/98 you don't need to enter a password (just press <esc> when the password screen appears). Alternatively, reboot the PC using a "boot floppy" and access their Palm files that way (i.e. copy them to a floppy and then do the above process on your own PC somewhere else).
4. If the PC is strongly secured, and not left unattended, the other approach would be to momentarily get your hands on the target's Palm, and quickly hot sync it to your own PC (e.g. a laptop in your briefcase). You can do this by distracting the target for a moment, or while s/he is out (e.g. getting coffee, going to the bathroom).
Vulnerable Versions
This process was tested on:
Palm Pilot IIIx
Palm OS(tm) Software v. 3.3
Palm Desktop 3.0.1