Penetration Testing mailing list archives
Re: [PEN-TEST] Palm Pilot Security
From: Crist Clark <crist.clark () GLOBALSTAR COM>
Date: Thu, 25 Jan 2001 16:27:05 -0800
Mike Ahern wrote: [snip]
Anybody aware of methods to hack past the password protection on the Palm? I assume that like anything else, physical access equals potential for 100% system compromise. Anyone aware of any RSA/Security Dynamics soft token security issues on the Palm Pilot?
I believe what is important in this case is not necessarily preventing people from breaking the password protection, but rather being able to detect it. Most SecurID tokens have no access control. It's just a little device with a number on the screen. If the user loses it or it is stolen, you deactivate access for the old one and give him a new one. It is assumed it cannot be cloned without the owner noticing. Even if one can crack it open to get the secret key out, the owner should be able to tell the device was tampered with. For a PDA with soft tolken software, the problem is that it may be possible for an attacker to clone the tolken without the owner knowing. Like you say, one assumes physical access equals compromise. If someone loses her PDA, you cancel access for her tolken. Easy call. The challenge in arrises when a tolken is stolen, but the physical device is not. It is not required that the password protection on the PDA be extremely strong or difficult to defeat _PROVIDED_ you can tell when this has occurred. That said, I really do not know how easy or difficult it is to compromise a PDA and then cover your tracks. I just wanted to point out that if some people point to general information about PDA security, this should probably be the criteria used to evaluate their security standards when serving as a soft tolken device: Not the ability to repell attack, but the ability to tell if an attack has occurred. -- Crist J. Clark Network Security Engineer crist.clark () globalstar com Globalstar, L.P.
Current thread:
- [PEN-TEST] Palm Pilot Security Mike Ahern (Jan 25)
- Re: [PEN-TEST] Palm Pilot Security Crist Clark (Jan 25)
- Re: [PEN-TEST] Palm Pilot Security Rory (Jan 25)
- Re: [PEN-TEST] Palm Pilot Security Aviram Jenik (Jan 29)
- <Possible follow-ups>
- Re: [PEN-TEST] Palm Pilot Security Mitch James (Jan 25)
- Re: [PEN-TEST] Palm Pilot Security Ng, Kenneth (US) (Jan 29)
- Re: [PEN-TEST] Palm Pilot Security Wall, Kevin (Jan 29)
- Re: [PEN-TEST] Palm Pilot Security sporty o'one (Jan 29)
- Re: [PEN-TEST] Palm Pilot Security Scott Treacy (Jan 29)
- Re: [PEN-TEST] Palm Pilot Security Walsh, John (Jan 29)
- Re: [PEN-TEST] Palm Pilot Security DK (Jan 29)
- Message not available
- [PEN-TEST] BIND 8 - TSIG Bug Exploit Jason Witty (Jan 29)