
Security Analysis of Palm OS


Presentation Transcript


  1. Security Analysis of Palm OS
  Martin Vandepas, Karin Olsrud
  Computer and Network Security, ECE 478

  2. Outline
  • Relevancy
  • Information about PDAs
  • Intro to Palm OS
  • Built-in Palm OS security
  • Security flaws
  • Solutions
  • Future/Conclusions

  3. Relevancy
  • The ramifications of a breach of PDA security can be extremely detrimental.
  • According to Tom Walsh of Enterprise Security, robbers net about $85 per holdup and are caught 80% of the time. Information thefts average $800,000 in value, and the thieves are caught 2% of the time.

  4. Information about PDAs
  • PDAs offer many features such as email, telephone/fax, computing and networking abilities.
  • They are portable, easy to use and have wireless capabilities.
  • They allow the user to obtain up-to-the-minute information 24 hours a day.

  5. Intro to Palm OS
  • Versions
  • Hardware
  • Data Storage

  6. Versions
  • New 4.1 and 5.0 operating systems to be released “early summer”.
  • Many flaws discussed later in the presentation are remedied in these newer versions.

  7. Hardware
  • All PDA processors use the Motorola DragonBall series.
  • Extensive programming resources can be found on Motorola’s website.
  • Palm OS 5.0 is looking to use a more powerful family of processors, increasing the current speed of 33 MHz to up to 700 MHz.

  8. Data Storage
  • All data on Palm devices is stored in databases.
  • Databases contain records, in which the actual data is stored.
  • There are no data ownership accommodations or file permissions.

  9. Built-in Palm OS security
  • Uses a default security program.
  • Gives the user no indication of how secure it is.
  • The user is able to set a password at the setup stage; the password can then be used to mark some entries as private or to lock the device at the power on/off stage.

  10. Vulnerabilities
  • The Palm OS is currently plagued with glaring security holes.
  • There are multiple possible attacks depending on the situation.
  • What follows are some of the general flaws; it is in no way a complete assessment of all the security deficiencies in the Palm OS.

  11. Password Length
  • There is currently no lower limit on the number of characters the password is required to have.
  • The passwords do not necessarily have to contain both letters and numbers.
  • Obviously, without a safeguard that makes sure the user’s password is appropriate, this creates a vulnerability.

  12. Weak Password Obfuscation
  • The method that Palm uses to store the password is very weak and quite trivial.
  • For passwords of less than four characters, the password is simply XORed with a known constant and shifted.
  • For passwords of more than four characters, the algorithm is slightly more complex, but the password is still easy to decode once the method is known.

  13. Weak Password Obfuscation cont.
  • Most importantly, during every HotSync operation, the user’s encoded password is transmitted.
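To make the point of slides 12 and 13 concrete, here is an added example (not code from the presentation, and not Palm's real algorithm): a toy XOR-and-rotate encoding with a constructed constant, shown to be fully reversible without any secret, next to the kind of salted, iterated hash a device should store instead. The constant, the shift amount and the iteration count are assumptions for the demo.

```python
import hashlib
import hmac
import os

# Constructed toy scheme standing in for "XOR with a known constant and shift".
# These values are assumptions for the demo, NOT Palm's real constant or shift.
TOY_XOR_CONSTANT = 0x5A
TOY_SHIFT = 3


def toy_obfuscate(password: str) -> bytes:
    """Encode each byte: XOR with the fixed constant, then rotate left by TOY_SHIFT."""
    out = bytearray()
    for b in password.encode("ascii"):
        x = b ^ TOY_XOR_CONSTANT
        out.append(((x << TOY_SHIFT) | (x >> (8 - TOY_SHIFT))) & 0xFF)
    return bytes(out)


def toy_deobfuscate(blob: bytes) -> str:
    """Decoding needs no secret: the scheme is reversible by design, so the
    encoded blob (e.g. one transmitted during a sync) is as good as the password."""
    out = bytearray()
    for x in blob:
        y = ((x >> TOY_SHIFT) | (x << (8 - TOY_SHIFT))) & 0xFF
        out.append(y ^ TOY_XOR_CONSTANT)
    return out.decode("ascii")


def make_verifier(password: str, iterations: int = 200_000) -> tuple[bytes, bytes]:
    """Store a random salt and a PBKDF2-HMAC-SHA256 digest instead of the password.
    The digest cannot be turned back into the password; it can only be checked."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes, iterations: int = 200_000) -> bool:
    """Constant-time comparison of a candidate password against the stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)
```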

  14. HotSync Vulnerability
  • In an office environment, someone could walk up to your computer with an empty handheld, press the HotSync button, and the HotSync program would “restore” all your information onto that person’s handheld.

  15. HotSync Vulnerability cont.
  • Each time a handheld is HotSynced, it checks a specified directory to see if any new files have been added and automatically installs them. A hacker could simply place a program in this add-on directory, and it would be transferred to the PDA and executed automatically.

  16. Creator ID Switching
  • The Creator ID is a four-character code used by the OS to identify programs.
  • When a button is pushed or an application is started, the OS looks through the database for a matching ID and executes the program.
  • Malicious applications can easily claim a Creator ID identical to that of a legitimate one.
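The defensive counterpart to slide 16 is an inventory check: parse the Creator ID out of each installed database header and flag any ID claimed by more than one application. This is an added example, not code from the presentation; it relies on the standard 78-byte Palm database (PDB/PRC) header layout, which the slides do not describe (type at offset 60, creator at offset 64, applications carrying type `appl`), and the sample headers and names are constructed for the demo.

```python
import struct
from collections import defaultdict

# Standard 78-byte Palm database header: name[32], attributes, version,
# creation/modification/backup times, modification number, appInfo, sortInfo,
# then type[4] at offset 60 and creator[4] at offset 64, seed, next list, count.
PDB_HEADER = struct.Struct(">32sHHIIIIII4s4sIIH")
TYPE_INDEX, CREATOR_INDEX = 9, 10   # positions of type and creator in unpack()


def build_header(name: str, db_type: bytes, creator: bytes) -> bytes:
    """Constructed minimal header for the demo (real files carry records after it)."""
    return PDB_HEADER.pack(name.encode("ascii").ljust(32, b"\0"),
                           0, 1, 0, 0, 0, 0, 0, 0, db_type, creator, 0, 0, 0)


def creator_id(header: bytes) -> bytes:
    """Return the four-byte Creator ID, refusing truncated headers."""
    if len(header) < PDB_HEADER.size:
        raise ValueError("truncated PDB header")
    return PDB_HEADER.unpack_from(header)[CREATOR_INDEX]


def find_creator_collisions(databases: dict[str, bytes]) -> dict[bytes, list[str]]:
    """Map each Creator ID used by more than one application to the files claiming it.
    Only 'appl' databases are launchable, so only those are compared."""
    by_creator: dict[bytes, list[str]] = defaultdict(list)
    for filename, data in databases.items():
        fields = PDB_HEADER.unpack_from(data)
        if fields[TYPE_INDEX] == b"appl":
            by_creator[fields[CREATOR_INDEX]].append(filename)
    return {cid: names for cid, names in by_creator.items() if len(names) > 1}


# Constructed inventory: two applications claim the same Creator ID, one does not,
# and a data database sharing the ID is legitimate and must not be flagged.
SAMPLE_INVENTORY = {
    "legit.prc": build_header("Legit App", b"appl", b"XMPL"),
    "impostor.prc": build_header("Look Alike", b"appl", b"XMPL"),
    "other.prc": build_header("Other App", b"appl", b"OTHR"),
    "legit-data.pdb": build_header("Legit AppDB", b"DATA", b"XMPL"),
}

if __name__ == "__main__":
    for cid, names in find_creator_collisions(SAMPLE_INVENTORY).items():
        print(f"Creator ID {cid!r} claimed by: {', '.join(names)}")
```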

  17. Data Ownership
  • Without any facilities in place to protect one’s code or data on a Palm, attacking programs have full access to all the data on a user’s Palm device.
  • This opens the door to attackers and allows them to do a multitude of damage, often without the user’s knowledge.

  18. Solutions
  • movianCrypt
  • PDA Defense
  • OnlyMe
  • FileCrypto

  19. movianCrypt
  • Uses a 128-bit AES encryption key to encrypt individual records.
  • It replaces the standard Palm operating system security application.
  • Provides an option to disable encryption on a per-application basis.
  • In the event of a stolen or lost handheld, the password is not stored on the device itself.

  20. PDA Defense
  • One of the highest levels of security available for handhelds.
  • Used by all branches of the military, the FBI and the White House.
  • When “bomb” is enabled, all data is erased from the handheld if unauthorized attempts are made to access the device.

  21. OnlyMe
  • A unique program used for password protection.
  • Cracker Time Lock: each time a password is entered incorrectly five times, the system locks for a designated period of time.
  • For purposes of password comparison, the user can use hardware keys such as To Do, which would correspond to the letter C or the number 3 in their password.

  22. FileCrypto
  • Uses 128-bit AES data encryption.
  • Increases user authentication by implementing a PIN and passphrase system at the login stage.

  23. Future/Conclusions
  • Palm has recognized the vulnerability issues and is beginning to correct them in the latest versions of its products.
  • Competitors of Palm, like Texas Instruments and Microsoft, have also been quick to address the issue of security in their products.

  24. Future/Conclusions cont.
  • Consumers can expect to see more products that allow them to increase security for their handhelds, including smartcards, biometric capabilities, and motion detectors.
  • Only when companies recognize that handheld security is as important as network security will the current situation be under control.
