[Mobilepartners] Treo (Palm OS) Security Vulnerability

Andrew J Yu andrewyu at MIT.EDU
Thu Feb 15 22:47:46 EST 2007


This message affects all users of Palm OS Treo devices.

On 2/14/2007, Symantec released a security advisory explaining how Palm OS Treo
devices allow access to data even when the devices are locked. Even if the user
protects the device with a password lock, anyone with physical access to the
device can use the "Find" feature on the device to search and access data
including email, documents, SMS messages, etc.

Link: http://isc.sans.org/diary.html?storyid=2250

Palm has yet to issue a fix. I will let you know if and when the fix is
announced by Palm, Inc.

In the meantime, Palm OS Treo users should be aware of this vulnerability and
consider using third-party applications that allow the device to be wiped
remotely by sending an SMS to the device.

Here are some applications that users should consider:

1. Butler: http://www.hobbyistsoftware.com/Butler-more.php
2. mSafe: http://www.motionapps.com/sphone/treo700p/_msafe.jsp
3. Warden: http://www.corsoft.com/warden.asp

Please note that the SMS Kill/Wipe command will only work when the device has
wireless turned on. Due to the typical user behavior when the device has been
lost, even using any of the third-party solutions may not provide the necessary
protection. In short, if the user deals with sensitive data, a Palm OS Treo
device should not be used to store such information until further notice.

___________________________________________
Andrew J. Yu
Mobile Devices Platform Coordinator
Software Release Team
Information Services and Technology
Massachusetts Institute of Technology
77 Massachusetts Avenue, Building W92-140B
Cambridge, MA 02139-4307

Phone: 617-324-8985
Fax: 617-258-8736
Email: AndrewYu at mit.edu
http://web.mit.edu/swrt





