Palm PDA threat to network security

Networks could be vulnerable because passwords don't protect data held on Palm PDAs, according to a warning from the US-based security firm @Stake.

Written by Aoife White, Network News

Chris Wysopal, technical director of research and development at @Stake, said that a back door in the Palm OS allows anyone with developer tools to access information with the tap of a stylus.

Palm's debugging program can be exploited by anyone ready to read the Palm OS developer's manual online and hitch up a PC to a Palm. The program is installed on all devices, and is designed to be used only by application developers and technical support.

The program allows anyone to type in commands such as 'coldboot' to wipe all data from the device, or 'export' to copy everything onto another computer. The program can also be used to access a user's Palm password.

An attacker could copy the contents of the average Palm in about five minutes and decrypt a password in a few seconds.

Besides the fact that network managers tend to put commercially sensitive data in their PDAs, Palm devices, which can exchange data with a network, could also be used to crack into a classified network.

"It is not possible to employ a secure application on top of an insecure foundation," said Wysopal. "Because the Palm OS is inherently insecure, methods to completely secure data are moot. A Palm device should not be left unattended, or loaned to a potentially untrustworthy colleague," Wysopal added.

@Stake recommends that Palm users either glue a piece of plastic over the Palm's serial port connector, leaving the infra-red port as the only method of synching, or disable the Palm's port by opening the case and cutting the specific RS232 lines.

This will prevent an attacker using the debug mode if activated, but would also void the Palm warranty.

A Palm spokesman said improved security protection for the Palm will come with the release of the Palm OS v4.0 this month. PGP encryption for the Palm OS can be downloaded from several software sites.

Also published in Network News
