Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Portables Security Hardware

PDA Security, the Next Big Hurdle for IT? 108

Jack writes "ITO published an article on a new secure PDA requested by the NSA. 'General Dynamics inked an $18 million contract with the secretive National Security Agency to design and develop a secure mobile personal assistant for defense workers. The PDA will integrate all types of communications including voice, data and web.'" In related news palmtops writes "Insecure Magazine has a great and in-depth article written by Seth Fogie, the VP of Airscanner.com, about Pocket PC security. His summary of PDA attacks states: 'These devices are easy to smuggle into a business and can be used to propagate an attack against network devices. Don't make the mistake of assuming is a PDA is a simple data keeper. As the cliche' goes... it is how you use it that matters.'"
This discussion has been archived. No new comments can be posted.

PDA Security, the Next Big Hurdle for IT?

Comments Filter:
  • PDA? (Score:4, Funny)

    by Ceribia ( 865793 ) on Tuesday August 23, 2005 @07:02AM (#13378282)
    I didn't think any one on slashdot had much to worry about when it came to Public Displays of Affection ....
  • by TripMaster Monkey ( 862126 ) * on Tuesday August 23, 2005 @07:04AM (#13378290)

    From the (IN)SECURE article:
    This article will examine just some of the ways that a PDA can be owned by an attacker and what can happen as a result.
    How are we supposed to take this article seriously, when the author can't even spell 'pwn3d' correctly? ^_^
  • just another ploy (Score:4, Insightful)

    by a_greer2005 ( 863926 ) on Tuesday August 23, 2005 @07:04AM (#13378291)
    to make companys bend over and grab the ankles for PocketPC AVs, Wouldnt surprise me a bit if the virus development for the various PDA platforms was unofficially sponsored by the big AV companies
    • Re:just another ploy (Score:4, Interesting)

      by KiloByte ( 825081 ) on Tuesday August 23, 2005 @07:20AM (#13378362)
      While such views are usually dismissed as conspiracy theories, I wouldn't laugh that fast. My dad (in the times when 286 were the hot new stuff) talked to an author of AV software, who admitted to releasing several viruses.
      This was in the times where most software of that kind was written by one-man companies. Now, in the days when AV is a major industry, are you going to bet that no virus authors are employeed by those who benefit the most from virii?
    • Even if a virus cannot attack the PDA directly, it can sit quietly in an email attachment on the device until the device gets synced to a pc, where it can affect the pc. This is where AV software can be useful now - ensuring the data on the device is clean before syncing it to a pc. Before long there WILL be plenty of malware designed to directly attack PDAs but with the wide variety of PDA platform/versions out there it will be difficult to target a sufficiently large set of users to accomplish whatever go

  • My Palm is never hooked to a network, so I never really considered the need for securing it. But I have a friend with a Zaurus, and this should be a huge consideration for him considering he installed a wireless router in his apartment just to be able to use his Zaurus from the bathroom. :-)

        This is just another reminder of how vigilant we must always be.
    • Palm viruses were created as "proof of concept", but haven't been found in the wild frequently, if ever. The Treos might make the exceptions.

      Either way, AV for the Palm is utterly unnecessary. Spend your money where it makes a difference.
    • But I have a friend with a Zaurus, and this should be a huge consideration for him considering he installed a wireless router in his apartment just to be able to use his Zaurus from the bathroom

      More importantly, there are people that he is not friends with who have wireless PDAs right outside his window!! Ok that's tinfoil hat, but really the point is not to secure PDAs but to protect your network from PDAs IMO
      • Mod the parent up!

        Ive just bought an Ipaq with wireless on, so i thought i would have a wander around town on my lunch hour with WiFiFoFum scanning ( Think kismet / netstumbler for pocket pc ).

        As i sit back here at my desk i can see it picked up 138 unique networks, and only 27 of those are showing as having WEP / WPA. Many of them even still have SSID's of 'linksys' and 'NETGEAR' etc.

        Something such as hitchhiker will even automatically try to associate and get web access through the AP with the zero user
    • Meh, just put OpenBSD on the Zaurus and set your paranoia level accordingly...
    • by rlp ( 11898 )
      I just got a (cheap) Zaurus 5500. I've got a wireless router for my wife's laptop, but didn't want to use WPA and the (much) less secure WEP on the same network. So I connected a cheap wireless B PCI card to one of my PC's. Set-up the wireless card in ad-hoc mode on a different channel (well away from the G channel). I then fire-walled all ports on the card except one, and connected and rigged a proxy server listening on that port. I then set up the proxy to NOT access the local LAN.

      Bottom line - I can
    • use his Zaurus from the bathroom.

      Eeeew! I'm glad my job isn't to refurbish Zaurus units that were sent in due to the buttons sticking.
  • Links (Score:5, Informative)

    by Mr_Silver ( 213637 ) on Tuesday August 23, 2005 @07:08AM (#13378308)
    Insecure Magazine has a great and in-depth article written by Seth Fogie, the VP of Airscanner.com, about Pocket PC security.

    It might be a little late mentioning this but the link in this snippet actually points to a 9.1 meg PDF file.

    In the future it would be nice if submitters (and especially editors) actually describe the target of a link when it doesn't go to a good old fashioned HTML or XHTML page of content.

  • by jurt1235 ( 834677 ) on Tuesday August 23, 2005 @07:09AM (#13378311) Homepage
    Adjust an excisting MS/Linux/other PDA with the software required to enter the secure network, and rewrite some drivers to bring the software up to date with . the emerging (BUDGETOVERFLOW DETECTED) secure communications standards.
    The only hardware change seems to be the Defense access card integration.

    Somehow it feels like this device is going to cause a lot of embarrasment later when one gets in the wrong hands and breaks all the security at once.
  • I thought... (Score:2, Informative)

    by uglysad ( 867575 )
    I thought PDAs were on the downfall as it is. With laptops becoming cheaper and cheaper and cell phones getting more advanced, I wasn't aware that PDAs have much of a future. That being said, I still really want one.
    • A laptop doesn't fit in my pocket, is too heavy to always have with me, and while it can do similar stuff with help of some personal information manager software, is in my experience by far not as good at it.

      I am quite often in places where usage of a mobile phone is prohibited completely (for a whole lot of reasons, including security) and have yet to find a phone with good enough PDA functionality but without a camera (again, I have to be at places where carrying any form of camera whatsoever is prohibite
    • Future of PDA... (Score:5, Interesting)

      by hlh_nospam ( 178327 ) <instructor@nOsPAm.celtic-fiddler.com> on Tuesday August 23, 2005 @08:20AM (#13378705) Homepage Journal
      I was happy when the pager business finally died. That reduced the number of gizmos that I was carrying around on a daily basis from 4 to 3; the cellphone features became advanced (and cheap) enough to obsolete the pager completely. At one time, I thought that I would probably snarf up the PDA/phone combo, but I haven't yet found one that I really want to buy -- the price/performance just isn't there yet. When the PDA/cellphone combination gets cheap enough (and full-featured enough), then I envision reducing my current gizmo count to 2.

      As for the laptop, it looks like that will be around for a while. At this point, the PDA just doesn't have the display or input capability to make it the all-in-one personal computing tool. In order for a PDA-sized device to displace the laptop, the I/O needs to get way more advanced, something on the order of a combination ocular/cochlear implant and voice (or better yet, thought ) recognition.

      What are the security folks gonna do when the day comes that you can look at a document and issue a thought-command " copy "? I'm guessing that will be the end of paper documents; to be replaced entirely by electronic (and encrypted) communications for all purposes, including money.
      • What are the security folks gonna do when the day comes that you can look at a document and issue a thought-command " copy "?
        Don't worry. If ever computers become telepathic, people with "bad" ideas will be shot on sight even before they realize they had them.
    • I wasn't aware that PDAs have much of a future. That being said, I still really want one

      Actually GSM phones and PDA's seem to be slowly merging [sonyericsson.com]. My guess is that the winner will be some form of hybrid between GSM phone, PDA and iPod like media player... GPS functionality (complete with maps and routeplanners) wouldn't be bad either.
    • It has to be small enough to play nethack anywhere.

    • Well, you can never tell. Even smart people routinely lose lots of money on predicitons like this.

      I've done every combination of laptop, pda, phone, and converged device, and none of them are perfect. As I get older, I like fussing with stuff less and less, and value simple functionality more and more. I don't really want PDA functions intruding on my phone -- what I'd appreciate a large, well laid out hardware dial pad. I don't want to fuss with multi-level menus on a tiny phone screen. Making all the
  • by MosesJones ( 55544 ) on Tuesday August 23, 2005 @07:15AM (#13378343) Homepage
    The PDA will integrate all types of communications including voice, data and web

    Riiight, so its sort of a SMARTPHONE then? Sure PDAs could be a threat, but its probably worth focusing more on something that everyone already has and which is has all this functionality already, as well as a digital camera etc.... the ubiquitous mobile phone.

    Developing, and then requiring, a "secure" PDA for all your people and then being "suprised" when information leaks via their mobile phone with the 1GB Flashcard, 2 Mega-pixel camera and Broadband 3G connection doesn't sound like a plan for tomorrow.

    • The whole thing is a terribly simplistic view.

      Don't make the mistake of assuming is a PDA is a simple data keeper. As the cliche' goes... it is how you use it that matters.

      There are adaptors for TI Calculators that turn them into serial port terminals. Most digital cameras run some variant of DOS under the hood, and can be programmed to run any script that you would want. GB USB flash drives are small enough to be hidden basically anywhere these days. And anything with bluetooth is 0wnable and can be use
    • I work for a General Dynamics subsidiary (Electric Boat) and we're currently forbidden to bring in any form of a camera, even on a cell phone or PDA. Most of the time you're trusted, but they check on occasion. You'd be lucky if you didn't get canned for bringing one in, so most people aren't willing to risk it. We're also forbidden to connect anything to the computers, even though there's nothing classified on the user desktops. Again, they log everything and check.

      The problem lies with the fact that it's
      • I work in a secure environment. But some peoples idea of secure is clearly different from others.

        We're not allowed to connect to the internet unless we go through a Citrix session. We can't cut and paste between the Citrix session, but we are allowed to save to the host computer, then use SAMBA to connect to that host and grab the file.

        We're not allowed to access the secure LAN from out workstations, but we are allowed to bring data sticks into the office, and use them to take data off the secure lan.

        We can
        • I could go on. It seems that although the company signs up to the concept of security, they don't actually like to implement it.
          This is normal, that's because you work for a company managed by PhBs.

          Bail-out.

  • Too many standards (Score:5, Insightful)

    by spectrokid ( 660550 ) on Tuesday August 23, 2005 @07:26AM (#13378392) Homepage
    I think the biggest problem is every manufacturor makes his own synchronisation software running some weird propietary protocol. It feels like the good old days where you spent half a day setting up your dotmatrix in WP 2.1, and then restarted from zero in Lotus 123. Somebody should set some standards here. A PDA/Phone should be hardware abstracted at the OS level, just like a printer. And on corporate networks, the PC should just be a USB/Bluetooth -to-ethernet router, with the PDA authenticating directly to Exchange/Notes/whatever.
  • Bored (Score:2, Funny)

    by CaptainFork ( 865941 )
    What a boring story.

    Would someone please post a feed-line so I can post a funny reply and get some karma.

    Thanks.

  • by Voltas ( 222666 ) on Tuesday August 23, 2005 @07:35AM (#13378433) Homepage Journal
    This makes a PDA sound like something its not and it links a sites physical/personel security to the PDA.

    You can smuggle 1 GB of viral data into a facility in the roof of your mouth (SD Card) SD CARDS ARE THE NEXT THREAT TO WORLD SECURITY!!!

    I think you get my point.

    PDA's are computer, now a-days they are about the horse power of a full size computer 10 years ago. Thats all we need to know, and address the PHYSICAL and INFRASTRUCTURE security appropriatly for them.

    The number 1 hacker method will always be social engineering. A ./ artical a while back showed that a guy stold a mainframe and he didn't use a PDA.
    • Steal a mainframe (Score:3, Insightful)

      by jurt1235 ( 834677 )
      To steal a mainframe, one usually uses a flatbed truck with a forklift, and ofcourse wirecutters. To steal a mainframe with a PDA that PDA really needs special features....
  • Openbsd (Score:4, Informative)

    by ErisCalmsme ( 212887 ) on Tuesday August 23, 2005 @07:47AM (#13378494) Homepage Journal
    http://openbsd.org/zaurus.html [openbsd.org]

    Nuff Said.
  • Why would we not fix desktop security first? We have not yet helped Microsoft enough.
  • PAD cases (Score:2, Insightful)

    by Ozric ( 30691 )
    One thing about a PAD zip case .. it is just abot the same size as a pistol case for a 32 or 308.

    I have never seen a gaurd stop a person holding a PDA case in their hand.
  • ... would seem to be a key problem for the NSA. Blackberry servers allow admins to erase lost devices remotely, but I tend to think that "erase" is similar to a MS DOS format - i.e, barely touch the actual filesystem. To scrub a PDA's flash disk with numerous overwrites of random data would seem to be a good trick. Similarly, having a PDA render its flash permanently unreadable would also be a good trick, given the battery constraints.

    ostiguy
    • There are enough utilities to wipe disks clean like for example zerodisk. Or if you want to destroy just one file use shred. So adding this kind of functionality is not too tough. The point is more what happens when the device is out of reach. I think the best solution is to have a stateless device, so no data present when you do not have a correct connection. The question is if the device still is usefull for the goverment at that moment.
  • From the article ::
    • The NSA PDA phone will provide secure voice and data communications, including e-mail, web access, file viewing and access to the government secure network.

    But wouldn't those still fall for the regulations of the FCC?! The wireless tracking [slashdot.org], VoIP tapping [slashdot.org] and backdoring networks [slashdot.org]

    If those PDA's are for gov. use only, that still doesn't prevent gov. agencies from spying on each other! or even prevents black-hats from accessing gov. networks then PDA's

  • by Maljin Jolt ( 746064 ) on Tuesday August 23, 2005 @08:30AM (#13378782) Journal
    Just walking around with the pockets full of computers makes the task done: iPaq 3970 ($100) with Linux, Jornada 690 ($50) with NetBSD. Plus some equipment: 2G CF microdrive and wifi/ethernet CF/pcmcia makes a real computer of both. They have 100x more resources than double mainframe I admined just 22 years ago.

    However, a "secure PDA" by NSA standards somewhat tells me it must have a backdoor of some kind...

  • Homephone (Score:3, Insightful)

    by Doc Ruby ( 173196 ) on Tuesday August 23, 2005 @08:38AM (#13378834) Homepage Journal
    PDAs (and mobile "phones") seem perfect candidates for biometrics. They are easily taken from their owner's physical control. Their UI HW is so limited that passwords are a hassle. They're actually the main storage for many people's "memos", so remembering their password is a catch-22. They have the most personal info of any device, often just a tap away from indicating personal liabilities. They're just a year or two from acting as a universal digital wallet, probably wireless - almost certainly with dynamic IP#s. They'll usually be connecting through a brief relationship with an otherwise unknown LAN segment, like a public WiFi hotspot. And people will just completely trust them, especially because their userbase is among the least tech sophisticated.

    But also, most importantly, because they're so extremely valuable as security devices. People can trust their own phone, if really secured. They can carry it anywhere Especially once phones are <$20 each, they can have several secured phones left around their car, their office, other locations they frequent. A reliable biometric access device, like a thumbprint scanner, makes the "phone" an extension of the person's identity. Appropriate, when it stores both all their personal data, and their contacts with other people - as well as executing access to them. Securing one's phone can make access to the rest of the virtual world secure, at just the persistent device closest to us. If that little gizmo is really going to become our "universal remote" to all worlds both real and virtual, it needs to recognize us exclusively, and vice versa, to represent us there.
    • Great. Now about that reliable part in the thumbprint (fingerprint ?) scanning... Fingerprint scanning *can* be rather secure. By letting qualified personel watch persons while they perform the biometric verification. Artificial fingerprints are just too easy to make (and to get off glass, like for instance, the touch screen of a PDA).

      I would myself rather opt for a PIN or similar scheme (e.g. put pictures in a specific order) to access the device. These kind of devices tend to get used pretty much, so the
  • I did a little PDA Security article a while back that was published in BlackListed 411! magazine.
    It briefly surveys a number of key issues, and has some good links/ references at the end.

    For anyone interested, you can read it here:

    http://iamsam.com/papers/PDA_Security.htm [iamsam.com]

    Later-

    Sam

    Sam Nitzberg
    sam @ iamsam . com
    http:/// [http] www. iamsam. com
  • Palm OS 6 Cobalt (Score:3, Interesting)

    by samalone ( 707709 ) on Tuesday August 23, 2005 @08:44AM (#13378877) Homepage

    It's a shame that no Palm OS 6 Cobalt [palmos.com] devices have actually made it to market, because PalmSource has done a lot right in that version of the Palm OS to provide a sound security model.

    Not only does the OS provide for digital signing of code, it provides secure databases where only signed applications can access the data. You can control which databases are synchronized to the desktop, and even which applications can access screen buffers (to prevent screen-scraping).

    Hopefully either Palm OS 6 Cobalt or its Linux-based successors will make it into actual devices soon. It would be a huge step toward powerful, secure PDAs.

  • by Anonymous Coward
    Agressive Network Self Defense (Chapter 1) includes a rather long and very detailed walkthrough on how a Pocket PC can be owned by an attacker.

    From buffer overflow to virus and trojan examples, it is all covered.

    Plus these links have information of value as well:

    Hacking Windows CE - Phrack 63 http://www.phrack.org/show.php?p=63&a=6 [phrack.org]

    Pocket PC Phone Shellcode: http://www.mulliner.org/pocketpc/ [mulliner.org]

    Blackhat talk by Seth Fogie: http://www.airscanner.com/pubs/BlackHat2004.pdf [airscanner.com]

  • Last I knew, PDA sales were at an all time low compared to recent years more or less due to cell phones dupicating most of their functions. It seems wrong that something that has been said to be near the end of its lifespan is considered the "next big security risk".
  • There are plenty of criticisms of Windows architecture shortcomings, but what about PocketPC OS? I haven't paid much attention to this market. Was it designed from scratch, or is it a cut-down windows kernel? Does it share any of Window's vulnerabilities (mixing of app & os code, security issues, etc.), or is it inherently more secure than Windows by virtue of different architecture?
  • You have a secure pda, thats great. Let's say a gov employ (possibly from homeland sec.) takes the train/subway/airplane home and the pda slips out of his pocket.(I have lost enough cellphones this way.) Now you have a goverment information, stored passwords, encryption keys sitting there for the less scrupulous of us to scoup up. At least laptop cases are harder to forget.

"Being against torture ought to be sort of a multipartisan thing." -- Karl Lehenbauer, as amended by Jeff Daiell, a Libertarian

Working...