By Jim Wolf
WASHINGTON (Reuters) – Handheld computers such as those using the industry-leading Palm Inc. (Nasdaq:PALM) operating system are increasingly vulnerable to hacker attacks and should not be trusted to store “any critical or confidential information,” security experts warned consumers on Thursday.
Peiter Zatko, chief scientist and vice president of @stake, Inc., a Cambridge, Massachusetts, security engineering firm, and an @stake colleague, Joe Grand, noted that the growing business use of personal digital assistants, or PDAs, raises concerns about security.
“PDAs were designed for personal use but are now being used more for business,” Zatko told a computer security conference. “There’s a security boundary that’s being crossed.”
Zatko and Grand, known as “Kingpin” in the computer security world, argued that data in the ubiquitous handhelds could be easily compromised, notably through password retrieval, and that the devices themselves could be hijacked to spread viruses after being synchronized over networks.
“Many users do not recognize that the information stored on their PDA is open to compromise by unauthorized users, and hence do not treat the data stored on their handhelds with the same care as they do on their desktop,” they said in an article for a security symposium sponsored by the USENIX Association, a computer professional group.
The authors said PDAs were being deployed by corporations and government bodies such as the U.S. Navy for security-related applications, including one-time password generation, storage of medical records and confidential inventory tracking.
The added functionality of wireless technologies such as infrared and radio frequency links boosted the threat of compromise, they said.
“We conclude that current state-of-the-art portable devices are not equipped for the threat of viruses or other malicious code components,” Zatko and Grand wrote.
The pair focused on devices running the Palm operating system because they said it represented nearly 80 percent of the global handheld computing market despite what they described as fundamental security flaws.
The Palm operating system was designed to be open and modular to support third-party applications development.
Among those licensing the system are Handspring Inc. (Nasdaq:HAND), Sony Corp. (6758.T), IBM Corp. (NYSE:IBM), Kyocera Corp. (6971.OS), QUALCOMM Inc. (Nasdaq:QCOM), Franklin Covey Co. (NYSE:FC) and Symbol Technologies Inc. (NYSE:SBL).
One major threat to such devices, the authors argued, is what they called the relative ease with which passwords may be retrieved.
They said it was possible to extract data from portable devices by reading “raw memory” or from the host system after such data had been backed up.
“In officially sanctioned scans, the authors found that the passwords chosen by users to protect data on their PDAs were the same as those being used for critical corporate assets,” they wrote.
The pair said the Palm operating system, in its current state, should not be trusted to store “any critical or confidential information.”
A Palm spokeswoman, Julia Rodriguez, said “as of today” viruses and other malicious code had not posed a major threat to the broad base of Palm users, who may total 10 million worldwide.
“We believe that as handhelds and other devices like phones, pagers, even cars become increasingly connected through wireless or wireline connections to the Internet and to email, the threat of malicious software will naturally become greater than it is today,” she said.
Contrary to the researchers’ conclusion, the spokeswoman said, Palm handhelds were by their nature more secure than computers with more complex operating systems.
“There are safeguards built into the Palm operating system to protect…user data on many levels, and this makes Palm handhelds by nature more secure from suffering damage from viruses,” she said.