Does Your Treo's built-in Find Feature Help Crooks to "Find" Out About You?

Wed Feb 14, 2007 - 3:55 PM EST - By Jennifer Chappell


Overview

Update 3: Chirag Patel from Corsoft has let me know of a new update for Warden:

"Here is a brief update for you and TreoCentral community. We have posted an update, Build: 2.0.1037, to eliminate the reported security vulnerability completely. With this update, Warden will not permit access to the 'Find' functionality when the device is secured.

As reported earlier, with Warden Software, it was possible to invoke Find dialog during a very brief moment while a phone call was attempted from a locked device (either by Call Owner or Call Emergency) during the time it was getting connected. Once the call was connected or terminated, Warden regained its control back right away. The access to this information was very brief, as in, less than a few seconds, but we could not ignore this, especially after knowing about it.

With the new update, the access to the find dialog is completely blocked when the device is locked by Warden Software."

Thank you, Mr. Patel, for all your hard work in keeping our Treos safe and secure!


Update 2: Nebojsa Lazic, Director of Technology at mSafe has responded to my email regarding the Find Feature vulnerability. Below is some of what Mr Lazic had to say:

"Thank you very much for contacting us on this matter. We are aware of the security problem of the Palm global find feature and we are going to address it by providing a fix in the next mSafe update. This update, i.e. mSafe v4.1 is scheduled for release early next week. We have been able to find a solution to this problem and it will provide a complete fix for Palm's oversight, including the fix for disabling the data retrieval through global find after the debug reset of a device.

I would also like to use this opportunity to share with you some highlights of the upcoming mSafe features. From its beginning mSafe was designed and implemented on top of the Palm's built-in security application by adding advanced locking and data erasing features to it. We believe this is the best approach to solving security concerns of many Treo users and that is why we have been insisting on it since the v1.0 of mSafe which was released a few years ago for the first Treo smartphone that hit market - Treo 180. We don't want to add an additional layer of complexity with mSafe by forcing our users to learn how to use and optimally configure yet another application on their phones. Instead, by leveraging the built-in security mechanisms of smartphones, our users are implicitly familiar with our product, know how to use it and, most importantly, what kind of behavior they can expect from it once the phone is locked or erased. This approach also enables us to support a wide variety of smartphones as mSafe is available and has the same features on all Treos - including the latest family of Windows Mobile Treo devices, as well as other smartphones like MotoQ. This enables our users to keep their information secure in a same and constant manner even if they change their phone or upgrade to a completely different OS.

And most importantly, because it is built into each Treo smartphone, Palm's security application is under constant review by a large community of Palm users and other developers and not only by agile mSafe users and beta testers. People like you and your readers are an invaluable source of the important information - like the mentioned Palm's global find error - that we can act upon and provide all the required fixes in future, like we did in the past. In fact, this is probably one of the most powerful features of mSafe: even if by some chance, we didn't provide a fix for a security hole discovered by people like you, somebody else, if not Palm, would surely come up with a fix, and our users would be able to continue to use advanced mSafe features along with any fixes provided by others. This is something that none of the applications implementing their own security mechanism can ever hope to achieve. If you compare this to a possibility of a security hole in some proprietary application for which one can never be certain how thoroughly it has been tested in the field and what vulnerabilities it may hide under the hood, you will realize all the benefits of our approach to the problem.

Finally, early next week we are going to release the new mSafe v4.1 that addresses the mentioned problem, along with the mSafe Portal website that our users will be able to use to remotely lock or erase their smartphones. mSafe Portal will work with network carriers around the globe, including the US and non-US cellular networks."

Thank you Mr. Lazic for your very kind response!

And of course, the major news on this was posted by Dieter today: Palm is going to patch the security hole.


Update: We have a wonderful community full of TreoCentral users and one of them has developed a fix for the Find Feature vulnerability on a Palm OS Treo.

dkirker, a user in our TreoCentral forums, came up with the fix. Donald Kirker is his name, and he's in the midst of creating his own web browser, known as the Universe PalmOS web browser. Thanks for developing this great fix, Donald!

The fix got started when forum member chiru posted about the Find Feature information disclosure. dkirker responded to chiru's post saying that he could not reproduce the symptom. Other members, like Perry Holden, responded, and members reported being able to reproduce the symptom. dkirker got to work and developed a fix called SecurityLockFindFix. I asked Donald Kirker about the SecurityLockFindFix and this is how he explained the fix to me:

"Basically, all it does is register with the system to receive button presses. The fix then checks to see if the button pressed was the find button and if the device was locked. If both conditions are met, the patch tells the system that it handled the button. This prevents the system from handling it itself."

This fix seems to work. Note that it is unsupported and still in development. Be sure to read through the entire thread before downloading the fix, which can be found in the thread.
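The interception approach described above can be modelled as a key-event handler chain in which a filter registered ahead of the system's default handler claims the Find key while the device is locked. This is an added example, not Donald Kirker's code and not the Palm OS API: every type, key code and screen name in it is a hypothetical stand-in.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a key-event handler chain. Not Palm OS API:
   every type, key code and screen name here is hypothetical. */
typedef enum { KEY_FIND, KEY_DIGIT } KeyCode;
typedef enum { SCREEN_HOME, SCREEN_EMERGENCY_CALL, SCREEN_CALL_IN_PROGRESS } Screen;
typedef struct { bool locked; Screen screen; int find_opened; int keys_delivered; } Device;
typedef struct { KeyCode key; bool handled; } KeyEvent;
typedef void (*KeyHandler)(Device *, KeyEvent *);

/* The filter: claim the Find key whenever the device is locked. It keys on
   lock state, not on the current screen, so both call screens are covered. */
static void lock_find_filter(Device *d, KeyEvent *e) {
    if (e->key == KEY_FIND && d->locked) e->handled = true;
}

/* Stand-in for default system handling: Find opens the search dialog. */
static void system_default(Device *d, KeyEvent *e) {
    if (e->key == KEY_FIND) d->find_opened++; else d->keys_delivered++;
    e->handled = true;
}

/* Handlers run in registration order; the first to set handled ends the chain. */
static void dispatch(Device *d, KeyCode key, const KeyHandler *chain, size_t n) {
    KeyEvent e = { key, false };
    for (size_t i = 0; i < n && !e.handled; i++) chain[i](d, &e);
}

/* Press one key on a fresh device; returns the resulting device counters. */
Device press(KeyCode key, bool locked, Screen screen, bool fix_installed) {
    Device d = { locked, screen, 0, 0 };
    const KeyHandler with_fix[] = { lock_find_filter, system_default };
    const KeyHandler without[]  = { system_default };
    if (fix_installed) dispatch(&d, key, with_fix, 2);
    else               dispatch(&d, key, without, 1);
    return d;
}

int main(void) {
    printf("locked, no fix:   find dialogs = %d\n",
           press(KEY_FIND, true, SCREEN_EMERGENCY_CALL, false).find_opened);
    printf("locked, with fix: find dialogs = %d\n",
           press(KEY_FIND, true, SCREEN_CALL_IN_PROGRESS, true).find_opened);
    return 0;
}
```

Because the filter only claims the Find key, other keys still reach the default handler on a locked device, and Find keeps working once the device is unlocked.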


There is an interesting article over at InfoWorld about a Treo security bypass vulnerability.

Symantec has found the bug and reported it, thank goodness.

Below is a section straight from the report:

Platforms: Palm OS Treo smart phones - Tested on Verizon, Sprint, & Cingular Treo 650 (Treo650-1.03a-VZW & Treo650-1.12-SPCS), Cingular Treo 680, and Sprint/Verizon Treo 700p phones

Severity: Locally exploitable

According to the report, even though Palm OS Treos are equipped with a system password lock to secure contents of handheld data from unauthorized access, a Treo's built-in Find feature is still accessible and can be used to perform searches on text in Treo applications and databases (e.g. SMS Messages, Memos, Calendar, Tasks, etc).

The Find feature can be accessed when the handheld is locked by issuing keyboard shortcut keys on the Emergency Call screen and the Call In Progress screen that is displayed when an incoming call is accepted.

Well, that's not good, huh? And guess what? According to this report, Palm was notified about the problem on 8/14/2006. Palm acknowledged and confirmed during the next month. And Palm decided not to fix the vulnerability on 1/19/2007 according to the report.

So let's hope that there are some really good security programs out there for our Treos. A couple of security programs out there are Warden by Corsoft and mSafe by MotionApps. I've emailed both companies and asked if their product protects against this vulnerability. I'll update when I get a response.

Unfortunately, as long as there are scummy crooks out there who want our personal information, we'll always have to be on our toes regarding security, even with our Treos that we hold safely and dearly at our sides daily. It never ceases to amaze me at the loops and holes these hackers will jump through in order to get at what they want. For more information on the security vulnerability, you can read the InfoWorld article here.

Update: Chirag Patel from Corsoft emailed me a very kind response to my question about his software Warden. Below are some of Mr. Patel's comments:

"The reference made by the article for the default Security Application is correct. I noticed that they even provide steps one can follow to access confidential information. I suspect this would be true for all third party applications that depend on the default Security application, like mSafe, Butler and few others. They primarily provide options to invoke the lock remotely. Some of them also provide options to remotely delete the data.

With Warden, this security violation does not exist *for the most part*. There is a very small window of opportunity for the attacker to see some data but the device will lock itself quickly. Let me elaborate...

Warden provides its own Lock. It does not use the default Treo Security app. Warden Lock has options to Call Owner and also an In Case of Emergency (ICE) section. Call owner option helps a Good Samaritan reach the owner to return the device. As per statistical records, the chances your device will end up in good hands is more than 80% (numbers vary in other parts of the World).

The ICE option provides assistance to others that may be around in case the device owner is not able to make a call for help, in case of an accident, for example. The Police or anyone around can find and call device owner's family and the medical personnel can know more about their health issues, allergies, medications and more to respond quickly during those critical moments. Warden prevents exposure of critical data and yet helps the right people get connected. (Though we have designed it, we hope none of our users ever have the need to use it.)

Warden handles local lock and remote lock differently. The user may want to lock their Treo locally, while it is with them, and yet continue to use it, like get alerts about their appointments, receive SMS and accept incoming calls. They can also make calls to the most Frequently Called Numbers. But when the Treo is lost, the device owner can lock their device remotely using the web (http://LockMyTreo.com). In this remotely locked state, the device behaves much differently. It will not present any alerts - Calendar or from new SMS messages and will also not ring on any incoming calls (except the ones that are defined to ring - like the owner himself trying to call the device). The entire section on ICE becomes inaccessible as the device is no longer with its rightful owner. Warden also provides options to conceal the name and email address of the device owner (which is normally presented on the local lock). The idea here again, is to present total confidentiality on 'who' the device belongs to and to discourage potential attacks (A device that was known to belong to personalities like Bill Gates, Larry Ellison or Steve Jobs is likely to generate more controversy and greater interest than an unknown reference).

If an attacker was to access a locked device, then they can click on Call Owner button to make a call or click on Call 911 button to make a 911 call. For a remotely locked device, the finder can click on a button to call some predefined number which may be designated by a company or an individual for lost and found reporting. While that call is in progress, *as in, the call has NOT yet connected*, then during that time, the attacker could try to explore information using the FIND option as stated in the article and may have access to that information for a very short time - UNTIL the call is connected! When the call makes the connection, Warden will restore the lock and the attacker would not be able to view that information anymore.

This is much different from Default Security Application (or mSafe, Butler and the like), where the attacker has access to that critical information BEFORE making the call and even after the call is through or terminated.

Warden provides total security for the device (as in Data and Voice). It is designed explicitly for the Palm Treo and operates on all recent Treo models (Palm 700P, 680, 650, 600 + Windows Mobile 750, 700W|WX). Warden provides fine granular control on the device behavior and helps the device owner get the much needed peace of mind on the status of the Treo (like it is locked, or unlocked) via email confirmation and more.

Warden is the *ONLY* solution that secures voice calls on Treo remotely. For example, when you have lost your Treo, the people in your world may not know about it and may try to reach you for business or otherwise. They may not be able to distinguish you by the voice that answers the call and have every reason to trust that it is you as they have initiated the call to you. With Warden, all inbound calls are blocked preventing any potential of fraud, which could lead to lack of faith and Trust."

So there you have it! Thanks Mr. Patel! I must say that Warden sounds like a wonderful security application to have on your Treo! I can tell from talking with Mr. Patel that he is very dedicated to the security of the Treo device.

This page shows some nice illustrated examples of Warden which explain the "Local Lock". This page explains the "Remote Lock".

If you'd like to check out Warden, head over to LockMyTreo.com and have a look. You can also find Warden in the TreoCentral Store. Look for a review of Warden from Jay coming soon.



