"Here is a brief update for you and TreoCentral community. We have
posted an update, Build: 2.0.1037, to eliminate the reported security vulnerability completely. With this update, Warden will not permit access to the 'Find' functionality when the device is secured.
As reported earlier, with Warden Software, it was possible to invoke Find dialog during a very brief moment while a phone call was attempted from a locked device (either by Call Owner or Call Emergency) during the time it was getting connected. Once the call was connected or terminated, Warden regained its control back right away. The access to this information was very brief, as in, less than few seconds but we could not ignore this, especially after knowing about it.
With the new update, the access to the find dialog is completely blocked when the device is locked by Warden Software."
Thank you Mr. Patel for all your hard work in keeping our Treos safe and secure!
Update 2: Nebojsa Lazic, Director of Technology at mSafe has responded to my email regarding the Find Feature vulnerability. Below is some of what Mr Lazic had to say:
"Thank you very much for contacting us on this matter. We are aware of the security problem of the Palm global find feature and we are going to address it by providing a fix in the next mSafe update. This update, i.e. mSafe v4.1 is scheduled for release early next week. We have been able to find a solution to this problem and it will provide a complete fix for Palm's oversight, including the fix for disabling the data retrieval through global find after the debug reset of a device.
I would also like to use this opportunity to share with you some highlights of the upcoming mSafe features. From its beginning mSafe was designed and implemented on top of the Palm's built-in security application by adding advanced locking and data erasing features to it. We believe this is the best approach to solving security concerns of many Treo users and that is why we have been insisting on it since the v1.0 of mSafe which was released a few years ago for the first Treo smartphone that hit market - Treo 180. We don't want to add an additional layer of complexity with mSafe by forcing our users to learn how to use and optimally configure yet another application on their phones. Instead, by leveraging the built-in security mechanisms of smartphones, our users are implicitly familiar with our product, know how to use it and, most importantly, what kind of behavior they can expect from it once the phone is locked or erased. This approach also enables us to support a wide variety of smartphones as mSafe is available and has the same features on all Treos - including the latest family of Windows Mobile Treo devices, as well as other smartphones like MotoQ. This enables our users to keep their information secure in a same and constant manner even if they change their phone or upgrade to a completely different OS.
And most importantly, because it is built into each Treo smartphone, Palm's security application is under constant review by a large community of Palm users and other developers and not only by agile mSafe users and beta testers. People like you and your readers are an invaluable source of the important information - like the mentioned Palm's global find error - that we can act upon and provide all the required fixes in future, like we did in the past. In fact, this is probably one of the most powerful features of mSafe: even if by some chance, we didn't provide a fix for a security hole discovered by people like you, somebody else, if not Palm, would surely come up with a fix, and our users would be able to continue to use advanced mSafe features along with any fixes provided by others. This is something that none of the applications implementing their own security mechanism can ever hope to achieve. If you compare this to a possibility of a security hole in some proprietary application for which one can never be certain how thoroughly it has been tested in the field and what vulnerabilities it may hide under the hood, you will realize all the benefits of our approach to the problem.
Finally, early next week we are going to release the new mSafe v4.1 that addresses the mentioned problem, along with the mSafe Portal website that our users will be able to use to remotely lock or erase their smartphones. mSafe Portal will work with network carriers around the globe, including the US and non-US cellular networks."
Thank you Mr. Lazic for your very kind response!
And of course the major news on this has been posted by Dieter today that Palm is going to patch the Security hole.
Update: We have a wonderful community full of TreoCentral users and one of them has developed a fix for the Find Feature vulnerability on a Palm OS Treo.
dkirker, a user in our TreoCentral forums came up with the fix. Donald Kirker is his name and he's in the midst of creating his own web browser known as the Universe PalmOS web browser. Thanks for developing this great fix Donald!
The fix got started when forum member chiru posted about the Find Feature information disclosure. dkirker responded to chiru's post saying that he could not reproduce the symptom. Other members like Perry Holden responded and members reported being able to reproduce the symptom. dkirker got to work and developed a fix called SecurityLockFindFix. I asked Donald Kirker about the SecurityLockFindFix and this is how he explained the fix to me:
"Basically, all it does is register with the system to receive button presses. The fix then checks to see if the button pressed was the find button and if the device was locked. If both conditions are met, the patch tells the system that it handled the button. This prevents the system from handling it itself."
This fix seems to work. Note that it is unsupported and still in development. Be sure to read through the entire thread before downloading the fix which can be found in the thread.
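The logic Donald Kirker describes above, as an added model in C. It is not his SecurityLockFindFix code and uses no Palm OS API; the handler chain, screen names and function names are constructed for illustration. It shows why the guard keys on the lock state rather than on which screen is displayed, which is what covers the Emergency Call and Call In Progress screens named in the report:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model; none of these names are Palm OS API. */
typedef enum { SCREEN_LOCK, SCREEN_EMERGENCY_CALL, SCREEN_CALL_IN_PROGRESS, SCREEN_HOME } screen_t;
typedef enum { KEY_FIND, KEY_OTHER } keycode_t;
typedef struct { bool locked; screen_t screen; bool find_open; } device_t;

/* A handler returns true when it claims the key ("handled"). */
typedef bool (*key_handler_t)(device_t *dev, keycode_t key);

/* Assumed default behaviour: the lock form swallows Find, but every other
 * screen opens the dialog without consulting the lock state. */
static bool system_default_handler(device_t *dev, keycode_t key) {
    if (key != KEY_FIND) return false;
    if (dev->screen != SCREEN_LOCK) dev->find_open = true;
    return true;
}

/* The fix as described: Find pressed AND device locked -> claim the key.
 * It tests the lock state, not the foreground screen. */
static bool lock_find_guard(device_t *dev, keycode_t key) {
    return key == KEY_FIND && dev->locked;
}

/* Walk the chain in registration order; the first claim stops delivery. */
static void dispatch_key(device_t *dev, keycode_t key, const key_handler_t *chain, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (chain[i](dev, key)) return;
}

/* Press Find on the given screen and report whether the dialog opened. */
bool find_opens(bool locked, screen_t screen, bool with_guard) {
    device_t dev = { locked, screen, false };
    key_handler_t chain[2];
    size_t n = 0;
    if (with_guard) chain[n++] = lock_find_guard;  /* registered ahead of the system */
    chain[n++] = system_default_handler;
    dispatch_key(&dev, KEY_FIND, chain, n);
    return dev.find_open;
}

int main(void) {
    printf("locked, emergency call, no guard: %d\n", find_opens(true, SCREEN_EMERGENCY_CALL, false));
    printf("locked, emergency call, guard:    %d\n", find_opens(true, SCREEN_EMERGENCY_CALL, true));
    printf("unlocked, home, guard:            %d\n", find_opens(false, SCREEN_HOME, true));
    return 0;
}
```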
There is an interesting article over at InfoWorld about a Treo security bypass vulnerability.
Symantec has found the bug and reported it, thank goodness.
Below is a section straight from the report:
Platforms: Palm OS Treo smart phones - Tested on Verizon, Sprint, & Cingular Treo 650 (Treo650-1.03a-VZW & Treo650-1.12-SPCS), Cingular Treo 680, and Sprint/Verizon Treo 700p phones
Severity: Locally exploitable
According to the report, even though Palm OS Treos are equipped with a system password lock to secure contents of handheld data from unauthorized access, a Treo's built-in Find feature is still accessible and can be used to perform searches on text in Treo applications and databases (e.g. SMS Messages, Memos, Calendar, Tasks, etc).
The Find feature can be accessed when the handheld is locked by issuing keyboard shortcut keys on the Emergency Call screen and the Call In Progress screen that is displayed when an incoming call is accepted.
Well, that's not good, huh? And guess what? According to this report, Palm was notified about the problem on 8/14/2006. Palm acknowledged and confirmed during the next month. And Palm decided not to fix the vulnerability on 1/19/2007 according to the report.
So let's hope that there are some really good security programs out there for our Treos. A couple of security programs out there are Warden by Corsoft and mSafe by MotionApps. I've emailed both companies and asked if their product protects against this vulnerability. I'll update when I get a response.
Unfortunately, as long as there are scummy crooks out there who want our personal information, we'll always have to be on our toes regarding security, even with our Treos that we hold safely and dearly at our sides daily. It never ceases to amaze me at the loops and holes these hackers will jump through in order to get at what they want.
For more information on the security vulnerability, you can read the InfoWorld article here.
Update: Chirag Patel from Corsoft emailed me a very kind response to my question about his software Warden. Below are some of Mr. Patel's comments:
"The reference made by the article for the default Security Application is correct. I noticed that they even provide steps one can follow to access confidential information. I suspect this would be true for all third party applications that depend on the default Security application, like mSafe, Butler and few others. They primarily provide options to invoke the lock remotely. Some of them also provide options to remotely delete the data.
With Warden, this security violation does not exist *for the most part*. There is a very small window of opportunity for the attacker to see some data but the device will lock itself quickly. Let me elaborate...
Warden provides its own Lock. It does not use the default Treo Security app. Warden Lock has options to Call Owner and also an In Case of Emergency (ICE) section. Call owner option helps a Good Samaritan reach the owner to return the device. As per statistical records, the chances your device will end up in good hands is more than 80% (numbers vary in other parts of the World).
The ICE option provides assistance to others that may be around in case the device owner is not able to make a call for help, in case of an accident, for example. The Police or anyone around can find and call device owner's family and the medical personnel can know more about their health issues, allergies, medications and more to respond quickly during those critical moments. Warden prevents exposure of critical data and yet helps the right people get connected. (Though we have designed it, we hope none of our users ever have the need to use it.)
Warden handles local lock and remote lock differently. The user may want to lock their Treo locally, while it is with them, and yet continue to use it, like get alerts about their appointments, receive SMS and accept incoming calls. They can also make calls to the most Frequently Called Numbers. But when the Treo is lost, the device owner can lock their device remotely using the web (http://LockMyTreo.com). In this remotely locked state, the device behaves much differently. It will not present any alerts - Calendar or from new SMS messages and will also not ring on any incoming calls (except the ones that are defined to ring - like the owner himself trying to call the device). The entire section on ICE becomes inaccessible as the device is no longer with its rightful owner. Warden also provides options to conceal the name and email address of the device owner (which is normally presented on the local lock). The idea here again, is to present total confidentiality on 'who' the device belongs to and to discourage potential attacks (A device that was known to belong to personalities like Bill Gates, Larry Ellison or Steve Jobs is likely to generate more controversy and greater interest than an unknown reference).
If an attacker was to access a locked device, then they can click on Call Owner button to make a call or click on Call 911 button to make a 911 call. For a remotely locked device, the finder can click on a button to call some predefined number which may be designated by a company or an individual for lost and found reporting. While that call is in progress, *as in, the call has NOT yet connected*, then during that time, the attacker could try to explore information using the FIND option as stated in the article and may have access to that information for a very short time - UNTIL the call is connected! When the call makes the connection, Warden will restore the lock and the attacker would not be able to view that information anymore.
This is much different from Default Security Application (or mSafe, Butler and the like), where the attacker has access to that critical information BEFORE making the call and even after the call is through or
Warden provides total security for the device (as in Data and Voice). It is designed explicitly for the Palm Treo and operates on all recent Treo models (Palm 700P, 680, 650, 600 + Windows Mobile 750, 700W|WX). Warden provides fine granular control on the device behavior and helps the device owner get the much needed peace of mind on the status of the Treo (like it is locked, or unlocked) via email confirmation and more.
Warden is the *ONLY* solution that secures voice calls on Treo remotely. For example, when you have lost your Treo, the people in your world may not know about it and may try to reach you for business or otherwise. They may not be able to distinguish you by the voice that answers the call and have every reason to trust that it is you as they have initiated the call to you. With Warden, all inbound calls are blocked preventing any potential of fraud, which could lead to lack of faith and Trust."
So there you have it! Thanks Mr. Patel! I must say that Warden sounds like a wonderful security application to have on your Treo! I can tell from talking with Mr. Patel that he is very dedicated to the security of the Treo device.
This page shows some nice illustrated examples of Warden which explain the "Local Lock". This page explains the "Remote Lock".
If you'd like to check out Warden, head over to LockMyTreo.com and have a look. You can also find Warden in the TreoCentral Store. Look for a review of Warden from Jay coming soon.