On Jun 3, 2004, at 9:50, Tyler Durden wrote:

Actually, this is really my threat model. What I really want to know is that, given the above possibility, is there a "fire wall" for a PDA for this kind of attack? (Yes I know it's possible to put a Password on stuff in your Palm, BUT I bet that would be about as valuable as WEP...)

(Note, I'm not familiar with the changes in Palm OS 5, so all this would apply to 4.x and prior).


The built-in security on Palm OS is notoriously hideous. The password to protect your Palm databases really just translates to a bit in the header section of the database that applications are supposed to check for and respect.

One thing you can do to help protect yourself from this threat is use PGP for Palm. It's not perfect, but it does add a decent layer of security, and I think would normally stop this kind of attack (given a good passphrase for PGP, of course). The way PGP for Palm works is you select all your databases you want encrypted, and it encrypts them. When you want to access any one of them, you enter your passphrase and it decrypts them all, until you turn the unit off, at which time it re-encrypts all of them. This seems to work pretty well (it's not as slow as it sounds... you barely notice any lag time when it's decrypting). When you are done using your secret data (and preferably before you run any other potentially trojanized programs), you turn off your unit. If someone finds a way to steal your data (via mugging, via trojan, via beaming magic, whatever), it'll be the encrypted version.
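An added illustration, not part of the original message: a small audit that parses a Palm database image and reports which records carry the "private" flag while their contents sit in the file unchanged. It assumes the bit referred to above is the per-record secret attribute (0x10) in the record list of the classic PDB file layout; the sample database and its contents are constructed for the example.

```python
import struct

# Classic Palm database (PDB) layout, assumed here: a 78-byte header followed
# by one 8-byte entry per record (offset, attribute byte, 3-byte unique ID).
HEADER = struct.Struct(">32sHHIIIIII4s4sIIH")
ENTRY = struct.Struct(">IB3s")
REC_ATTR_SECRET = 0x10  # per-record "private" flag (assumed: dmRecAttrSecret)


def build_sample_pdb(records):
    """Build a constructed PDB image from (is_private, payload) pairs."""
    data_start = HEADER.size + ENTRY.size * len(records) + 2  # 2 pad bytes
    header = HEADER.pack(b"SampleDB", 0, 1, 0, 0, 0, 0, 0, 0,
                         b"DATA", b"demo", 0, 0, len(records))
    entries, body, offset = b"", b"", data_start
    for uid, (private, payload) in enumerate(records, start=1):
        attr = REC_ATTR_SECRET if private else 0
        entries += ENTRY.pack(offset, attr, uid.to_bytes(3, "big"))
        body += payload
        offset += len(payload)
    return header + entries + b"\x00\x00" + body


def audit_private_records(image):
    """Return (index, flagged_private, payload) for every record.

    The flag is only metadata: the payload bytes are stored unchanged, so a
    reader that ignores the flag sees the same plaintext as one that honours it.
    """
    num_records = HEADER.unpack_from(image, 0)[-1]
    entries = [ENTRY.unpack_from(image, HEADER.size + i * ENTRY.size)
               for i in range(num_records)]
    offsets = [e[0] for e in entries] + [len(image)]
    return [(i, bool(attr & REC_ATTR_SECRET), image[offsets[i]:offsets[i + 1]])
            for i, (_, attr, _) in enumerate(entries)]


# Constructed sample: one ordinary record and one marked private.
SAMPLE = build_sample_pdb([(False, b"lunch at noon\x00"),
                           (True, b"constructed secret note\x00")])

if __name__ == "__main__":
    for index, private, payload in audit_private_records(SAMPLE):
        status = "PRIVATE flag set, stored in plaintext" if private else "public"
        print(index, status, payload)
```

Run against a backup of a database after encrypting it, the same audit should show payloads that are no longer readable text, which is the property the encryption layer adds and the flag does not.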


