Re: Palm Hack?

2004-06-05 Thread John Kelsey
I think the notion of someone using your IR beaming capacity against your will is at 
least a possible threat (imagine what happens if I get a trojan onto your Palm that's 
supposed to leak data--it could just listen on the IR port, and hand over your data 
when I get it the right message.)  Some people tape a piece of aluminum foil over the 
IR port of their Palm to make this class of attacks harder.  

--John



Re: Palm Hack?

2004-06-05 Thread Bill Stewart
At 07:50 AM 6/3/2004, Tyler Durden wrote:
> Anybody know of apps that allow someone to hack somebody else's Palm?
PalmOS doesn't have useful memory protection,
so if you can get somebody to run a trojan application, they're potentially 
toast.
If you can't, then you're limited to whatever the existing applications do
with the data that you hand them.
Many applications are well written, protect themselves against oversized
or other malicious input, and will only do what their authors expect.
Other applications are poorly written schlock that leave a gun barrel
aimed at your foot waiting for you to shove bullets in them.

> Specifically, say you are beaming or receiving a beam from someone else's
> Palm, but you'd like to know much more than what they had planned on
> beaming you. So you actually beam them an app that takes their phonebook
> and calendar and dumps it out to you.
I'd be extremely surprised if the primary Palm beaming apps
(including builtins and beambox) are that naive, but you never know.
Partly this is because they're tolerably well written,
and partly because the early Palm Pilots didn't have much memory,
so the obvious data structures for handling most objects
are annoyingly small and don't give you ways to get past their boundaries,
and most of that clunkiness is still there in the APIs.
Another possible way in is email, if your victim downloads email to a Palm
and runs it with an insecure application.
Another way that the Palm accepts application data is hotsync -
if you can put malicious data into the Windows feed for somebody's Palm,
such as downloadable programs, you might be able to get them installed.
Fortunately, Windows is perfectly secure but the wetware isn't.
"Dude!  Here's a really cool Palm Screen Saver!  Dancing Pigs and 
Everything!"

> Actually, this is really my threat model. What I really want to know is
> that, given the above possibility, is there a "fire wall" for a PDA for
> this kind of attack?
Certainly not on the Dragonball machines.
Not sure if they've improved on newer machines, but without memory protection,
any broken application makes it theoretically possible to break the machine.
So don't run broken applications that accept input from outside.
> PS: I'm also wondering if it's possible to force-beam info out of a
> sleeping Palm that's in a coat pocket or whatever.
Think about what you just suggested.
Beaming isn't something magic, it's a medium for programs to send bits
to other programs with some format for what to do with them.
If your would-be victim's Palm is asleep, it's not listening for IR.
If you Google for "PalmOS Virus", you'll find references to one PalmOS virus
that somebody cobbled together, though I'm not sure it actually spread in the wild,
and a trojan that masquerades as a Gameboy emulator program.
But most of the viruses for Palm, like most Unix viruses,
run on the Honor System, like the "IBeamYou" address book entry.




Re: Palm Hack?

2004-06-05 Thread Morlock Elloi
> If there's any kind of leakage bias, then a high-powered signal might get a 
> few bits through. After that, only a Palm OS expert will know if there's 
> some kind of signal that can tease the Palm awake and then get it to swallow 
> some kind of trojan.

Bits are not marbles that exist outside the receiver's experience. Bits are tokens of
agreement between sender and receiver.

If the receiver (including the analog PHY) is powered down/idle/inactive, it's hard to
imagine that bits could be stored in the analog capture device to be retrieved
later. Actually, one bit can be stored, the Last Bit. That one is stored by
shining a few watts into the receiving element, blinding it forever.



=
end
(of original message)

Y-a*h*o-o (yes, they scan for this) spam follows:







Re: Palm Hack?

2004-06-05 Thread Tyler Durden
"Think about what you just suggested.
Beaming isn't something magic, it's a medium for programs to send bits
to other programs with some format for what to do with them.
If your would-be victim's Palm is asleep, it's not listening for IR."
Well, some of your other answers are good enough that I suspect I don't 
understand you.
The IR port on a palm is, I assume, a combination IR diode and some sort of 
receiver. When the IR port is ready to receive a beam, clearly there's a DC 
bias that goes up across the receive circuitry to allow it to receive and 
amplify the signal. The questions here are: 1) Does this bias go away when 
the non-sleeping Palm is not ready to receive a beam? 2) When the unit is 
off, does the bias go fully to zero, or is there some leakage bias?

If there's any kind of leakage bias, then a high-powered signal might get a 
few bits through. After that, only a Palm OS expert will know if there's 
some kind of signal that can tease the Palm awake and then get it to swallow 
some kind of trojan.

Frankly, however, I consider this unlikely, but I am unfamiliar enough with 
Palm OS as to consider it within the realm of possibility.

-TD

From: Bill Stewart <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: Palm Hack?
Date: Fri, 04 Jun 2004 16:16:37 -0700
At 07:50 AM 6/3/2004, Tyler Durden wrote:
> Anybody know of apps that allow someone to hack somebody else's Palm?
PalmOS doesn't have useful memory protection,
so if you can get somebody to run a trojan application, they're potentially 
toast.
If you can't, then you're limited to whatever the existing applications do
with the data that you hand them.
Many applications are well written, protect themselves against oversized
or other malicious input, and will only do what their authors expect.
Other applications are poorly written schlock that leave a gun barrel
aimed at your foot waiting for you to shove bullets in them.

> Specifically, say you are beaming or receiving a beam from someone else's
> Palm, but you'd like to know much more than what they had planned on
> beaming you. So you actually beam them an app that takes their phonebook
> and calendar and dumps it out to you.
I'd be extremely surprised if the primary Palm beaming apps
(including builtins and beambox) are that naive, but you never know.
Partly this is because they're tolerably well written,
and partly because the early Palm Pilots didn't have much memory,
so the obvious data structures for handling most objects
are annoyingly small and don't give you ways to get past their boundaries,
and most of that clunkiness is still there in the APIs.
Another possible way in is email, if your victim downloads email to a Palm
and runs it with an insecure application.
Another way that the Palm accepts application data is hotsync -
if you can put malicious data into the Windows feed for somebody's Palm,
such as downloadable programs, you might be able to get them installed.
Fortunately, Windows is perfectly secure but the wetware isn't.
"Dude!  Here's a really cool Palm Screen Saver!  Dancing Pigs and 
Everything!"

> Actually, this is really my threat model. What I really want to know is
> that, given the above possibility, is there a "fire wall" for a PDA for
> this kind of attack?
Certainly not on the Dragonball machines.
Not sure if they've improved on newer machines, but without memory protection,
any broken application makes it theoretically possible to break the machine.
So don't run broken applications that accept input from outside.

> PS: I'm also wondering if it's possible to force-beam info out of a
> sleeping Palm that's in a coat pocket or whatever.
Think about what you just suggested.
Beaming isn't something magic, it's a medium for programs to send bits
to other programs with some format for what to do with them.
If your would-be victim's Palm is asleep, it's not listening for IR.
If you Google for "PalmOS Virus", you'll find references to one PalmOS virus
that somebody cobbled together, though I'm not sure it actually spread in the wild,
and a trojan that masquerades as a Gameboy emulator program.
But most of the viruses for Palm, like most Unix viruses,
run on the Honor System, like the "IBeamYou" address book entry.





Re: Palm Hack?

2004-06-05 Thread bgt
On Jun 3, 2004, at 9:50, Tyler Durden wrote:
> Actually, this is really my threat model. What I really want to know
> is that, given the above possibility, is there a "fire wall" for a PDA
> for this kind of attack? (Yes I know it's possible to put a Password
> on stuff in your Palm, BUT I bet that would be about as valuable as
> WEP...)
(Note, I'm not familiar with the changes in Palm OS 5, so all this 
would apply to 4.x and prior).

The built-in security on Palm OS is notoriously hideous. The password 
to protect your Palm databases really just translates to a bit in the 
header section of the database that applications are supposed to check 
for and respect.

One thing you can do to help protect yourself from this threat is use 
PGP for palm.  It's not perfect, but it does add a decent layer of 
security, and I think would normally stop this kind of attack (given a 
good passphrase for PGP, of course).   The way PGP for Palm works is 
you select all your databases you want encrypted, and it encrypts them.
When you want to access any one of them, you enter your passphrase and
it decrypts them all, until you turn the unit off at which time it 
re-encrypts all of them.  This seems to work pretty well (it's not as 
slow as it sounds... you barely notice any lag time when it's 
decrypting).  When you are done using your secret data (and preferably 
before you run any other potentially trojanized programs), you turn off 
your unit.  If someone finds a way to steal your data (via mugging, via 
trojan, via beaming magic, whatever), it'll be the encrypted version.
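The two mechanisms bgt contrasts, as an added example that is not part of the thread and is not PGP for Palm's code: a "secret" bit in a record header that well-behaved applications are supposed to honour, beside a passphrase-locked store in which the records are only readable after unlocking and are thrown away again on lock (the post's "turn the unit off"). `ATTR_SECRET`, the `Record` layout and the two application views are hypothetical. The cipher is a constructed demonstration built from the standard library (PBKDF2-derived keys, an HMAC-SHA256 counter-mode keystream and an HMAC tag), chosen so the block runs offline; a real product would use a vetted AEAD such as AES-GCM instead.

```python
"""Advisory 'secret' bit versus encryption at rest (added example, not PGP for Palm)."""
import hashlib
import hmac
import os

ATTR_SECRET = 0x10   # hypothetical header flag standing in for the bit the post describes


class Record:
    """One database record: an attribute byte plus the body (hypothetical layout)."""
    def __init__(self, attrs: int, body: bytes):
        self.attrs = attrs
        self.body = body


def polite_app_view(db):
    """A well-behaved application hides records whose secret bit is set."""
    return [r.body for r in db if not (r.attrs & ATTR_SECRET)]


def careless_app_view(db):
    """Nothing enforces the bit: any program that reads the database sees everything."""
    return [r.body for r in db]


# ---- passphrase-locked store; demonstration cipher, not a production design ----

def _derive_keys(passphrase: str, salt: bytes):
    material = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, 64)
    return material[:32], material[32:]          # (encryption key, MAC key)


def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), "sha256").digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class LockedStore:
    def __init__(self, passphrase: str, records):
        self._salt = os.urandom(16)
        enc_key, mac_key = _derive_keys(passphrase, self._salt)
        self._blobs = [self._seal(enc_key, mac_key, r) for r in records]
        self._plain = None                       # None means locked

    @staticmethod
    def _seal(enc_key, mac_key, rec):
        nonce = os.urandom(16)
        ct = _xor_keystream(enc_key, nonce, bytes([rec.attrs]) + rec.body)
        tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
        return nonce + ct + tag

    @staticmethod
    def _open(enc_key, mac_key, blob):
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(mac_key, nonce + ct, "sha256").digest()
        if not hmac.compare_digest(expected, tag):
            return None                          # wrong key or tampered blob
        pt = _xor_keystream(enc_key, nonce, ct)
        return Record(pt[0], pt[1:])

    def unlock(self, passphrase: str) -> bool:
        enc_key, mac_key = _derive_keys(passphrase, self._salt)
        opened = [self._open(enc_key, mac_key, b) for b in self._blobs]
        if any(r is None for r in opened):
            return False                         # stay locked on a bad passphrase
        self._plain = opened
        return True

    def lock(self):
        """The post's 'turn the unit off': plaintext is discarded."""
        self._plain = None

    def is_locked(self) -> bool:
        return self._plain is None

    def records(self):
        if self._plain is None:
            raise PermissionError("store is locked")
        return self._plain

    def raw_blobs(self):
        """What a program that copies the database off the device gets while locked."""
        return list(self._blobs)


if __name__ == "__main__":
    # Constructed sample database: one ordinary record, one marked secret.
    db = [Record(0, b"Alice 555-0100"), Record(ATTR_SECRET, b"Bob 555-0199")]
    print(polite_app_view(db), careless_app_view(db))
    store = LockedStore("correct horse battery", db)
    print(store.unlock("wrong"), store.is_locked())
    print(store.unlock("correct horse battery"), [r.body for r in store.records()])
    store.lock()
```

The contrast is in the two views at the top against `raw_blobs()` at the bottom: the secret bit changes nothing about what is stored, only what a cooperating application chooses to display, whereas the locked store leaves a careless reader with ciphertext and authentication tags and nothing else. The window bgt describes is visible too: between `unlock()` and `lock()` every record is in the clear, which is why the post advises locking before running anything untrusted.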