08-04-2003, 07:00 PM
Contributing Editor Emeritus
Join Date: Aug 2006
Posts: 8,228
Handheld Devices Lack Security?
http://story.news.yahoo.com/news?tmpl=story&cid=581&ncid=581&e=1&u=/nm/20030802/tc_nm/tech_handhelds_dc
There have been a number of news articles over the past few days spurred by comments at DefCon last week. "Don't put any secure information on your PocketPC or your Palm," Glancey warned after a speech on the subject at DefCon, the largest annual computer security conference in the world. "They don't have any security features built in," he said.
They go on to speak of specific vulnerabilities in the PalmOS but don't really mention anything about the Pocket PC. I'm not sure how much of Glancey's comments are real and how much is sensationalist. Pocket PCs don't have any encryption built in, and if that is what he is referring to, it is a fair statement. To my knowledge though, you can't just sniff out a Pocket PC on your LAN and suck all of the information off of it. If you have a PIN on your Pocket PC, you can't even dock it with your PC and get the data via ActiveSync unless you know the PIN.
A PIN is a good security measure, especially the one on the Pocket PC. Time increases exponentially between guesses so after 15 guesses, you are having to wait 7-8 minutes before you can make another guess. After 24 guesses, you are having to wait days between guesses. Given there are 10,000 possible combinations using just a simple 4 digit PIN, unless you do something stupid like make it your year of birth, chances of someone getting your 4 digit PIN in 24 guesses are 1 in 417. Given it takes days to get there, I'll take those odds. It isn't like I have the nuclear launch codes or anything. If you have the strong alphanumeric PIN, it is close to impossible to guess.
Still, you need to encrypt some data. I keep my encrypted data in Ilium Software's eWallet for a few reasons. First, my PIN isn't always active. For convenience sake, I keep my PIN set to activate at one hour. Another reason is my eWallet file is synchronized to my PC, then my domain file shares and backed up on tape. I want to make sure that data is secure through all of those transmissions and on the various forms of media it is stored on. You can also use applications like Resco's File Explorer to encrypt specific files. For seamless encryption, you can use apps like Softwinter's Sentry 2020 for Pocket PC, which encrypts and decrypts on the fly as you use documents.
I think it is a bit chicken little to say you shouldn't put any confidential information on your Pocket PC, but you do need to take measures to ensure the data is safe, just as you do on your PC and corporate servers.
There are some other security related threads from June 2002 and September 2002. (All product links are affiliate links)
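Added example, not part of the original post: a small model of the PIN throttling described above. It assumes the wait doubles after every wrong guess (the post says only that it grows exponentially) and fits the base delay to the post's "7-8 minutes after 15 guesses" figure; the function names are hypothetical and this is not the Pocket PC's actual code.

```python
from fractions import Fraction

PIN_SPACE = 10 ** 4  # 4-digit numeric PIN, as in the post

# Assumption: the enforced wait doubles after each wrong guess.
# The base is fitted so the 15th wrong guess costs 7.5 minutes (450 s).
BASE_DELAY_S = 450 / 2 ** 15  # about 13.7 ms


def delay_after(n_wrong: int) -> float:
    """Seconds to wait after the n-th consecutive wrong guess."""
    return BASE_DELAY_S * 2 ** n_wrong


def total_wait(guesses: int) -> float:
    """Cumulative enforced wait before `guesses` attempts can all be made.

    The first attempt is free; attempt k waits out the delay
    triggered by the k-1 failures before it.
    """
    return sum(delay_after(n) for n in range(1, guesses))


def hit_probability(guesses: int, space: int = PIN_SPACE) -> Fraction:
    """Chance that `guesses` distinct guesses include a uniformly random PIN."""
    return Fraction(min(guesses, space), space)


def guesses_within(budget_s: float) -> int:
    """Number of attempts that fit in a time budget under the assumed schedule."""
    g = 1
    while total_wait(g + 1) <= budget_s:
        g += 1
    return g


if __name__ == "__main__":
    for n in (5, 15, 24):
        print(f"wait after wrong guess {n}: {delay_after(n):,.1f} s")
    p = hit_probability(24)
    print(f"24 guesses: 1 in {round(1 / p)}")
    week = 7 * 86400
    print(f"guesses possible in one week: {guesses_within(week)}")
```

Under this fitted schedule the wait after the 24th wrong guess comes out at about 2.7 days, which matches the post's "days between guesses", and a full week of attempts allows only 25 guesses.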
08-04-2003, 07:07 PM
Thinker
Join Date: Aug 2006
Posts: 333
And don't forget that iPaq with the thumbprint scanner. I would think that would fall under the realm of a security feature. I suspect the author based his entire speech on the lack of security in Palm, and then assumed that Pocket PCs would be similar.
08-04-2003, 07:11 PM
Editorial Contributor
Join Date: Jun 2007
Posts: 5,411
I always figured my Pocket PC doesn't have any more damaging material on it than my wallet. I treat it somewhat like my wallet. I don't leave it laying around loose, it goes in my pocket, I keep track of it. Beyond that I do use e-wallet to secure the extra sensitive stuff.
__________________
Sometimes you are the anteater, sometimes you are the ant.
08-04-2003, 07:21 PM
Theorist
Join Date: Jul 2003
Posts: 258
I think that you should be forced to wait only if the code was wrong. Imagine entering the right code on your PPC after someone tried to enter the wrong PIN and having to wait days for it to unlock :roll:
08-04-2003, 07:43 PM
Contributing Editor Emeritus
Join Date: Aug 2006
Posts: 8,228
Quote:
Originally Posted by easylife
I think that you should be forced to wait only if the code was wrong. Imagine entering the right code on your PPC after someone tried to enter the wrong PIN and having to wait days for it to unlock :roll:
|
The delay is almost nothing after the first 3-4 guesses. If you are into guess #5, I suspect you aren't the real owner. :wink: If someone did mess your PPC up the way you say, I'd be inclined to do a hard reset and just restore.
08-04-2003, 08:02 PM
Philosopher
Join Date: Apr 2004
Posts: 545
Sounds like he only knows about palms.....
While I will agree, there's no built in Encryption, it is very easy to add that. Sometimes your PPC comes with it (RescoFileExplorer comes with the iPaq 5555 and possibly other iPaqs). I also use the fingerprint scanner. I have had folks who are not me try to scan their print and it works like it should (although not to the erasure point). I tried F-Secure but it gave me problems when I was powering on. Sometimes I would not be able to access iTask when I was having these problems. Uninstalling it alleviated that. I currently use Resco to encrypt some files. I don't keep my CC info on ANY computer except the banks unless it's encrypted to the hilt. I do not keep the CC info on my PPC either.
08-04-2003, 08:06 PM
Sage
Join Date: Feb 2002
Posts: 784
Re: Handheld Devices Lack Security?
Quote:
Originally Posted by Ed Hansberry
Given there are 10,000 possible combinations using just a simple 4 digit PIN, unless you do something stupid like make it your year of birth, chances of someone getting your 4 digit PIN in 24 guesses are 1 in 417.
|
Whoop guess I better change my PIN...
__________________
T-Mobile Dash | HP iPAQ 4100 | HP iPAQ 2210 | HP iPAQ 1910 | Intermec 6651 | Toshiba E570 | Compaq iPAQ 3600 | Casio Pocket Viewer
08-04-2003, 10:12 PM
Thinker
Join Date: Jul 2003
Posts: 381
I don't know about other backup solutions, but the in ROM backup solutions in the Asus and the Jornada sucked. If you hard reset and restore, your PIN does not get restored. So it's no longer secure. However, I do realize Pocket Backup and other solutions do offer an encrypted backup... just commenting on the older PPCs. The only sensitive info I have is in eWallet anyway...
08-05-2003, 12:21 AM
Ponderer
Join Date: Mar 2004
Posts: 97
And of course storing confidential data in ROM or on storage card has to be a big no-no.
08-05-2003, 01:57 AM
Thinker
Join Date: Jul 2003
Posts: 443
Indeed. I have a flash card that I carry project files on. At the moment it's not where it should be...
So if anyone happens across a slick little silver compact flash reader with a cf card in it... email me or something... just be sure not to examine anything stored on it! There are things on there that are going to change the world.