Treo Security Alert
According to InfoWorld, there is a Treo security bypass vulnerability that Palm has neglected to address.

“Palm OS Treo smartphones are equipped with a system password lock to secure contents of handheld data from unauthorized access. When this lock is engaged, Treo’s built-in Find feature is still accessible [via the Make Emergency Call screen] and can be used to perform searches on text in Treo applications and databases (e.g. SMS Messages, Memos, Calendar, Tasks, etc). Search results are accessible, and depending on their size, may be truncated. An attacker may use this vulnerability to retrieve information from a locked device.”

For those concerned about security, this vulnerability may be meaningful. We decided to explore the issue further, and learned that the Treo security application is no different from the one found on other Palm devices like the entry-level Palm Zire or Tungsten. There is basically no difference between the security application on the new Treo 680 and the locking application on the 6-year-old Palm m505.

We looked at the third-party security applications that we had reviewed back in April 2006 and checked them against this vulnerability. mSafe is an enabler for the default security application; it does not have its own security control, so it is vulnerable. TealLock does not provide options for making outbound calls, so the vulnerability does not exist there. Warden provides options to make calls from a locked device, and successfully blocks the vulnerability.

[Image: wardenimg1.gif]

If you are in the market for a security application, you may want to check out the new Warden update. (If you are a Warden customer, we highly recommend installing the new version.) On the Warden lock screen, there is now an option to “Call Owner,” which may be used by a device finder to reach you in the event the phone is misplaced. It connects to your pre-assigned number without allowing additional access to the phone application. When the call is initiated, control is transferred to the phone application briefly, but Warden immediately reclaims its lock over the phone, preventing access to data and closing the security hole.

Warden now differentiates between its local lock and remote lock. During a local lock, it receives alerts, messages and phone calls, and also permits you to make calls to frequently called numbers without having to unlock the device. When the device is remotely locked, Warden secures your Treo totally, including for phone and data. All incoming calls are greeted by voice mail. That way you have the access that you need while the device is in your hands, but can totally lock down in the event the device vanishes.

[Image: wardenimg2.gif]

If the device vanishes and you send the locking command remotely, callers will not know your device was lost or misplaced because they will receive your voice mail, and Warden prevents unauthorized users from answering your inbound calls. Warden also has an option to permit calls from the owner to ring on the device to facilitate communication with the device finder.
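To make the difference between the stock lock and the behaviour described above concrete, here is an added example (not code from this post, from Palm, or from Corsoft). It models the two designs: the stock Palm OS lock, where any action exposed by a reachable screen is implicitly allowed (which is how Find becomes reachable through the Make Emergency Call screen), and a deny-by-default allowlist with separate local and remote lock modes. The mode names, the screen-to-action table, and the allowlists are constructed for illustration and are not the real OS or Warden configuration.

```python
from enum import Enum


class LockMode(Enum):
    """Constructed lock states: the local/remote split mirrors the post's description."""
    UNLOCKED = "unlocked"
    LOCAL_LOCK = "local"      # device is in the owner's hands
    REMOTE_LOCK = "remote"    # owner has sent the remote lock command


# Screens reachable while locked and the actions each screen happens to expose.
# Constructed model: the emergency-call screen also exposing Find is the
# behaviour the InfoWorld advisory describes.
SCREEN_ACTIONS = {
    "emergency_call_screen": {"emergency_call", "find"},
    "call_owner_screen": {"call_owner"},
    "favorites_screen": {"call_favorite"},
    "incoming_call_screen": {"answer_call"},
}

# What the stock lock lets a user reach without a password.
STOCK_LOCKED_SCREENS = {"emergency_call_screen"}


def stock_lock_permits(action: str) -> bool:
    """Stock design: reachability is the policy. Anything a reachable screen
    exposes is allowed, whether or not it was ever meant to be."""
    return any(action in SCREEN_ACTIONS[s] for s in STOCK_LOCKED_SCREENS)


# Hardened design: an explicit allowlist of actions per lock mode.
# None means "everything" (the device is unlocked).
ACTION_ALLOWLIST = {
    LockMode.UNLOCKED: None,
    LockMode.LOCAL_LOCK: {"emergency_call", "call_owner", "call_favorite", "answer_call"},
    LockMode.REMOTE_LOCK: {"emergency_call", "call_owner"},
}


def hardened_permits(mode: LockMode, action: str) -> bool:
    """Deny by default: an action is allowed only if the current mode lists it."""
    allowed = ACTION_ALLOWLIST[mode]
    return True if allowed is None else action in allowed


def route_incoming_call(mode: LockMode) -> str:
    """Remote lock sends callers to voice mail; local lock lets the phone ring."""
    return "ring" if hardened_permits(mode, "answer_call") else "voicemail"


def audit(mode: LockMode) -> list:
    """List actions the stock lock exposes that the allowlist would deny in this mode."""
    exposed = set().union(*(SCREEN_ACTIONS[s] for s in STOCK_LOCKED_SCREENS))
    return sorted(a for a in exposed if not hardened_permits(mode, a))


if __name__ == "__main__":
    print("stock lock permits Find:", stock_lock_permits("find"))
    for mode in (LockMode.LOCAL_LOCK, LockMode.REMOTE_LOCK):
        print(mode.value, "lock: denied =", audit(mode),
              "| incoming call ->", route_incoming_call(mode))
```

The point of the model is that the stock design has no policy at all, only whatever the emergency-call screen happens to expose; the allowlist makes the permitted set explicit per mode, so a new lock-screen feature (Call Owner, favourites) cannot silently widen what a finder can do.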

Warden also has a very comprehensive set of options to secure the Treo quickly. For remote locking, there is a well-defined interface at LockMyTreo.com. Our Treo locked in less than 10 seconds, and we received email confirmation messages about the lock request and an acknowledgment confirming the Treo was locked.

Do you have any recent experiences with a good security application? Let us know about them!

Related Links

Warden Security

TealLock

mSafe

Security Application Comparison Review


11 Responses to “Treo Security Alert”

  1. TealLock 6 has an option to allow you to make an outgoing phone call while it is locked.

    However I have tested this security problem against TealLock 6 and found it was secure :-)

  2. Warden sounded pretty good, until I visited their web site. I tried to find out how much it cost, but when I clicked “Buy Now” Opera warned me that their secure server was using an insecure short key. I accepted that anyway only to be told my browser was incompatible and I should use IE, probably the least secure browser on my PC! Sorry, Corsoft, you lose.

  3. Since Warden is hosted here on mtdn with its own Star Developer forum, you should have just stayed here for your research and purchase.

  4. I just simply don't put anything on my phone that I’m not willing to part with. I mean come on phone security??? What is there someone out there that wants to hack my treo and call my mom? Look if you want to buy something online wait until you get home and do it on your computer. Otherwise hang on to your treo for dear life and never let it out of your sight. Now that’s treo security!!!

  5. Looks like it’s about time for my annual quest to find a decent PalmOS security program to begin again. Last year I was amazed at how easy it was to defeat Warden and the rest, despite their claims. The basic problem appears to be that the Treo is simply a cell phone grafted onto a PDA OS, and allowing the phone to operate at all opens up easy ways to defeat the PDA’s (already weak) security. Maybe it’s the single tasking - open up one app (phone) and it can’t prevent you from changing via one of the menus to another program - and you’re free. Also, I wonder if the SMS does a “Zero-Out” reset, or just a “hard reset”? If I understand the “hard reset” properly, there is still the ability to pull data out of the NVFS with proper tools. Anyone carrying super-confidential data has vulnerability. Until proven otherwise, I’m agreeing with jman46241 that the “physical security” layer is about all you can trust.

  6. LMBO!! This is pure hype.. It’s true that you can search from the make an emergency call screen, but anyone in the world that doesn’t lock down individual files with sensitive information (totally possible in memopad, phonebook etc. etc.) is a fool. The “hack” mentioned here will NOT search through password protected individual files. If you purchase an expensive upwardly mobile phone and don’t read the instructions that’s your own fault lol.

    Another lamo lmao story.

  7. I read the article with interest and immediately set out to check the concern on my Treo 650. On my phone, any information or data, which I consider sensitive, is marked as private. Doing a find search, it did not reveal any of my protected information. Now, it may be that one is able to get around a “simply” password protected/locked phone, but it appears that the individually marked “private” info remains protected. I haven’t tried to “break in” to my phone after my time-activated locking kicks in, but I will certainly test it and report the result.

  8. Thanks Alli. I know mytreo is a great place to buy software. My point was that Corsoft are expecting me to trust their software to secure my device, while being unable to secure their own commerce server and forcing me to use a browser with a known poor security track record…

  9. Come on folks, this is not really a security weakness. Your Treo is a valuable asset in its own right - don’t let it out of your sight! It’s meant to replace your old-fashioned filofax and is far more secure than that. If you leave confidential information unencrypted on something pocket-sized, keep it in your pocket!
    Calling this a security weakness is like suing Yale if you get burgled after losing your keys.

  10. Holy crap. I decided to install Warden on my Treo 650, but once installed, I received a “Fatal Error” after rebooting.

    And now I can’t remove Warden! It’s in a reset loop when I try to open it! (“Warden wants to do a soft reset now” reset, open Warden, “Warden wants to do a soft reset now” repeat). So hence I can’t follow the special uninstall instructions at the Warden website. Don’t remove app first, like you normally would!

    With this reset loop, I tried to erase all my Treo data and rebuild from a back-up program. Argh, it’s still there! Another reset loop with Warden. Let the @#$ go! What a waste of an afternoon!

    I can’t say I’d reinstall this program for some time. What an unnerving experience. Or next time, I’ll read the manual.

    BTW, the site’s FAQ “pop-downs” do not open in Firefox 1.5! I had to open the site in Gates Explorer….

  11. Thank you all for your candid comments. I greatly appreciate it.

    The best case of security is always user education. If one understands the risks of having their device and data in wrong hands and how that would affect them or the people they know, then they can do what it takes to protect themselves from it.

    jman46241 brought out an interesting point: “Will the lost person call my mom?” I am not sure what that person may or may not do but regardless, would your mom like it?

    One user (name withheld on request) found his entire phone data posted on the net after his device was lost. He reported his lost phone so it was blocked from making calls and he also got a replacement phone with same number. He thought much the same way - why would anyone call him? What would they gain from calling him? Blame it on VOIP evolution but he got calls at weird hours of the day and not all callers spoke in English! His wife (her phone number was among the ones posted on net) also received these calls. This user believes that most of his contacts were abused in much the same way by phone and email. Caller id in most cases showed a US-based number and was different most of the time. One can imagine what they went through. They changed their contact details but a year later, they were still not over it!

    I am sure that not everybody who loses their phone goes through such an ordeal. This user did not expect it either! The phone he lost was not a Treo but he now uses one and has been very protective of it. We can live and learn from his mistake!

    Now with this information on hand, would you like your mom to go through this ordeal? Your mom, wife or girl friend, and other contacts should not suffer just because you lost your Treo, right?

    Warden also protects you for all your inbound phone calls. If your Treo is lost and you lock it remotely, then people who try to reach you get directed to your voice mail. In such cases, Warden does not provide the option to answer your incoming call. This prevents the device finder from having the option to impersonate you which may lead to loss of trust and/or business. Your callers may or may not be able to identify your voice and will have more reasons to believe it is you since they called you!

    Again, these possibilities may not apply to you or you may never lose your Treo. But then there are people who have lost their phones. And then there are people who have lost their car keys, prescription glasses, cameras and other valuables! Depending on the part of the world you live or travel in, you are subject to risks. We consider it as our job to help and educate users with mobile devices. We want you to know that options exist to help you minimize your risks.

    While I promote security, I would clarify that having [any] security solution does not guarantee protection. For example, if your Treo has a very weak password then your device may be compromised quickly. If you enforce a super secure environment with strong password that engages itself when the device screen shuts off, then you will find yourself being counter productive. I am willing to bet that most users will not last one day with that configuration. With Warden, you have options that help you get protection you need without compromising your productivity.

    Request for mrpeabody: Please meet us in our forum here (Corsoft - Warden Security) or drop in a line to our support mailbox (solutions[at]corsoft[dot]com). We will do all we can to help. Treo has many third party solutions and it is possible that some of these may conflict with Warden causing the reset. We regret the inconvenience caused but if you give us a chance, we will be glad to help.

    Thanks to andrewg_oz: Yes, we could do better. Our focus has been on Treo and how we could make that experience better for our users. But what matters to our users, matters to us! I appreciate your bringing this out to our attention.

    We invite you all to explore and learn all security solutions. If there is anything we can do to help, please do let us know. Again, thank you for your contribution here. Your feedback helps tremendously.

    P.S. Pardon the long post but I hope it is informative.
