Next: Password Decoding Details Up: Security Analysis of the Previous: Hardware

Retrieval of Passwords

Data can be extracted from portable devices by a number of methods: by reading raw memory on the device itself, or from the host system after the data has been backed up there. Such attacks can retrieve files containing potentially valuable data such as passwords and financial, medical, or other company or personal information. In officially sanctioned scans, the authors found that the passwords users chose to protect data on their PDAs were the same ones they used for critical corporate assets.

One example of a high-security application is medical data, which doctors increasingly store on portable devices in order to have immediate access to patient information. There have been recent incidents in which hospital intruders beamed large amounts of unprotected patient data from Palm OS devices. This could have been avoided with the proper use of passwords, encryption, and access control on the device.

History has shown the weaknesses of poorly chosen or poorly stored passwords, as in [17] and with the Morris Worm [19]. Users of portable devices, especially devices that have no keyboard and require character input with a pen, often choose short, easily guessable passwords, placing convenience over security. This opens the following scenario: malicious code determines the user's password on the local device and, when the device next connects to a network or another system, uses the user name and the now-known password to attempt access to other systems. This type of attack turns out to be disconcertingly successful.

An encoded block stored in the Unsaved Preferences database on the Palm OS device contains a reversible obfuscation of the user's system password [15]. The block is not only readable by any application on the device, but is also transmitted over the serial cable, the airwaves, and the network during a HotSync operation. This problem has been verified on Palm OS versions 3.5.2 and earlier.
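To make the distinction between a reversible obfuscation and real protection concrete, the following is an added example in Python; it is not code from the paper or from Palm OS. The XOR-against-a-constant encoding and its 32-byte key are hypothetical stand-ins for a reversible obfuscation (the actual Palm OS encoding is not shown here). Anyone who can read the stored block, whether an application on the device or a listener on the HotSync link, can invert it with the same constant. The second half shows the contrast with a salted, iterated one-way verifier: the device can still check a password, but the stored record does not give the password back.

```python
import hashlib
import hmac
import os
from typing import Optional

# Hypothetical constant key, constructed for this example. A real product that
# ships such a key with its software gives every reader of the block the key.
OBFUSCATION_KEY = bytes(range(0x11, 0x11 + 32))


def obfuscate(password: bytes) -> bytes:
    """Reversible encoding (stand-in): XOR each password byte with the constant key."""
    if len(password) > len(OBFUSCATION_KEY):
        raise ValueError("password too long for this toy scheme")
    return bytes(p ^ k for p, k in zip(password, OBFUSCATION_KEY))


def recover(block: bytes) -> bytes:
    """What any code that can read the preference block can do: apply the
    same constant again and the plaintext password falls out. The block may
    have been read from the device or captured during a sync; it is the same bytes."""
    return bytes(b ^ k for b, k in zip(block, OBFUSCATION_KEY))


SALT_LEN = 16


def make_verifier(password: bytes, salt: Optional[bytes] = None,
                  iterations: int = 100_000) -> bytes:
    """One-way alternative: store salt || PBKDF2-HMAC-SHA256(password, salt).
    The password cannot be read back from this record."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d bytes" % SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return salt + digest


def check_password(record: bytes, candidate: bytes,
                   iterations: int = 100_000) -> bool:
    """Verify a candidate against the stored record without ever storing the
    password itself. Constant-time compare avoids leaking the digest byte by byte."""
    salt, digest = record[:SALT_LEN], record[SALT_LEN:]
    computed = hashlib.pbkdf2_hmac("sha256", candidate, salt, iterations)
    return hmac.compare_digest(digest, computed)


if __name__ == "__main__":
    pw = b"s3cret"                      # constructed sample password
    block = obfuscate(pw)              # what the "preferences database" holds
    print("stored block:", block.hex())
    print("recovered by any reader:", recover(block))
    record = make_verifier(pw)
    print("one-way record:", record.hex())
    print("verifies:", check_password(record, pw), "wrong pw:", check_password(record, b"S3cret"))
```

The recovery step needs nothing but read access to the block, which is exactly the access the text says every application on the device (and every observer of a HotSync) has. With the one-way record, a reader who wants the password is reduced to guessing, and the iteration count makes each guess cost a full PBKDF2 computation.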

Kingpin
2001-05-09