  1. kin
       #1  
    I have discovered a way to unhide all hidden items without entering the password.

    If you use Easylaunch 0.16 and the toggle private records function, it seems to be able to unlock the Treo without having to enter a password.

    This is potentially a huge security problem for the Treo.

    Can someone please confirm that it is not a software issue on my Treo only but a generic issue affecting all?
  2. #2  
    There is no real security on any PalmOS device as it comes out of box. Anyone can take your device and sync it on their machine and they would have access to all your "private" records.

    If you want better security you will have to encrypt your documents and even then it is questionable since the key has to reside on the PalmOS device somewhere.

    Jeff.
  3. #3  
    If you want better security you will have to encrypt your documents and even then it is questionable since the key has to reside on the PalmOS device somewhere.
    Encryption is something I know nothing about. However it seems like any encryption scheme would fall victim to your observation if it were true. Isn't there only one key that will decode encrypted data so that it becomes the same data that was put into it? Why would this key necessarily have to be stored on the device. Please elaborate.

    --Kurt
  4. #4  
    Originally posted by KRamsauer


    Encryption is something I know nothing about. However it seems like any encryption scheme would fall victim to your observation if it were true. Isn't there only one key that will decode encrypted data so that it becomes the same data that was put into it? Why would this key necessarily have to be stored on the device. Please elaborate.

    --Kurt
    Sorry, I should have said some of the encryption programs for the Palm store the key on the PalmOS device.

    If you encrypt something with a key, you need that key in order to decrypt the data again.

    There are several types of encryption algorithms. Some generate complex binary keys which are not stored in "human readable" form so they must be stored on the device so the application can read the key and decrypt the data. Others are generated using a passphrase so you don't need to store it on the device, the person would have to enter the "passphrase" every time and it would then decrypt the data. Usually in this case, people do not choose strong passphrases especially on a Palm that uses Graffiti because it takes time to enter. In this case the key is not stored on the device but can be guessed without too much difficulty using a computer to attack the data. Others create a binary key on the device but then protect it with a passphrase so you need the passphrase to decrypt the key which is then used to decrypt your data. Either way, your data is much more safe using an encryption program of some sort than using the "private" flag.

    It all depends on how the author of the application writes it. But my point was that anyone relying on the regular "private" record feature of the PalmOS should expect that anyone can read their records with minimal work.

    Jeff.
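Added example, not part of the original post and not taken from any Palm application: a sketch of the third design described in post #4, where a random binary key lives on the device only in passphrase-protected form. The function names, the iteration count and the blob layout are assumptions, and the XOR mask stands in for a real key-wrap cipher such as AES Key Wrap because the Python standard library has no AES.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000   # assumed work factor; slows every passphrase guess
KEY_LEN = 32


def _derive(passphrase, salt):
    """Stretch the passphrase, then split it into a masking key and a MAC key."""
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS)
    mask = hmac.new(kek, b"mask", hashlib.sha256).digest()
    mac_key = hmac.new(kek, b"mac", hashlib.sha256).digest()
    return mask, mac_key


def wrap_key(passphrase, data_key):
    """Return the only thing stored on the device: salt || masked key || tag."""
    if len(data_key) != KEY_LEN:
        raise ValueError("data key must be 32 bytes")
    salt = os.urandom(16)          # fresh salt, so the mask is never reused
    mask, mac_key = _derive(passphrase, salt)
    masked = bytes(a ^ b for a, b in zip(data_key, mask))
    tag = hmac.new(mac_key, salt + masked, hashlib.sha256).digest()
    return salt + masked + tag


def unwrap_key(passphrase, blob):
    """Recover the data key, or None if the passphrase is wrong or the blob was altered."""
    salt, masked, tag = blob[:16], blob[16:48], blob[48:]
    mask, mac_key = _derive(passphrase, salt)
    expected = hmac.new(mac_key, salt + masked, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(masked, mask))


if __name__ == "__main__":
    data_key = os.urandom(KEY_LEN)                  # the "complex binary key"
    stored = wrap_key("long passphrase typed at unlock", data_key)
    print("blob on device:", stored.hex())
    print("unlock ok:", unwrap_key("long passphrase typed at unlock", stored) == data_key)
    print("wrong passphrase:", unwrap_key("guess", stored))
```

The data key never sits on the device in usable form, but the protection is still only as strong as the passphrase, which is the trade-off the post points out.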
  5. Q
    #5  
    There are also some systems (like the program Matrix, inspired by the movie) that use the buttons--you set a sequence of the 4 hard buttons, and then push that sequence to unlock it.
  6. #6  
    Out of the box, the only secure way to protect your data is to use the security application to 'turn off and lock' your device. Private records are not private to a knowing hacker who has any database tools like RsrcEdit. Private records are not encrypted in any way but simply marked as private. The OS won't show them but other data tools will allow you to browse these records. Turn off and lock prevents any access to the handheld. The only way past it is to hard reset the handheld.

    It is a lot more convenient to use a secure repository like SplashID for all your PINs and private info. It behaves a bit like Macintosh KeyChain application. One key gets you in to all the private records and snoops cannot get to the data without the key as it stores everything in encrypted format.

    If you are really paranoid, you can set your Treo to always lock when it auto-offs and also encrypt your data. It will seem like a pain only until you lose the device and know that your secret stuff is all securely hidden away.

    PS it is always a good idea to set the Owner Preference so that if an honest person finds your Treo, you will get a phone call or have it mailed to you. It is the text you see when you turn on a password locked Treo.
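Added example, not part of the original post: post #6 says private records are only marked, not encrypted. The sketch below builds a small Palm database (PDB) image in memory and reads it back, showing that the private marker is one attribute bit in the record index and the payload is stored as-is. The database name, type/creator codes and record contents are constructed sample values.

```python
import struct

PDB_HEADER = struct.Struct(">32sHHIIIIII4s4sIIH")  # 78-byte database header
REC_ENTRY = struct.Struct(">IB3s")                  # data offset, attributes, unique ID
REC_ATTR_SECRET = 0x10                              # attribute bit behind the "private" flag


def build_pdb(name, records):
    """Build a minimal PDB image from (payload, is_private) pairs (constructed data)."""
    offset = PDB_HEADER.size + REC_ENTRY.size * len(records) + 2
    header = PDB_HEADER.pack(name.encode(), 0, 0, 0, 0, 0, 0, 0, 0,
                             b"DATA", b"memo", 0, 0, len(records))
    entries, body = b"", b""
    for uid, (payload, private) in enumerate(records, 1):
        attrs = REC_ATTR_SECRET if private else 0
        entries += REC_ENTRY.pack(offset, attrs, uid.to_bytes(3, "big"))
        body += payload
        offset += len(payload)
    return header + entries + b"\x00\x00" + body     # 2 pad bytes precede the data


def read_records(image):
    """Return (is_private, payload) for every record, ignoring nothing."""
    count = PDB_HEADER.unpack_from(image)[-1]
    entries = [REC_ENTRY.unpack_from(image, PDB_HEADER.size + i * REC_ENTRY.size)
               for i in range(count)]
    ends = [e[0] for e in entries[1:]] + [len(image)]
    return [(bool(attrs & REC_ATTR_SECRET), image[off:end])
            for (off, attrs, _uid), end in zip(entries, ends)]


def flag_only_records(image):
    """Payloads whose only protection is the private bit."""
    return [payload for private, payload in read_records(image) if private]


# Constructed sample: one ordinary memo and one marked private.
SAMPLE = build_pdb("MemoDB", [(b"Grocery list\x00", False),
                              (b"Bank PIN 0000\x00", True)])

if __name__ == "__main__":
    for private, payload in read_records(SAMPLE):
        print("private" if private else "public ", payload)
```

Any record this lists from a backup copy of a database is one to move into an encrypting store such as the ones the thread recommends.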
  7. #7  
    Mind if I throw a can of worms into the works? I was under the impression that there's a dot dot two shortcut command for debugging that can override the built-in shutoff and lock via a cradle. Then all info can be gleaned off the Palm.

    However, I'm not sure these are accessible on the Treo. They aren't accessible from the keyboard the way they are from graffiti, but if they are still built into the system, they could be accessed via a PC.

    Any ideas?
  8. #8  
    I just tried both shortcut dot 1 and shortcut dot 2 on the password screen. Neither interrupted the password requirement. If anyone else can get past, I would like to hear about it.
  9. #9  
    Dave,

    Now that I have my facts a little straighter (though I'm still talking over my head) here's what I meant to say: Through a developer backdoor (apparently the same FUNCTION as shortcut-dot-2) it seems it's possible to bypass the lockout and use the debugging feature to access all files on a locked Palm via a PC. With software on the PC, any Palm can be placed in a cradle (or probably Treo hotsync cord) and then accessed. I ran across a document with a little more info on this:

    http://www.atstake.com/research/advi.../a030101-1.txt

    (I also think I read that the same thing is possible by infrared connection to a PC, but I don't want to open that can of worms.)

    I think what this all comes down to is: like any system, the Palm can be cracked IF someone really wants to get into it. But good security is never really an absolute, it's just a really good deterrent.
  10. #10  
    So let's say that you do have the Treo 600 (or apparently other Palm/Phone combination devices from what a friend tells me) and you receive a phone call.

    How do you get to the security screen to unlock it?
  11. #11  
    Security thread
    Me = Nokia 5170/Palm III > Kyocera 6035 > Treo 600 > Treo 650 > Treo 700p > Treo 755p > Treo Pro > Palm Pre

    Wife = Treo 600 > Treo 650 > Treo 755p > Palm Centro > Palm Pixi
  12. #12  
    Originally posted by meta_dave
    it is always a good idea to set the Owner Preference so that if an honest person finds your Treo, you will get a phone call or have it mailed to you. It is the text you see when you turn on a password locked Treo.
    Another good option in addition to that is StuffBak
    http://www.stuffbak.com

    It's an ID label that makes the return process easy for honest people and lost&found departments. They can drop your item off at any UPS store or have Airborne Express pick it up directly, at no cost to them. They are even automatically rewarded by Stuffbak with $20 in free labels for returning your missing item, plus you can offer a cash reward on top of that yourself.

    Definitely check out that security thread cash70 mentioned above, it lists some of the different programs that encrypt and bit-wipe your data or lock your device.
