PDAs: convenience, and no security
- By William Jackson
- Jul 29, 2004
LAS VEGAS - A proof-of-concept virus discovered last week is a relatively benign bug for infecting Windows CE devices. It carries no destructive payload and has not been released in the wild.
But a little tweaking of the code demonstrated at the Black Hat Briefings Wednesday can let an attacker delete files from a personal digital assistant running the Microsoft operating system.
'This virus is more of a threat than some people realize,' said Seth Fogie, vice president of Airscanner Corp. of Dallas. 'He has laid down the foundation for a whole class of CE viruses.'
PDAs have not been obvious targets so far for virus writers and hackers, but their software carries most of the security vulnerabilities that have caused headaches on desktop and notebook computers.
'The things are pretty much completely lacking in security,' Fogie said. 'It's pretty simple to get in to and control.'
Fogie demonstrated a number of hacks that would wipe data from the devices or let a snooper spy on the PDA while in use. The devices also provide what Fogie called mobile-attack platforms against wireless networks. He said network administrators should accept that the personal devices would be used on networks and make an effort to understand who is using them and how.
He made a number of recommendations to administrators for securing PDAs:
- The enterprise should own and manage PDAs used on its networks, controlling and encrypting the data stored on them.
- Strong passwords should be enforced in place of default four-character passwords.
- Synchronization should be encrypted and secured.
- Wireless connections to the network should be secured.
- Firewalls and antivirus software should be used on PDAs.
- Data should be backed up regularly.
William Jackson is a Maryland-based freelance writer.