Title: Pointsec for PalmOS PIN disclosure
Pointsec software for PalmOS stores its authentication credentials
in clear-text in memory. These credentials (the PIN code) can be
retrieved in a few seconds once the Palm device is authenticated.
Quoted from the vendor's web page:
"Pointsec® for Palm OS combines sophisticated access control, data
encryption, and a revolutionary user authentication process to
protect everything - not just a few selected applications like most
PDA security products. Pointsec's mandatory access control complies
with tough new security regulations and reduces liability for third
party data by ensuring that only authorized users can access
applications and data."
The Pointsec software for PalmOS uses a PIN code to unlock the
Palm device. This PIN code is stored in clear-text in the memory of
the Palm device.
The PIN code can be extracted by dumping the memory of the device
once the user has authenticated. The extraction only takes a few
seconds.
The Pointsec software can be configured to time-out after a given
period, forcing re-entry of the PIN code.
However, this period is most likely longer than the time it takes
for a malicious user to steal the Palm and extract the PIN, thus
giving him access to all the data on the Palm.
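As an added illustration (not code from this advisory or from Pointsec), the following Python models the flaw beside a hardened design: the first class keeps the PIN itself in its state, the second keeps only a salted PBKDF2 hash and relocks after an idle timeout; pin_visible is a simple check a reviewer can run over a state dump. The class and function names are my own, and memory_image is a stand-in for a real memory dump.

```python
import hashlib
import hmac
import os


class ClearTextPinLock:
    """Constructed model of the flaw: the PIN itself stays in the lock state."""

    def __init__(self, pin: str):
        self.pin = pin  # secret kept in memory for the lifetime of the object
        self.unlocked = False

    def unlock(self, entered: str) -> bool:
        self.unlocked = entered == self.pin
        return self.unlocked

    def memory_image(self) -> bytes:
        # stand-in for a dump of this object's memory
        return repr(vars(self)).encode()


class HashedPinLock:
    """Hardened form: store only a salted PBKDF2 hash and relock on idle timeout."""

    def __init__(self, pin: str, timeout_s: float):
        self.salt = os.urandom(16)
        self.digest = self._derive(pin)  # the PIN is not retained after this
        self.timeout_s = timeout_s
        self.unlocked_at = None

    def _derive(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)

    def unlock(self, entered: str, now: float) -> bool:
        ok = hmac.compare_digest(self._derive(entered), self.digest)
        self.unlocked_at = now if ok else None
        return ok

    def is_unlocked(self, now: float) -> bool:
        # Once the idle period elapses the device demands the PIN again.
        return self.unlocked_at is not None and now - self.unlocked_at < self.timeout_s

    def memory_image(self) -> bytes:
        return repr(vars(self)).encode()


def pin_visible(image: bytes, pin: str) -> bool:
    """Reviewer's check: does a state dump contain the PIN verbatim?"""
    return pin.encode() in image
```

The hardened variant still has an unlocked window, which is why the timeout should be kept short; the point is that a dump taken during that window no longer yields the PIN.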
You can visit the vendor's web page here: http://www.pointsec.com
The vendor was contacted about the first issue on the 13th of
February, 2002. We received a new version of Pointsec for PalmOS
on the 18th of May which corrected this specific issue.
Upgrade to Pointsec for PalmOS version 1.2, which is available
from Pointsec (http://www.pointsec.com).
Authors:
Laurens Binken ([email protected])