@stake, Inc.
www.atstake.com

Security Advisory

Advisory Name: Palm OS Password Lockout Bypass
Release Date: 03/01/2001
Application: Palm OS 3.5.2 and below
Platform: All Palm OS Devices
Severity: Passwords and data can easily be obtained through a backdoor in Palm OS, even if the device is "locked".
Author: Kingpin [kingpin@atstake.com]
Vendor Status: Vendor responded via email, see response section
CVE: CAN-2001-0157
Reference: www.atstake.com/research/advisories/2001/a030101-1.txt

Executive Summary:

The Palm operating system (OS) Security application provides "system lockout" functionality in which the Palm device will not be operational until the correct password is entered. The password is also used by the legitimate user to protect and hide records by marking them as "Private". These mechanisms are meant to prevent an unauthorized user from reading data or running applications on the device.

A backdoor exists in Palm OS which provides source- and assembly-level debugging of executables and the administration of databases existing on the physical device. Although this backdoor is documented for debugging purposes, it can be activated even if the Palm OS lockout functionality is enabled. This allows an unauthorized user to perform a number of commands including, but not limited to, retrieving an encoded form of the system password, obtaining all database and record information on the device, and installing or deleting applications.

The system lockout mechanism is currently assumed by most users to be a sufficient protection feature of the Palm operating system. This is not the case, and it is a severe weakness for particular deployments of Palm OS devices.

Overview:

The security implications of the Palm OS backdoor are further amplified when read in conjunction with [1], which details the weak, reversible encoding scheme used to protect the Palm system password on the device.
Once the actual password is determined, the system lockout functionality can be disabled and a user's private data can be accessed.

Although well known in the security industry to be insecure, Personal Digital Assistants (PDAs) are ubiquitous in enterprise environments and are being used for such applications as one-time-password generation, storage of medical and company confidential information, and e-commerce [2]. It is important that those specifying Palm OS devices for use in their organizations be aware of the discussed flaws so that policies and procedures can be put in place to help mitigate risk.

In order to enable the backdoor mode, the attacker must have physical access to the target Palm device. By nature, portable devices face the threat of physical attack external to the office environment. Additionally, the threat of physical attacks internal to a company is very real and will increase as the use of portable devices becomes even more common.

Detailed Description:

Designed into the Palm OS is an RS232-based "Palm Debugger". By entering a short Graffiti keystroke combination (shown on page 81 of [3]), the Palm OS device enters one of two interfaces provided by the Palm Debugger and monitors the serial port for communication. "Console mode" interfaces with a high-level debugger, such as Metrowerks CodeWarrior for Palm OS, and is used mostly for the manipulation of databases. "Debug mode" is typically used for assembly- and register-level debugging. A soft reset of the Palm device will exit debug mode, leaving no evidence of use.

Aside from the specific attack of retrieving the obfuscated system password block by using the 'export 0 "Unsaved Preferences"' console command, which is shown in the Proof-of-Concept section, it is possible to access all database and record information on the entire Palm OS device. A complete listing of console and debug commands can be found in [3].
A selection of the most pertinent, and potentially damaging, console commands is as follows:

cardformat   - Formats the memory card.
changerecord - Replaces a record in a database.
coldboot     - Initiates a hard reset on the device. A hard reset erases all data, restoring it to a factory-new state.
del          - Deletes a database from the device.
dir          - Displays a list of the databases on the device.
dm           - Displays memory for a specified number of bytes.
export       - Copies a Palm OS database (or application) from the handheld device to the desktop computer.
import       - Copies a Palm OS database (or application) from the desktop computer to the handheld device. This sidesteps any HotSync or beaming operations and logging mechanisms.
launch       - Launches an application on the handheld device.
saveimages   - Saves a memory card image (all of the data on the device).

Because the debug modes communicate with the host via the serial port, this attack can trivially be carried out in a portable fashion using a laptop and a HotSync cable or cradle. Additionally, it is possible to use a Palm OS-based application to emulate the required commands and, with a modified HotSync cable, be used for the retrieval of passwords or other data.

Proof-of-Concept:

The Palm OS password is set by the legitimate user with the Security application. The maximum length of the ASCII password is 31 characters. Regardless of the length of the ASCII password, the resultant encoded block is always 32 bytes. The encoded password block is stored in the "Unsaved Preferences" database on the Palm device (it is also transmitted over the serial or network port during a HotSync operation).

Even if the system is "locked", it is possible to use the Palm debug "Console mode" to retrieve the Unsaved Preferences from the device as shown below. The actual password can then be determined as described in [1] using the PalmCrypt tool, which encodes ASCII passwords to encoded password blocks and decodes them back.
<--- begin console mode screenshot --->
Ready...
>export 0 "Unsaved Preferences"
Unsaved Preferences
Getting info on resource 3 of 3
Exporting resource 3 of 3
Success!!
<--- end console mode screenshot --->

The Unsaved Preferences database is saved to the desktop PC in the .\PalmDebugger\Device directory. Using a hex editor or Palm database viewer tool on the PC, the 32-byte encoded password block can be located. Entering the encoded block into the PalmCrypt tool, the original ASCII password can be determined.

<--- begin palmcrypt screenshot --->
E:\>palmcrypt -d 568CD23E994B0F8809021345070413440C08135A3215135DD217EAD3B5DF5563

PalmOS Password Codec
kingpin@atstake.com
@stake Research Labs
http://www.atstake.com/research/
August 2000

0x74 0x65 0x73 0x74 [test ]
<--- end palmcrypt screenshot --->

Temporary Solution:

Mitigating the risk of a backdoor has historically been difficult without an upgrade to the offending application (in this case, Palm OS). Palm OS 4.0, due to be released at the end of 2001, appears to have resolved the issue of weak password obfuscation [1] and the activation of debug functionality during the "system lockout" mode. However, it is highly recommended that a thorough analysis of OS 4.0 take place before a security-critical application is deployed.

The most immediate recommendation would be to not use the current family of Palm devices for the storage of sensitive or confidential information. Beware of the security ramifications of other PDAs, as well. It is not possible to employ a secure application on top of an insecure foundation. Because Palm OS is inherently insecure, methods to attempt to completely secure data are moot. The U.S. Government is beginning to follow this recommendation [4].

The user should be very aware of the physical security and location of the device at all times. It should not be left unattended or loaned to a potentially untrustworthy colleague.
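The Proof-of-Concept above turns on one property of the stored password block: it is a keyless, reversible encoding, so anyone who can export it gets the password back. The following Python example is added here for illustration and is not part of this advisory, not PalmCrypt, and not Palm's actual scheme (which [1] describes). It contrasts a constructed toy encoding that stands in for any such reversible scheme with a salted, iterated one-way verifier of the kind a lockout password store should hold instead, so that an exported block reveals nothing that reverses to the password. The fixed pad, the iteration count and the function names are assumptions of the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed toy obfuscation, NOT Palm OS's real encoding (see [1] for that).
# It models any keyless, reversible scheme: the stored block is the password
# XORed with a fixed pad that every device shares, so the block alone is enough
# to recover the password once it has been exported.
TOY_PAD = bytes(range(0x20, 0x40))   # 32 fixed, public bytes (assumed for the example)
BLOCK_LEN = 32                       # the advisory's encoded block is always 32 bytes
MAX_PASSWORD_LEN = 31                # the advisory's ASCII password limit


def toy_encode(password: bytes) -> bytes:
    """Pad the password to 32 bytes and XOR it with the fixed pad (reversible, no secret)."""
    if len(password) > MAX_PASSWORD_LEN:
        raise ValueError("password longer than 31 bytes")
    padded = password + b"\x00" * (BLOCK_LEN - len(password))
    return bytes(p ^ k for p, k in zip(padded, TOY_PAD))


def toy_decode(block: bytes) -> bytes:
    """Undo toy_encode: this is all an exported block costs to reverse."""
    if len(block) != BLOCK_LEN:
        raise ValueError("encoded block must be 32 bytes")
    return bytes(b ^ k for b, k in zip(block, TOY_PAD)).rstrip(b"\x00")


# Defensive alternative: keep a salted, iterated one-way verifier instead of an
# encoding. The device can still check a typed password, but exporting the stored
# bytes yields no block that decodes back to it.
SALT_LEN = 16
ITERATIONS = 100_000   # assumed work factor for the example


def make_verifier(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256(password, salt), 48 bytes in total."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=32)
    return salt + digest


def check_password(password: str, stored: bytes) -> bool:
    """Recompute the verifier with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=32)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    pw = b"test"   # constructed sample, the same password as the PalmCrypt screenshot above
    block = toy_encode(pw)
    print("toy block:", block.hex())
    print("decoded  :", toy_decode(block))      # the block alone gives the password back
    ver = make_verifier("test")
    print("verifier :", ver.hex())
    print("correct  :", check_password("test", ver), " wrong:", check_password("wrong", ver))
```

The verifier is deliberately not an encryption of the password: with a per-device random salt and an iterated hash, the only thing an exported Unsaved Preferences record would hand over is a value that has to be brute-forced, and the same is true of the secret components the encryption products discussed below rely on if they are kept off the device.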
A PDA lock such as the Kensington PDA Saver could be used, or a lanyard such as Force.com's The Bond.

Because the debug modes are accessible only through the serial port, a hardware add-on with a lock could be used which will prevent a physical connection to the port. For urgent deployments, a piece of plastic could be permanently glued into place (leaving the infrared port as the only method of HotSync). The serial port could be disabled at the circuit board level on particular Palm OS devices by opening the case and cutting the specific RS232 lines. These actions will prevent an attacker from using the debug mode even if it is activated.

Solutions exist which provide power-on protection similar to the Palm OS built-in functionality by requiring a handwritten signature, physical button taps, or other form of password before allowing access to the device.

Encryption solutions, such as Secure Memopad by Certicom or Jawz, Inc.'s Datagator, will encrypt the data of certain Palm applications. If the secret components (e.g., encryption keys or passwords) are not stored on the Palm device, these will serve as an additional layer of security for particular deployments. However, this does not completely mitigate all risks. Because it is possible to install applications onto the Palm OS device while the "system lockout" functionality is enabled, an adversary could install a keystroke monitoring program with which any passwords could be recorded and retrieved at a later date. This recorded data could be retrieved through the debug mode, as well. The possibility also exists for such a program to save the contents of memory after cryptographic operations take place, hence retrieving the plaintext of encrypted memos, keys, or other data.

It would behoove Palm, Inc. to completely remove all debugging features from future production versions of Palm OS, including OS 4.0.
For purposes of application development, a debug-enabled ROM set should be available (and can be used in conjunction with the Palm OS Emulator on a desktop PC). If the debugging functionality remains inherent in Palm OS, attackers may find methods to modify the operating system to re-enable the debug mode.

Vendor Response:

Vendor responded via email that Palm OS 4.0 will fix the problem when it ships.

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the following name to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

CAN-2001-0157

References:

[1] Kingpin, "Palm OS Password Retrieval and Decoding," @stake Security Advisory, September 26, 2000, http://www.atstake.com/research/advisories/2000/a092600-1.txt.
[2] Forbes.com, "Padlock Your Palm," http://www.forbesbest.com/0226/060.html.
[3] Palm, Inc., Palm OS Programming Development Tools Guide, DN 3011-002, http://www.palmos.com/dev/tech/docs/devtoolsguide.zip.
[4] Federal Computer Week, "The Circuit," February 5, 2001, http://www.fcw.com/fcw/articles/2001/0205/news-circuit-02-05-01.asp.

Advisory policy: http://www.atstake.com/research/policy/
For more advisories: http://www.atstake.com/research/advisories/
PGP Key: http://www.atstake.com/research/pgp_key.asc

Copyright 2001 @stake, Inc. All rights reserved.