Palm Decides Not to Address Treo Vulnerability
Symantec recently highlighted a vulnerability on recent Palm OS-powered Treos:
Palm OS Treo smartphones are equipped with a system password lock to secure contents of handheld data from unauthorized access. When this lock is engaged, Treo's built-in Find feature is still accessible and can be used to perform searches on text in Treo applications and databases (e.g. SMS Messages, Memos, Calendar, Tasks, etc). Search results are accessible, and depending on their size, may be truncated. An attacker may use this vulnerability to retrieve information from a locked device.
The built-in Find feature can also be used to access an Edit window and paste previously cut or copied data into the search field of a locked device. An attacker may use this vulnerability to view data that was cut or copied from Treo applications prior to the device being locked. [Emphasis mine]
The Treo 650, 680, and 700p are affected by this.
Palm was apparently notified of the problem and they decided not to address it. It isn't really a severe vulnerability if you think about it. You should never leave a smartphone or PDA alone with someone else anyway (the "attack" can only be carried out with direct access to the phone), especially if you have valuable data stored on it. But it's good to see people stepping up to solve the problem.
free cellphones
February 23rd, 2007 at 6:54 am #
Palm is probably giving up the Palm OS as they are trying to build the next Linux based Treos.
Rico
February 24th, 2007 at 2:45 pm #
Actually, Palm no longer owns the OS itself. Access Co. is responsible for its development. But I know what you mean: Palm’s initial decision was sound, because from a business POV, it doesn’t make sense spending time and money to fix what’s actually a minor bug.