T 4.51 Inadequate security mechanisms on PDAs
An IT system that is employed for portable use can be connected to a LAN via a VPN such that the communication link itself is very well protected. However, if this IT system is inadequately protected against unauthorised access, there is a risk that an unauthorised person may misuse it as a "gateway" into the internal network.
Typical end devices for portable use are mobile telephones or PDAs, on which in the majority of cases it is not possible to distinguish between users. As a result, anybody who has access to the device can access all of its data and programs, including internal data belonging to the organisation and very personal data belonging to the owner.
Other, unfortunately very typical vulnerabilities on portable components such as PDAs are:
- inadequate access protection and authentication mechanisms
- no facility or an inadequate facility for encrypting data
- insecure synchronisation
- no logging facilities or inadequate logging facilities
A large number of different PDA models with a very wide range of operating systems are available. The security features of the different PDA platforms vary; however, none of the common commercial systems provides secure protection against tampering.
Example:
With Palm OS 3.5.2 and all previous versions, a combination of keys makes it possible to switch to either the so-called "Console Mode" or the "Debug Mode". Both modes provide direct access to system data, bypassing all security mechanisms. It is irrelevant here whether access to the PDA is password-protected or not: both modes can be activated while circumventing the access protection.