Palm OS Treo Security Vulnerability Posted
Symantec Vulnerability Research has posted a security advisory on a new Treo data vulnerability. The researchers have found a method to bypass the Treo system password and locking mechanism using the Find feature.
The advisory states:
Palm OS Treo smartphones are equipped with a system password lock to secure contents of handheld data from unauthorized access. When this lock is engaged, Treo's built-in Find feature is still accessible and can be used to perform searches on text in Treo applications and databases (e.g. SMS Messages, Memos, Calendar, Tasks, etc). Search results are accessible, and depending on their size, may be truncated. An attacker may use this vulnerability to retrieve information from a locked device.
This same tactic can also be used to expose any data contained within the device's clipboard when locked.
Symantec says it notified Palm about the issue in August 2006 and had it confirmed. The researchers say they have tested the Verizon, Sprint, and Cingular Treo 650 (Treo650-1.03a-VZW and Treo650-1.12-SPCS), the Cingular Treo 680, and the Sprint/Verizon Treo 700p.
The report states that Palm has decided not to fix or address the vulnerability. PalmInfocenter has requested a statement from Palm on the issue.