[ISN] Sharp's Zaurus PDA suffers security holes

From: InfoSec News (isnat_private)
Date: Fri Jul 12 2002 - 06:06:08 PDT


    By Richard Shim 
    Staff Writer, CNET News.com
    July 11, 2002, 12:50 PM PT
    Sharp's Linux-based, business-oriented Zaurus handheld suffers from
    security holes that could let hackers grab private data off a
    corporate network, according to researchers at Syracuse University.

    In an advisory posted Wednesday to a Syracuse University
    computer-science Web site, researchers said they had found
    vulnerabilities in Sharp's Zaurus SL-5500 and Zaurus SL-5000D
    handhelds. The flaws let attackers take control of the device's file
    system, giving them the power to overwrite files or lock the device so
    no data can be input through the keypad or touch screen.

    The biggest potential threat, though, exists when the device is
    wirelessly connected to a company's network, where sensitive data
    might be stored. The flaws would enable attackers to download and
    upload files.

    "These vulnerabilities mean that the Zaurus can be used as a launching
    point to attack the network," said K. Reid Wightman, one of the
    researchers who worked on the advisory.

    Security holes are not likely to help Zaurus' already delicate

    Large businesses are the company's target audience with the device,
    but, being Linux-based, the gadget was already at risk of being
    overlooked by corporate IT buyers. Though Linux has become a fact of
    life in the computing world and has been adopted for limited use by a
    number of companies, Linux handhelds remain a rarity.

    The Syracuse researchers notified Sharp of the vulnerabilities,
    according to the advisory, and Sharp spokeswoman Nancy Boyle Levene
    said the company is working on a patch. It's not yet clear, though,
    when the fix will be available, she said.

    "Thus far, (the Zaurus has) been primarily a consumer product, so it
    isn't a major problem for businesses," Levene said, adding that Sharp
    anticipates greater business interest in the Zaurus once the company
    makes its mobile services available in October.

    Linux is an open-source operating system, giving developers equal
    access to the code. Many consider that an advantage in a situation
    like this, as security flaws are found quickly and fixes and other
    software improvements can be added by a whole community of
    programmers, not just those employed by a particular company. However,
    Sharp has not released the source code for the Zaurus' particular
    operating system to the open-source community, nor has it integrated
    any community updates to its OS, choosing instead to go a more
    proprietary route.

    "Sharp committed to Linux and the open-source community, but they've
    realized that they don't want to live the lifestyle," said a source
    familiar with the company's plans.

    The source added that there is an OS in the open-source community,
    called OpenZaurus, that is compatible with the software included on
    the Zaurus. Sharp is using a modified version of Lineo's Embedix Plus
    PDA OS in its Zaurus handheld device. The Embedix Plus PDA OS is built
    around the Linux kernel.

    Wednesday's advisory is part of a Syracuse University research project
    aimed at analyzing the security of the Zaurus and its use as a hacking
    tool, according to Syracuse University's Center for Systems Assurance
    Web site.

    According to a source familiar with Sharp's plans, the company's
    next-generation Zaurus device, due this fall, will address the
    vulnerabilities. The gadget will come with Intel's 400MHz XScale
    PXA250 processor and a larger battery than the one found in Sharp's
    currently available Zaurus SL-5500. The Zaurus SL-5500 uses Intel's
    206MHz StrongARM SA-1110 processor.

    The vulnerable Zaurus SL-5000D and the Zaurus SL-5500 are nearly
    identical, but the 5500 comes with 64MB of memory, while the 5000D
    comes with 32MB. The 5000D is the developer's version of the Zaurus.

    ISN is currently hosted by Attrition.org
