Background: REX 5000 is a credit-card-sized PDA made by Xircom (which is now "An Intel Company"). It comes with a good PIM program, Starfish (www.starfish.com) TrueSync Desktop (which is probably a new rewrite of the well-known Starfish Sidekick). I just downloaded the latest version, 2.0b. I noticed a couple of vulnerabilities:

1. Like many other PIMs (or word processors, etc.), TrueSync Desktop allows you to set a password for accessing the files with contacts, notes, etc. But

   a. the actual files are not encrypted, not even "scrambled", so anybody with access to them can view them anyway;

   b. the password is stored in the registry, under the key
      HKEY_LOCAL_MACHINE\SOFTWARE\Starfish\TrueSync Desktop\Version 1\PASSWORD\pswd
      The algorithm for storing the password is obvious: if the password is "abc" the key value is 097098099, that is, the three-digit ASCII codes of the letters concatenated. No other comments.

2. The device itself has 6 keys, and you can set a 5-key password (this is different from the above password). The keyspace is 6^5 = 7776 possible keys (almost a 13-bit key, wow!). It is somewhat cumbersome to brute-force via the keys, but using the serial cradle (included) to brute-force 7776 keys is a one-hour task. The fatal flaw here is that there is no delay between password attempts (preferably a delay that increases with the number of unsuccessful attempts).

3. The included software can also be used to make backups of the entire device. Any manipulation of the device or of the backups requires the device password (if one uses the included software), so a normal user will assume that the data is somehow safe. But no: the backup file includes the device password (in cleartext)!

Fixing the problem(s)

A. For the software. Use a really good symmetric encryption algorithm to encrypt the data. This will require a major rewrite of the software. As a workaround you can store all the data on an encrypted filesystem, like PGPdisk or Jetico's BestCrypt.

B. For the device. Entering and remembering 128 bits with 6 keys would be very hard, and no user will be willing to remember and enter 50 (!) keys each time. But what the manufacturer can do is add a delay (preferably a delay that grows exponentially with the number of unsuccessful retries).

DISCLAIMER: These are my opinions and have nothing to do with my employer.
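As an added example (not code from the original post, nor from Starfish or Xircom), the following Python illustrates the two points above that lend themselves to a worked demonstration: decoding and encoding the registry password format described in 1(b), and modelling how long the 5-key device password from point 2 takes to exhaust over the cradle with no delay, with a fixed delay, and with the exponentially growing delay proposed in B. The per-attempt time of 3600/7776 s is an assumption derived from the post's "one hour" estimate; the 5-second fixed delay, the 1-second base delay and the 1-hour cap are assumptions chosen for the model, and no registry access or serial I/O is performed.

```python
"""Added example, not part of the original post or any vendor software.

Two things from the post are illustrated:
  1. the TrueSync Desktop registry password format (each character stored as
     its zero-padded 3-digit decimal ASCII code, e.g. "abc" -> "097098099");
  2. how much an escalating lockout delay slows a serial-cradle brute force of
     the REX 5000's 5-key password (6 keys, so 6**5 = 7776 candidates).
"""
import itertools
from typing import Callable

# Registry location quoted in the post. Reading it needs Windows and winreg,
# which is deliberately not done here so the example runs anywhere.
TRUESYNC_PASSWORD_KEY = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Starfish\TrueSync Desktop\Version 1\PASSWORD\pswd"
)


def encode_truesync_password(password: str) -> str:
    """Encode the way the post describes: concatenate 3-digit ASCII codes."""
    if not password.isascii():
        raise ValueError("format only covers 7-bit ASCII characters")
    return "".join(f"{ord(ch):03d}" for ch in password)


def decode_truesync_password(stored: str) -> str:
    """Recover the plaintext password from the stored registry value."""
    if not stored.isdigit() or len(stored) % 3 != 0:
        raise ValueError("value is not a run of 3-digit ASCII codes")
    codes = [int(stored[i:i + 3]) for i in range(0, len(stored), 3)]
    if any(code > 127 for code in codes):
        raise ValueError("code outside the ASCII range")
    return "".join(chr(code) for code in codes)


# --- device password brute-force model ---------------------------------------

REX_KEY_COUNT = 6    # from the post
REX_PIN_LENGTH = 5   # from the post
# Assumption: the post's "one hour" for 7776 attempts over the cradle implies
# roughly this many seconds per attempt when no lockout delay exists.
SECONDS_PER_ATTEMPT = 3600.0 / (REX_KEY_COUNT ** REX_PIN_LENGTH)


def pin_candidates():
    """Every 5-key combination; this is what a cradle brute force would send."""
    return itertools.product(range(REX_KEY_COUNT), repeat=REX_PIN_LENGTH)


def pin_keyspace() -> int:
    """Size of the keyspace, counted by enumeration rather than assumed."""
    return sum(1 for _ in pin_candidates())   # 7776


def no_delay(failures: int) -> float:
    """The device's current behaviour as described in the post: no lockout."""
    return 0.0


def fixed_delay(failures: int, seconds: float = 5.0) -> float:
    """A constant lockout after every failure (assumed 5 s)."""
    return seconds


def exponential_delay(failures: int, base: float = 1.0, cap: float = 3600.0) -> float:
    """Lockout doubling with each failure, capped (assumed 1 s base, 1 h cap).
    The exponent is clamped so the arithmetic stays bounded for large counts."""
    return min(base * 2.0 ** min(failures, 60), cap)


def seconds_to_exhaust(attempts: int,
                       per_attempt: float = SECONDS_PER_ATTEMPT,
                       delay_fn: Callable[[int], float] = no_delay) -> float:
    """Wall-clock time for `attempts` sequential guesses when the n-th failure
    (0-based) triggers delay_fn(n) seconds of lockout before the next guess."""
    return sum(per_attempt + delay_fn(n) for n in range(attempts))


if __name__ == "__main__":
    stored = encode_truesync_password("abc")
    print(f"{TRUESYNC_PASSWORD_KEY}")
    print(f"  stored value {stored} -> {decode_truesync_password(stored)!r}")
    total = pin_keyspace()
    policies = (("no delay", no_delay),
                ("fixed 5 s", fixed_delay),
                ("exponential, 1 h cap", exponential_delay))
    for name, fn in policies:
        secs = seconds_to_exhaust(total, delay_fn=fn)
        print(f"{name:>22}: {secs / 86400:9.2f} days to try all {total} PINs")
```

With the assumed figures the full keyspace falls in one hour with no delay and in about half a day with a fixed 5-second lockout, while the capped exponential policy pushes an exhaustive search to roughly 320 days, which is the difference the post's proposal B is after.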
This archive was generated by hypermail 2b30 : Fri Aug 24 2001 - 07:58:41 PDT