DEPARTMENT OF ENERGY
INFORMATION SECURITY RESOURCE CENTER
PACIFIC NORTHWEST NATIONAL LABORATORY
ADVISORY NOTICE No. 23
March 31, 1998
NEW HAND-HELD COMPUTERS A GROWING CONCERN
Small, hand-held computers, called Personal Digital Assistants (PDAs), are becoming more and more common. In fact, they were reported by a technology watch group as the number one new growth technology in the U.S. for 1997. No one expected PDAs to become so popular, yet they are becoming the latest "must-have" for managers and scientists throughout the DOE Complex.
These PDAs, known as Palm Pilots, Palm Personal Computers, and Palmtops, are hand-held organizers that include some of the same powerful applications and programs seen on desktop computers. The inherent dangers of PDAs are also their greatest appeal: versatility, power, and size.
PDAs are small and easy to conceal. Individuals entering facilities housing computer networks could easily bring in a PDA, preloaded with network intrusion software, to use for penetrating the network or a specific system. Additionally, new features such as voice recording, two-way paging, and data transfer are making PDAs a likely venue for exploitation. In fact, hacking scripts and applications for PDAs are already appearing on underground hacker bulletin boards.
Security managers throughout the DOE Complex are finding it harder and harder to deny entry of these devices to areas where classified or sensitive unclassified discussions occur. Current DOE policy prohibits the introduction of some electronic devices, but not specifically hand-held computers.
The PDA's success lies in its ability to be a personal information manager, e-mail interface, note taker, voice recorder, and off-line Web browser, all in one compact package. In the past year, the PDA has developed an avid consumer following and is now catching on with corporations as well. Already, there are five newsgroups on the Internet devoted exclusively to providing advice, assistance, and freeware for PDAs.
The Microsoft version of the PDA to be released later this year, called the Palm PC, is powered by Windows CE. If you are familiar with the Windows 95 or the Windows NT operating system, you already know the basics of using Windows CE. The familiar Windows-like operating system of the Palm PC also may lend itself to easy software exploitation by the established hacker community, and possibly by competitive intelligence professionals as well.
The ability to communicate is a key feature of PDA devices. It can take a variety of forms, ranging from direct network connections to infrared linking and dial-up modem capabilities. PDAs are also compatible with most desktop computer platforms. In addition to built-in communication hardware, most PDAs permit a wide variety of aftermarket communications devices to be added to the basic package.
Usually the focus in the computer underground is directed towards finding holes in software programs. The creation or modification of hardware is another technique that skilled hackers will employ to attack computer systems. Many electronic devices have already been created by computer criminals for the purpose of intercepting data transmissions, defeating telephone tolls, and decrypting sensitive data. The relatively inexpensive PDA may be a prime target of new or young hackers because the costs associated with purchasing the necessary components are minimal.
Because of their popularity, some hackers have begun to create attack programs to use on PDAs. The Information Security Resource Center (ISRC) has yet to encounter any of these programs "in the wild," because the hardware and software are still too new. As the technology advances and the prices drop, we will see many more hackers using and developing attacks utilizing the PDA's capabilities.
In 1997, ISRC Advisory Notice No. 12 presented information concerning the use of a computer as an audio recorder. If malevolently applied, this audio recording capability represents a potential risk to the protection of sensitive conversations. One PDA promotes its unique feature of an audio recorder, called the Voice Recorder. The ability of a PDA to record a meeting for later playback and transcription, from a small hand-held device, represents a useful tool. However, surreptitious recording can be accomplished in exactly the same way.
The newest wrinkle in these hand-held computers is the addition of pager cards, currently under development. The PDAs will receive data using one-way pager technology, and later, two-way pager technology. They will receive pages and be able to respond with alphanumeric messages. The first module, the one-way pager card, is being developed now.
Develop and distribute policy to the DOE Complex to provide a standardized risk management approach to emerging computer technologies such as PDAs.
Prohibit PDAs in areas where classified or sensitive discussions occur.
Last Updated October 2001