PEOPLE who bring palmtop computers into the office could be unwittingly giving hackers easy access to their company’s computer networks.
Hand-held “personal digital assistants” (PDAs) are commonplace in offices. But if you plug one in to a company network to download your calendar or retrieve email, the device could easily gather information from the network and send it to a hacker’s PC.
The loophole exists because most network security systems use software “firewalls” as their main defence against external hacking, while internal network security is often far more lax. The problem was demonstrated at the hackers’ annual Black Hat conference in Las Vegas last week by Aaron Higbee and Chris Davis, of network security companies Foundstone, California, and RedSiren, Pittsburgh.
Advertisement
To prove their point, Higbee and Davis wrote and installed a simple computer programme on a Compaq palmtop iPAQ. When the device was plugged into a computer linked to a network, it used the computer’s Internet access to connect with a computer outside the building. This link could then be used to bypass any firewall and access information on the network. Because the data being hacked blends in with regular Internet traffic, it doesn’t raise suspicion.
“For targeted attacks this is a very, very easy way to do it,” says Davis. What’s more, the hacking programme could be spread to people’s PDAs like a virus by hiding it in free software that PDA users commonly download from the Web.
The news comes just days after John Stenbit, the chief information officer at the US Department of Defense, declared that from next month the Pentagon will ban wireless PDAs from sensitive areas. “These are places where you can store, use, discuss or process information that is well beyond secret,” says Pentagon spokesman Ken McClellan. Personal cellphones and dictaphones are already banned from such areas.
Stenbit is concerned about the raft of wireless devices that is coming onto the market, including PDAs that can link up to cellphone networks. These devices might be used to eavesdrop on classified meetings or broadcast the location of top US officials. He is already taking a proactive stance. “In his conference room you already have to leave these devices outside the room and have them dismantled,” says McClellan.
The Pentagon is wary of PDAs that can record conversations. “It would be very simple to enable the microphone remotely and divert the signal down the network,” says McClellan.
This isn’t the first time new technology has caused a fuss in US government departments. Two years ago the US National Security Agency embarrassed itself by banning Furbys, a type of cuddly toy, from its offices in the false belief that they recorded speech and repeated it later.