An article in the current issue of [In]Secure magazine suggests that the perception of PDAs as “simple devices” has left many corporate networks vulnerable to attack. Not only can the PDAs themselves be compromised, but PDAs can also be used as trojans to attack a network, writes author Seth Fogie.

Fogie begins by pointing out that attacking a PDA is not as easy as attacking a PC. Because the operating system is in ROM, PDAs tend to be unique, and the art of exploiting PDAs is relatively new, he notes. But if a hacker is willing to accept these limitations and is sufficiently obsessed, there are a number of ways that PDAs can be exploited.

Fogie explains in detail how to compromise PDAs running Windows, using cabinet files and the autorun feature of removable media cards to introduce malicious programs. He also shows how Pocket Internet Explorer can be used to trick users into revealing personal information. Additionally, he says the Soft Input Panel (SIP) that substitutes for a hardware keyboard on Pocket PCs can easily be replaced by a seemingly identical program that logs keystrokes.

Going beyond simple attacks on the device itself, Fogie shows how a PDA running Linux can be used to attack a corporate network. The PDA is equipped with WiFi, an Ethernet card, and a password “sniffer” program, then surreptitiously plugged into a network behind the firewall to create a “drop and go” backdoor.

[In]Secure magazine is available as a PDF download here. The article by Seth Fogie is titled “PDA attacks: palm sized devices — PC sized threats.”

 
This article was originally published on LinuxDevices.com and has been donated to the open source community by QuinStreet Inc. Please visit LinuxToday.com for up-to-date news and articles about Linux and open source.