PEOPLE who bring palmtop computers into the office could be unwittingly giving hackers easy access to their company鈥檚 computer networks.
Hand-held 鈥減ersonal digital assistants鈥 (PDAs) are commonplace in offices. But if you plug one in to a company network to download your calendar or retrieve email, the device could easily gather information from the network and send it to a hacker鈥檚 PC.
The loophole exists because most network security systems use software 鈥渇irewalls鈥 as their main defence against external hacking, while internal network security is often far more lax. The problem was demonstrated at the hackers鈥 annual Black Hat conference in Las Vegas last week by Aaron Higbee and Chris Davis, of network security companies Foundstone, California, and RedSiren, Pittsburgh.
Advertisement
To prove their point, Higbee and Davis wrote and installed a simple computer programme on a Compaq palmtop iPAQ. When the device was plugged into a computer linked to a network, it used the computer鈥檚 Internet access to connect with a computer outside the building. This link could then be used to bypass any firewall and access information on the network. Because the data being hacked blends in with regular Internet traffic, it doesn鈥檛 raise suspicion.
鈥淔or targeted attacks this is a very, very easy way to do it,鈥 says Davis. What鈥檚 more, the hacking programme could be spread to people鈥檚 PDAs like a virus by hiding it in free software that PDA users commonly download from the Web.
The news comes just days after John Stenbit, the chief information officer at the US Department of Defense, declared that from next month the Pentagon will ban wireless PDAs from sensitive areas. 鈥淭hese are places where you can store, use, discuss or process information that is well beyond secret,鈥 says Pentagon spokesman Ken McClellan. Personal cellphones and dictaphones are already banned from such areas.
Stenbit is concerned about the raft of wireless devices that is coming onto the market, including PDAs that can link up to cellphone networks. These devices might be used to eavesdrop on classified meetings or broadcast the location of top US officials. He is already taking a proactive stance. 鈥淚n his conference room you already have to leave these devices outside the room and have them dismantled,鈥 says McClellan.
The Pentagon is wary of PDAs that can record conversations. 鈥淚t would be very simple to enable the microphone remotely and divert the signal down the network,鈥 says McClellan.
This isn鈥檛 the first time new technology has caused a fuss in US government departments. Two years ago the US National Security Agency embarrassed itself by banning Furbys, a type of cuddly toy, from its offices in the false belief that they recorded speech and repeated it later.