Network Hotsync No Authentication


palmtxluvr
04-17-2007, 12:10 AM
Hi all
I have been reading, lurking for a while and getting some GREAT info here so thanks to everyone..

I am now having a problem and hope that some of you more knowledgeable people will be able to help me... or perhaps there is no solution to my problem.. which I hope is not the case....

I am able to hotsync wirelessly when connecting to my home network at home using the WEP key ... I was thinking about trying to sync via the internet... so if I am connected anywhere I can sync the palm...
Ok so I signed up for one of those dynamic hosting redirecting services... so I can connect... I opened up the port on the router... it works great..
1 problem... NO SECURITY - once I have an internet connection... which sometimes requires authentication... but sometimes does not.... as long as someone knows the IP or hostname they can hotsync to my computer... that concerns me a LOT.... I know that in order to hotsync the palm desktop asks.. but I am sure that people who know what they are doing could bypass this... or use the open port to do nasty things... you can't even change the hotsync port... so that it makes it a little harder to get to... (but not much...)
Is there any workaround... any authentication for hotsync... so that I am not leaving myself WIDE open? It just would be so nice to be able to hotsync from anywhere...
I have googled for answers and all I found were some very old - like 2001-2002 - which pointed out this problem and there was no solution. I am hoping since wireless has become so popular - there may have been some solution since then....

For now I have closed the port.... are my dreams of remotely hotsyncing just that - dreams?
Thanks

potter
04-17-2007, 09:19 AM
Background:

The first few steps of the start of the Hotsync process:

1. The user presses the Hotsync button.
2. The Hotsync application starts up, and makes any connections needed (e.g. modem, or network).
3. The Hotsync application sends an attention signal to the Hotsync Manager.
4. The Hotsync Manager responds.
5. The Hotsync application sends the Hotsync ID, and a device number.
6. If the Hotsync Manager does not have the given Hotsync ID, it will prompt the user if they want to make a new user on this desktop.
7. If the Hotsync Manager does have the given Hotsync ID, but the device number does not match, then an error dialog box will open saying that you cannot sync two devices with the same ID against the same desktop.

Therefore, there is a minor authentication going on. However:

- I think the device number is only like four digits long.
- Neither the Hotsync ID nor device number are encrypted when transferred. I know that when the device password is transferred it is masked, but not encrypted. Therefore I assume the Hotsync ID and device number are either plain text or at best masked.

Password:

There also is the device password that is transferred from the desktop to the hand-held during a Hotsync. When Hotsyncing a device with a password against a new desktop, one must enter the password on the desktop in order to make the new user on the desktop. However, I do not know how the change password is managed, so I cannot say if a passworded device provides any authentication. If I change the password on the device, why do I not have to enter the new password on the desktop?

Security issues that I have heard of associated with the Hotsync process:

- The password is transmitted in a masked form. It is possible to reverse this mask to retrieve the plain text password.
- The password transmission is VERY simple. The hand-held sends the password to the desktop when needed. This opens up the possibility of:
  - "Encrypted" password repeating.
  - The hand-held is trusting the desktop identity, unverified.
- All the rest of the data is transmitted unencrypted.
- Denial of Service attack. I read an article about the existence of a DOS vulnerability in the Hotsync Manager. From what I could tell, it was very easy to send bad data to the Hotsync Manager, via a network connection, and this would cause the Hotsync Manager to hang or crash. I have not been able to find a reference saying this has been fixed. However, the article said the issue was in version 4.0.4.0 and earlier. Performing a quick test, I was able to crash Hotsync Manager 4.0, but I was not able to crash 6.0.1.

Side Note:

Most if not all of the Password issues and trusted vs untrusted desktops were fixed in Palm OS 6.0.

Mitigation:

I am theorizing only here. With the right software, it should be possible to set up a VPN connection between your hand-held and your local network before initiating the Hotsync. I think this would remove all of the vulnerabilities mentioned above.
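
An added example, not part of either post and not Palm's code: one way to check the VPN-only setup discussed above is to audit the router or firewall allow rules and flag any rule that lets the Hotsync ports in from outside the VPN subnet. The rule format, the sample rules and the 10.8.0.0/24 VPN subnet are constructed for illustration; the port numbers are the IANA-registered "palm-net" ports, which the thread does not state.

```python
import ipaddress

# Assumption: IANA "palm-net" ports used by Network HotSync (not given in the thread).
HOTSYNC_PORTS = {("tcp", 14238), ("udp", 14237)}

# Constructed sample rules in a made-up format: action proto source-CIDR dest-port[-range]
SAMPLE_RULES = """\
allow tcp 0.0.0.0/0 14238
allow udp 10.8.0.0/24 14237
allow tcp 10.8.0.0/24 14238
allow any 203.0.113.0/24 14000-15000
allow tcp 0.0.0.0/0 443
deny  udp 198.51.100.0/24 14237
"""


def parse_rule(line):
    """Split one rule line into (action, proto, source network, low port, high port)."""
    action, proto, source, ports = line.split()
    low, _, high = ports.partition("-")
    return action, proto, ipaddress.ip_network(source), int(low), int(high or low)


def exposed_rules(text, vpn_cidr):
    """Return allow rules that admit a Hotsync port from a source outside the VPN subnet.

    Rule ordering (first match wins, and so on) is not evaluated: every allow
    rule is checked on its own, so a finding means "review this rule".
    """
    vpn = ipaddress.ip_network(vpn_cidr)
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        action, proto, source, low, high = parse_rule(line)
        if action != "allow":
            continue
        # A rule matches if its protocol (or "any") and port range cover a Hotsync port.
        hits = sorted((p, n) for p, n in HOTSYNC_PORTS
                      if proto in (p, "any") and low <= n <= high)
        if hits and not source.subnet_of(vpn):
            findings.append((line.strip(), hits))
    return findings


if __name__ == "__main__":
    for rule, ports in exposed_rules(SAMPLE_RULES, "10.8.0.0/24"):
        print(f"EXPOSED {ports}: {rule}")
```

The wide port range in the fourth sample rule is the case that is easy to miss by eye: it never names a Hotsync port but still admits both.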