Palm Security: Case study

ahwong999 · #1 (**permalink**) 09-04-2005, 03:13 PM

Bluetooth security adoption has not been very positive, so I am writing an article to introduce Bluekey and how to maximize this application for your PDA. So here goes:

Intro: PDA Security Overview

A PDA will likely be used to store highly personal and confidential data. Think credit card numbers, passwords and business data. To prevent unauthorized access to these data, it is necessary to at least protect the PDA with some sort of security application. Most PDAs have a simple security program pre-installed. But is it enough to prevent the PDA from being accessed? Is it simple and flexible enough to be used everyday? These are the two main areas that this article will be covering. There is a general law that states that a security is proportional to the number of steps. Think of a single lock door compared to a two lock door. More locks = more security = longer time to unlock.

Security solutions

What is the ideal security application? One that authorizes you, and only you with the least intervention. It is also critical that nobody but you knows how the unlock mechanism is. The less somebody knows about it, the less chances that it will be cracked or bypassed. There are many security solutions. They are passwords, buttons, images and the latest Bluetooth. Each security solution will be compared here

Passwords

A password is the simplest from of protection for your PDA. Most, if not all, in-built security application uses this method to protect your handheld. The reason is that it works fairly well over different devices with little incompatibility problem. During setup, the user will have to define a password which will be used to unlock the PDA when the security application is activated. All seems fairly good and simple as it is. But… what is the catch for this method. Two that I can think of. Firstly, the choice of password is very critical. It is recommended to have a long password and a senseless one is best. Example “1jd7xjf4”. This ensures that the password cannot be easily guessed by other users. This leads to the second problem, a longer password will require more time to unlock. What is the average time to turn on your handheld, take out the stylus, write an 8 character password? Providing you do remember your password.

Buttons

Buttons… most Palm OS devices have at least four hard buttons and at least two directional up down buttons. Some applications use a combination of button presses to unlock the handheld. A good tradeoff between unlock time and security. But as in the password case, more security requires more button presses which leads to longer unlock time.

Images

Image unlocking methodology is a better approach to security. It requires the user to tap on a specific point in the image to unlock the handheld. In most occasions, the user usually will set the unlock point on a prominent point on an image, i.e. nose of Mona Lisa, peak of Eiffel tower, hometown on a map, etc. A smart and observant person can easily break this method. Fast unlocks but is it secure enough?

Bluetooth

Bluetooth is a unique method of securing a PDA. Bluetooth devices are becoming very common and are suitable for this application. During setup, Bluetooth devices are assigned to be used as “Keys”. There are two approaches to implementing a Bluetooth security system. One is using discovery mode and another is direct connection mode. Both have their advantages and disadvantages. For discovery mode, the PDA will attempt to search for all devices within its Bluetooth radio range, typically 10m for a PDA. From the search, the PDA will do a comparison with the “Keys” that were previously assigned. If any of them matches, the PDA will unlock. The advantage of this is that multiple devices can be compared simultaneously resulting in faster unlock times. The downside is that the “Keys” will always have to be in discoverable mode, a rather dangerous step as they will be vulnerable to attacks (Bluejacking…). The second method, direct connection, is more reliable. The “Keys” need not be in discoverable mode but “Bluetooth” must be enabled. The PDA will attempt a direct connection to the “Keys”. The downside is that only a single connection can be attempted at any one time. If the device is available, the respond time will determine the unlock time. This ranges from less than 3 seconds to about 8 seconds. The good thing about Bluetooth unlocks are that they are easy to use and highly secure (as long as you don’t lose both devices). This method also does not require any stylus taps or button presses. You don’t even need to remember any passwords to do an unlock.

Bluekey
Bluekey is a Palm OS application that uses the second Bluetooth method to secure your handheld. Bluekey was developed with a few points in mind. Firstly, of course, the program must be secure. Second, the program must be easy to use. Third, the program must be flexible enough to suit everybody. For the program to be secure, we have used Bluetooth as our choice of unlock mechanism. The advantages of Bluetooth unlock has been discussed above. The program will even cover soft and warm resets. Ease of use. What do you think of a program that will automatically authenticate itself on power without any user intervention? Easy enough I would say. Flexibility. Profiles, multiple devices support and passwords as a last resort.

Bluekey allows three applications per profile. Say you are mostly in your office from 9-5 and at home the rest of the time. So you can set a profile for work to use your office PC as a “key”. Off work, you can set your phone, home PC or even your headset as “keys”. Each profile enables you to select three devices as “keys” with variable timeouts for each.

Another feature of Bluekey is application lock. You can prevent unauthorized access to certain application if Bluekey fails to authenticate you. Another innovative method of using Bluetooth is location lock. Say you are the MIS administrator for your company and you want to disallow access to confidential data out of the company. You can lock the application to your company’s Bluetooth network. Once out of the company, the application will not be able to authenticate and the data will be secured. Of course other applications on the PDA can function as normal. The possibilities are limitless.

Conclusion

Faster unlocks, less intervention. Bluetooth security is the future.

Bluekey… securing effortlessly… wirelessly.