Highly classified environments may be using the same mechanisms to protect themselves against PDA risks. In “highly classified environments” I refer to environments in which security is a primary concern, enough of a concern that the computer systems are not connected to the Internet. Government agencies are an example. For them, the risk of using PDAs that are synched with local PCs goes way beyond the compromise of data that is on the PDA if the PDA is stolen. The other risk, that shall not be downplayed, is the risk of opening an untrusted interface to an otherwise isolated computer network.

Two components are required for a successful content leak from an isolated network: One is an agent application running within the network to collect (search, analyze, compress, and encrypt) the data of interest. This agent needs to somehow be installed on a relevant machine; a machine that can access the desired information and that can access the way out. The second component is the way out— some mechanism by which data can be exported to somewhere the opponent can find it. Highly classified networks are usually separated from untrusted networks to avoid both risks. Lack of connectivity reduces the risk of an agent being introduced to a computer on the network. Lack of connectivity also assures that even if an agent was somehow installed, it will find it impossible to export the information to a location from which the opponent can obtain it. Unfortunately, a synchronized PDA can invalidate both of these desired properties of the network.

The PDA synchronization conduit can generally be considered as non-harmful. Even the most extreme conspiracy theorist has not yet accused the vendors of PDA conduit software (the software that handles the synchronization of the PDA with the PC) of introducing intentional back-doors in their products; I think. However, the conduit code cannot be blindly considered as fully trustworthy either. The same distrust in software quality that leads to the physical separation of highly classified networks from non-trusted networks shall be applied to PDA synchronization conduits. Given the amount and the complexity of the data structures that conduits handle, a potential buffer overflow that may allow for the injection of arbitrary code is more than likely. An opponent who can obtain access to a PDA for a few seconds can easily add a new record that injects the agent code as soon as the next synchronization occurs.

Carrying out the second part of the job, that is, getting the collected information out, can be easier. All the agent needs to do is pack the collected information in an encrypted PDB file and place it in the install directory (in the case of PalmOS, as a non-restricting example). More complex routines can be used to avoid detection, such as to add the data as one or more native records. The synchronization process will take care of the rest. The sensitive documents are encrypted on the PDA, illegible by the probably-unsuspecting user. All that is left for the opponent to do is to get a hold of this PDA once again. This time he does not even need to give it back.

What is the best solution for this problem? I don’t know. Yet, there is one thing I can say: where you do not allow to connect an unclassified laptop — do not allow to connect an unclassified PDA either. This holds regardless of how you use this PDA and what you synchronize it with.