PDAs in highly classified environments
For a while now, IT security professionals have been warning about the impact of Personal Digital Assistants (PDAs) on corporate security. A PDA can be lost or stolen, leading to the unwanted disclosure of whatever information is on it. The emergence of micro-drives has given these tiny devices gigabytes of storage. Given that capacity, and the compact file formats a PDA uses (which make for smaller files), a modern PDA can easily hold its owner's entire document repository. That repository may contain masses of sensitive corporate information in a physical package that is far too easy to lose or to have stolen. This is a real threat to organizations, as Bruce Schneier also points out in his essay “Risks of Losing Portable Devices”.
Information security officers are aware of the risk and are trying to find solutions. The most immediate one that comes to mind is password-protecting the PDA. Since a password prompt on its own can be bypassed, encryption is added on top, enciphering all or some of the PDA's databases under a key that the user enters. This is a notable inconvenience for the user, who has to enter the key every time he looks up a phone number, an e-mail address, or a meeting time. It is clumsy, but it solves the problem. Does it solve every problem, though?
No; at least not for everyone, in my opinion.
Highly classified environments may well rely on the same mechanisms to protect themselves against PDA risks. By “highly classified environments” I mean environments in which security is a primary concern, enough of a concern that the computer systems are not connected to the Internet. Government agencies are one example. For them, the risk of using PDAs that are synchronized with local PCs goes well beyond the compromise of the data on the PDA if it is stolen. The other risk, which should not be downplayed, is that of opening an untrusted interface into an otherwise isolated computer network.
Two components are required for a successful content leak from an isolated network. The first is an agent application running inside the network to collect (search, analyze, compress, and encrypt) the data of interest. This agent somehow has to be installed on a relevant machine: one that can reach both the desired information and the way out. The second component is the way out itself: some mechanism by which the data can be exported to a place where the opponent can retrieve it. Highly classified networks are usually separated from untrusted networks precisely to counter both. Lack of connectivity reduces the risk of an agent being introduced onto a computer on the network, and it also ensures that even if an agent were somehow installed, it would have no way to export the information to a location the opponent can reach. Unfortunately, a synchronized PDA can invalidate both of these desirable properties of the network.
The PDA synchronization conduit itself can generally be considered non-malicious. Even the most extreme conspiracy theorist has not yet accused the vendors of conduit software (the software that handles synchronization between the PDA and the PC) of putting intentional back-doors in their products; I think. However, the conduit code cannot be blindly trusted either. The same distrust of software quality that leads to the physical separation of highly classified networks from untrusted ones should be applied to synchronization conduits. Given the amount and complexity of the data structures a conduit parses, a buffer overflow that allows the injection of arbitrary code is more than likely. Such a bug is exploited on the PC side, where the conduit runs, and that PC is a machine inside the isolated network. An opponent who gets hold of the PDA for a few seconds can add a record crafted to trigger the bug and inject the agent the moment the next synchronization runs.
Carrying out the second part of the job, getting the collected information out, can be even easier. All the agent needs to do is pack the collected information into an encrypted PDB file and drop it in the install directory (taking PalmOS as one example among many). A more careful agent can avoid detection by adding the data as one or more records of a native database instead. The synchronization process takes care of the rest. The sensitive documents are now on the PDA, encrypted and illegible to its probably unsuspecting owner. All that is left for the opponent is to get hold of the PDA once more; this time he does not even need to give it back.
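Both halves of the attack above pass through the same place: the set of PDB files staged for the next synchronization. A crafted record aimed at the conduit's parser and an unexpected database full of ciphertext both sit there before the conduit touches them, so that directory is where a practitioner can put a check. The script below is an added example, not code from the original post or from any conduit vendor. It parses the published PalmOS PDB layout (a 78-byte header followed by 8-byte record entries), rejects any file whose record list is inconsistent, and then audits each database against a policy. The policy values are assumptions made for the example: an allow-list holding the creator codes of the built-in Memo, Address and Date Book databases, a 4 KiB ceiling per record, and a 7.5 bits/byte entropy threshold for flagging payloads that look encrypted. The three sample files are constructed in the script so that it runs offline.

```python
"""Audit PalmOS PDB files staged for sync. Added example (not from the original post):
header/record-list layout is the published PDB format; policy values and samples are assumed."""
import hashlib
import math
import struct
from collections import Counter

PDB_HEADER = struct.Struct(">32sHHIIIIII4s4sIIH")  # 78-byte header
RECORD_ENTRY = struct.Struct(">IB3s")              # offset, attributes, 3-byte unique id

# Assumed policy: built-in Memo, Address and Date Book databases only, no record
# above 4 KiB, and payloads of 256+ bytes near 8 bits/byte treated as ciphertext.
ALLOWED_DBS = {(b"DATA", b"memo"), (b"DATA", b"addr"), (b"DATA", b"date")}
MAX_RECORD_BYTES = 4096
ENTROPY_THRESHOLD = 7.5
ENTROPY_MIN_LEN = 256


class PdbError(ValueError):
    """File structure cannot be trusted; hand none of its records to a handler."""


def parse_pdb(blob):
    """Return (name, type, creator, [(unique_id, data), ...]) or raise PdbError.
    Record offsets must be in bounds and increasing, so lengths come from the file itself."""
    if len(blob) < PDB_HEADER.size:
        raise PdbError("truncated header")
    fields = PDB_HEADER.unpack_from(blob)
    db_type, creator, _seed, next_list, num_records = fields[9:]
    if next_list != 0:
        raise PdbError("chained record lists are not supported")
    list_end = PDB_HEADER.size + num_records * RECORD_ENTRY.size
    if list_end > len(blob):
        raise PdbError(f"record list of {num_records} entries overruns the file")
    entries = [RECORD_ENTRY.unpack_from(blob, PDB_HEADER.size + i * RECORD_ENTRY.size)
               for i in range(num_records)]
    offsets = [entry[0] for entry in entries] + [len(blob)]
    previous = list_end
    for off in offsets[:-1]:
        if off < previous or off > len(blob):
            raise PdbError(f"record offset {off} out of order or out of bounds")
        previous = off
    records = [(int.from_bytes(uid, "big"), blob[off:offsets[i + 1]])
               for i, (off, _attrs, uid) in enumerate(entries)]
    name = fields[0].split(b"\0", 1)[0].decode("ascii", "replace")
    return name, db_type, creator, records


def shannon_entropy(data):
    """Bits per byte; encrypted or compressed payloads sit close to 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def audit_file(blob):
    """Findings for one staged database; an empty list means it matched policy."""
    try:
        name, db_type, creator, records = parse_pdb(blob)
    except PdbError as exc:
        return [f"malformed: {exc}"]
    findings = []
    if (db_type, creator) not in ALLOWED_DBS:
        findings.append(f"unexpected database {db_type!r}/{creator!r} ({name})")
    for uid, data in records:
        if len(data) > MAX_RECORD_BYTES:
            findings.append(f"oversized record {uid} ({len(data)} bytes)")
        if len(data) >= ENTROPY_MIN_LEN and shannon_entropy(data) > ENTROPY_THRESHOLD:
            findings.append(f"high-entropy record {uid} ({shannon_entropy(data):.2f} bits/byte)")
    return findings


# Constructed samples (not real PDA data) so the script runs offline.
def build_pdb(name, db_type, creator, payloads):
    off = PDB_HEADER.size + len(payloads) * RECORD_ENTRY.size + 2   # 2-byte gap after list
    header = PDB_HEADER.pack(name.ljust(32, b"\0"), 0, 1, 0, 0, 0, 0, 0, 0,
                             db_type, creator, 0, 0, len(payloads))
    entries = b""
    for i, payload in enumerate(payloads):
        entries += RECORD_ENTRY.pack(off, 0, (i + 1).to_bytes(3, "big"))
        off += len(payload)
    return header + entries + b"\0\0" + b"".join(payloads)

def _pseudo_random(n):   # deterministic stand-in for ciphertext (SHA-256 chain)
    out, block = bytearray(), b"example"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])

BENIGN = build_pdb(b"MemoDB", b"DATA", b"memo",
                   [b"Call the vendor about the conduit update\0", b"Team meeting at 14:00\0"])
SUSPECT = build_pdb(b"Sync Helper", b"DATA", b"xfer", [_pseudo_random(8192)])
MALFORMED = bytearray(BENIGN)
struct.pack_into(">I", MALFORMED, PDB_HEADER.size, 0xFFFF)   # first record offset past EOF

if __name__ == "__main__":
    for fname, blob in {"MemoDB.pdb": BENIGN, "SyncHelper.pdb": SUSPECT, "Broken.pdb": MALFORMED}.items():
        print(fname, "; ".join(audit_file(blob)) or "OK")
```

To use it on a real machine, read each `.pdb` in the install and backup folders into bytes and pass it to `audit_file`; an empty list means the file matched policy. The bounds checks in `parse_pdb` are the same ones a conduit has to perform on every record it receives, and running them first keeps a file with an inconsistent record list from ever reaching the conduit's own parser. The entropy check will also flag legitimately compressed or encrypted user data, so treat its output as a review queue rather than an automatic block; what it cannot do is vouch for the conduit code itself, which is the reason the recommendation at the end of this post stands regardless.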
What is the best solution to this problem? I don’t know. There is one thing I can say, though: where you do not allow an unclassified laptop to be connected, do not allow an unclassified PDA to be connected either. This holds regardless of how you use the PDA and what you synchronize it with.