Fogie begins by pointing out that attacking a PDA is not as easy as attacking a PC: the operating system is in ROM, PDAs tend to be unique, and the art of exploiting PDAs is relatively new, he notes. But if a hacker is willing to accept these limitations and is sufficiently obsessed, there are a number of ways that PDAs can be exploited.
Fogie explains how cabinet files and the autorun feature of removable media cards can be used to introduce malicious programs. He shows how Pocket Internet Explorer can be used to trick users into revealing personal information. Additionally, the Soft Input Panel (SIP) that substitutes for a hardware keyboard on Pocket PCs can easily be replaced by a seemingly identical program that is also a keystroke logger, according to Fogie.
But beyond simple attacks on the device itself, a PDA can be a powerful tool for attacking corporate networks. Fogie shows how a Linux-based PDA equipped with WiFi, an Ethernet card, and a "sniffer" program can be surreptitiously plugged into a network behind the firewall to create a "drop and go" backdoor.
[In]Secure magazine is available as a PDF download here. The article by Seth Fogie is titled "PDA attacks: palm sized devices -- PC sized threats."