
By Robert Lemos
Posted on ZDNet News: Mar 2, 2001 12:00:00 AM

People who rely on passwords to keep strangers from poking through the data stored on their Palms actually have no protection at all, a network security company warns.

In an alert posted Thursday, @Stake pointed to a back door in the Palm operating system that allows anyone with developer tools to access data on handhelds that have been "locked" with a password.

If someone finds or steals a Palm, the owner's data is basically an open book. And the theft of mobile devices for their data is becoming more common.

"This is the nail in the coffin of the notion that the Palm has any security for your data," said Chris Wysopal, director of research and development for Cambridge, Mass.-based @Stake.

"Any attacker with a laptop and a serial (syncing) cable is pretty much able to access everything on the device," he said.

Handspring's Visor handhelds and Sony's Clie use the Palm OS.

Palm representatives would not immediately comment on the advisory.

The security flaw is actually in the OS for a reason. Palm software engineers and many of its application developers use the back door to debug applications running on the handheld. Many of them do not consider it to be a security issue, Wysopal said.

However, few people who use the devices realize that using a password will keep only the casually curious from looking at their data.

For that reason, @Stake said, it released the warning.

"It's equivalent to adding a password to your PC's screensaver. There's no true security in that," said Wysopal, who is known in the security community by his hacker handle, Weld Pond.

Last September, @Stake discovered that the encrypted password used by Palm OS to protect so-called private records from prying eyes could easily be broken. With the discovery of the latest back door, it would seem that no data is safe.

With a laptop loaded with developer tools and a sync cable, anyone who obtains access to a handheld can access the owner's data, add or delete applications, and format the memory card.

Even Palm handhelds protected by encryption software could be compromised by using the back door to load a program to record all passwords as they are entered.

Wysopal warned that weak Palm security could lead to other compromises as well.

"You have corporate administrators keeping their company's critical passwords on their Palm because they think it is secure," he said.

The back door affects all current versions of the Palm OS, Wysopal said. Palm OS 4.0, due later this year, is expected to correct the problem.
