Yale University

ITS Mobile Technology


Mobile technology & security for handhelds

Overview

A personal digital assistant (PDA) is a handheld device that combines computing, telephone/fax, email and networking features. PDA security should be a serious concern for every handheld device user. PDAs are very portable, which makes them easy targets for thieves and easy to misplace or lose. Free programs are publicly available that allow someone to bypass the default Palm OS security system.

You must comply with all University HIPAA (Health Insurance Portability and Accountability Act) Privacy and Security policies:

  • If you belong to one of the University's HIPAA - Health Covered Components and want to use mobile technology for email exchange, the hardware you purchase needs to support email exchange that complies with the University Electronic Communication of Health Related Information policy. Consult with your IT support provider before making a purchase to determine the most appropriate device.
  • If electronic Protected Health Information (ePHI) is stored on the device, data should be encrypted and access should be password protected.
  • If ePHI is transmitted during synchronization, then ensure proper user/device authentication before transmitting data and maintain an audit trail.
  • If ePHI is transmitted wirelessly, then ensure proper user/device authentication before transmission and encrypt data during the transmission (see VPN).
  • To protect data if the PDA is lost or stolen, use user ID and password-level security, user/device validation during synchronization, and encryption of the data stored on the PDA. These recommendations may change as HIPAA compliance at Yale University is implemented and as technology changes.

As more and more mission-critical information is stored on handhelds, the need to secure that information has become a top-priority IT challenge. Data security begins with basic password protection for locking access to a handheld computer and hiding records. These capabilities are inherent in the operating system of Palm OS handhelds.

At the PalmSource 2000 conference, Palm announced that version 4.0 of the Palm OS will support enhancements to the built-in security application, such as various ways to enable automatic device locking (“Never,” “On power off,” “At a preset time,” “After a preset delay”). Palm OS 4.0 also offers new encryption, integration with the Palm Desktop software, and password hinting for unlocking sensitive data. For example, when users set up passwords, they can enter a short hint that only the user would know to help in case of forgotten passwords. The Palm OS 4.0 upgrade will be available in the summer of 2001 for the Palm III, IIIx, IIIxe, IIIc, V and Vx. (Check back here for updates on the availability of Palm OS 4.0.)

A number of vendors are capitalizing on the momentum in the handheld market by providing enhanced password protection that offers a wide range of capabilities. For example, one option requires pressing a specific combination of buttons, another requires the use of a stylus to write a unique character on the handheld screen, and yet another requires tapping a unique ID on an ATM-style keypad on the handheld screen before access is given. Some excellent solutions from Palm OS developers for protecting data from unauthorized access are provided below.

Wireless security

It is best practice to enable VPN whenever making a wireless connection.

PDA data encryption and protection

Limiting access to the device using password protection is an excellent starting point, but may not go far enough for certain security-sensitive applications. Often it is necessary to provide a redundant level of protection by encrypting particular databases or applications. For the Palm OS, on-device data protection and encryption generally takes one of four forms:

  • Encryption of private records
  • Encryption of the entire Memo Pad
  • Organization and encryption of the user’s passwords or other confidential bits of information
  • Encryption of databases.

Some very sophisticated algorithms for data protection on the device have been developed, using standards well known throughout the cryptographic community such as Blowfish, IDEA, SAFER-SK, and 3DES. The Palm OS supports private records: a special flag that can be set for individual entries in the Address Book, Calendar, Memo Pad, and Tasks/ToDo. The user can then assign a password and enable record hiding within the Security application, which ships with every Palm OS device. This prevents an unauthorized user from seeing records marked as private on the device.
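An added example (not from the original page or from any Palm tool): the private flag is a single bit in each record's attribute byte in the Palm database (PDB) file format, so a HotSync backup can be audited for records that are flagged private yet still stored as readable text. The 0.9 printable-byte threshold, the function names and the sample database are assumptions constructed for illustration.

```python
import struct

SECRET = 0x10          # dmRecAttrSecret: the "private" bit in a record's attribute byte
HEADER_LEN = 78        # fixed PDB header; the record count is its last 2 bytes
ENTRY_LEN = 8          # per record: 4-byte offset, 1 attribute byte, 3-byte unique ID

def private_records(pdb: bytes):
    """Return (index, category, looks_like_text) for each record flagged private."""
    if len(pdb) < HEADER_LEN:
        raise ValueError("truncated PDB header")
    (count,) = struct.unpack_from(">H", pdb, HEADER_LEN - 2)
    table_end = HEADER_LEN + count * ENTRY_LEN
    if len(pdb) < table_end:
        raise ValueError("truncated record list")
    entries = [struct.unpack_from(">IB3s", pdb, HEADER_LEN + i * ENTRY_LEN)
               for i in range(count)]
    findings = []
    for i, (offset, attr, _uid) in enumerate(entries):
        end = entries[i + 1][0] if i + 1 < count else len(pdb)
        if not table_end <= offset <= end <= len(pdb):
            raise ValueError(f"record {i} has a bad offset")
        if attr & SECRET:
            body = pdb[offset:end]
            printable = sum(32 <= b < 127 or b in (9, 10) for b in body)
            # Heuristic (assumption): mostly printable bytes means stored unencrypted.
            findings.append((i, attr & 0x0F, bool(body) and printable / len(body) > 0.9))
    return findings

def build_sample_pdb(records):
    """Constructed test input: a minimal PDB from (attribute_byte, body) pairs."""
    header = struct.pack(">32sHHIIIIII4s4sIIH", b"MemoDB", 0, 0, 0, 0, 0, 0, 0, 0,
                         b"DATA", b"memo", 0, 0, len(records))
    offset = HEADER_LEN + len(records) * ENTRY_LEN
    table, data = b"", b""
    for uid, (attr, body) in enumerate(records, 1):
        table += struct.pack(">IB3s", offset, attr, uid.to_bytes(3, "big"))
        data += body
        offset += len(body)
    return header + table + data

SAMPLE = build_sample_pdb([
    (0x00, b"Lunch with Sam\x00"),                            # public record
    (0x11, b"Clinic door code: see binder\n"),                # private, category 1, readable
    (0x10, bytes([0x8F, 0x02, 0xE1, 0x7A, 0xC4, 0x99, 0x13, 0xD0])),  # private, opaque bytes
])

if __name__ == "__main__":
    for index, category, plaintext in private_records(SAMPLE):
        print(index, category, "PLAINTEXT" if plaintext else "opaque")
```

Records reported as readable text are the ones to move under one of the encryption products listed below.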

  • PDASecure:
    With PDASecure, you can control who can access your data with a wireless handheld device, and you can encrypt all the data or password-protect applications, so that they are useless if stolen or compromised.
  • MemoSafe:
    For encryption of the entire Memo Pad, MemoSafe from DeepNet is a $7 product that uses the public-domain SAFER-SK block cipher to encrypt Memo Pad records without changing the Memo Pad's functionality. Encrypted memos are shown with a lock symbol.
  • PDA Defense:
    PDA Defense is intended for Palm OS users who desire a higher level of protection for the data residing on their PDAs than other applications currently provide. PDA Defense is an application that WILL delete all the data and applications residing on your PDA if unauthorized attempts are made to access your device (with the "bomb" enabled). You MUST set a password that you will not forget. If you do forget your password, you will have to rely on restoring your data and applications from your HotSync or backup.
  • Secure Digital:
    Secure Digital (SD) Memory Card provides the ability to manually write-protect data. Palm m500 and m505 include an SD expansion slot.

Securing data on a multi-user PDA

Another level of security can be provided by offerings such as Restrictor or Enforcer. Restrictor allows an administrator to create profile categories for different users, as well as a default profile, on a single PDA. These profiles limit the applications that each user has access to. With the use of passwords, each profile may only log on to applications or records that the administrator deems appropriate. Enforcer provides different profiles for different users and shared handhelds (Palm OS).

PDA password protection

  • OnlyMe from Tranzoa (www.tranzoa.com) automatically locks a Palm OS handheld whenever the device is turned off and will ensure that no one can read the information on the device without entering the right password.

Minimizing loss and theft

Companies such as Kensington Technology Group offer PDA Saver™, which uses a galvanized steel cable and a lock to secure a handheld to the desktop environment. Several innovative companies are applying new technologies such as motion detection and proximity alarms to the handheld world. The personal nature of handhelds has led to some stylish interpretations of restraint devices such as the Palm V neck strap from Force Technology that offers a bond product and neck chain to attach handhelds to a user's body.

Antivirus

The handheld industry experienced its first virus in 2000. Patches were posted within hours by a variety of vendors that create anti-viral software. Virus attacks are nothing new. Any electronic platform can be susceptible to hackers who create viruses. But just as the usage model for a PC is very different from that of a handheld, so are the operating system and the potential impact of viruses, worms, and Trojan horses.

The Palm OS has to date been relatively safe from attack, despite considerable coverage in the media. Safeguards built into the Palm OS protect user data on many levels, making Palm handhelds by nature very secure from these kinds of attacks. In contrast, handhelds based on Windows CE are exposed or vulnerable to the thousands of viruses that currently permeate the Windows world.

In addition, infrared beaming is by nature secure since it requires close physical proximity (4 feet or less) to the beaming device, and the recipient is prompted and must tap on the screen to accept all incoming beams (there are no unsolicited beams). Palm OS devices also have built-in “sleep” thresholds (typically 1-3 minutes), and when sleeping the device cannot accept an incoming infrared beam. The user also has the option to disable beam receive altogether through the system preferences on the device.

In addition, Palm handheld computers are not susceptible to viruses developed for the Windows platform (email attachment-based or otherwise), and also cannot be used to stage viruses passed to the device then back to the desktop. Third-party products developed for Palm OS, such as DocumentsToGo from DataViz, Inc. and QuickOffice, remove macros from Microsoft Word and Excel files upon transmission to the device.

Even though to date there have been no true replicating viruses, Palm takes this threat very seriously and is working with best-in-class anti-virus software vendors such as Symantec, McAfee, and Computer Associates to ensure protection against potential hacker threats.

  • Symantec's Antivirus product SAV for Handhelds is available for PalmOS 3.5/4.x/5 and Pocket PC 2002/Windows Mobile 2003.
  • Computer Associates (www.ca.com) recently announced the availability of InoculateIT for the Palm OS platform. InoculateIT offers virus detection for PalmOS v3.0 or greater devices. InoculateIT for Palm OS Platform is specifically designed to provide immediate and complete protection against all current known malicious attacks targeted at the Palm OS platform.
  • Network Associates/McAfee (www.networkassociates.com) offers VirusScan Wireless, which is deployed to users through an email link, provides automatic updates based on a schedule individual users set, and scans files during synchronization operations.
  • F-Secure (www.f-secure.com) developed the F-Secure Antivirus for Palm, specifically to target the “Phage” code, which was discovered in September of 2000. Phage is capable of overwriting executables but does not harm databases. The symptom of its presence is the screen going blank when running an application.
  • PC-cillin provides automatic real-time launch scanning to prevent viruses that enter the device from every possible entry point - beaming, synching, email and Internet downloading. Real-time launch scanning activates whenever applications on the device are launched and prevents viruses from activating on the device. PC-cillin — Palm/EPOC/Pocket PC.


Last modified: Tuesday, 08-Jul-2008 13:12:30 EDT. (jl)