Backdoor Debug Modes

Designed into the Palm OS is an RS232-based ``Palm Debugger'', which provides source- and assembly-level debugging of Palm OS executables and the administration of databases existing on the physical device [21].

Entering a short keystroke combination [21], the Palm OS device enters one of two interfaces provided by the Palm Debugger and monitors the serial port for communication. ``Console mode'' interacts with a high-level debugger and is used mostly for the manipulation of databases. ``Debug mode'' is typically used for assembly- and register-level debugging. A soft-reset of the Palm device will exit debug mode, leaving no proof of prior use.

The Palm Debugger can be activated even if the Palm OS lockout functionality is enabled (which is currently assumed by most users to be a sufficient protection feature, because a password is required before the device becomes operational). This problem is verified to concern Palm OS versions 3.5.2 and earlier.

Aside from the specific attack of retrieving the obfuscated system password block by using export 0 "Unsaved Preferences" and decoding as detailed in §4.1, it is possible to access all database and record information on the entire Palm OS device [16]. For example, using the import console command, one can load a Palm OS application into the device, therefore side-stepping any HotSync or beaming operations and logging mechanisms. A complete listing of console and debug commands can be found in [21].

Because the debug modes communicate with the host via the serial port, it would be possible to create a Palm OS-based application to emulate the required commands and, with a modified HotSync cable, be used for the retrieval of passwords or other data in a mobile fashion. When the possibility exists to retrieve data from a portable device while ``in the field'' and not requiring the use of a desktop computer, the threat of physical attacks increases greatly.