COMMAND

    Starfish Truesync Desktop + REX 5000 Pro

SYSTEMS AFFECTED

    Starfish Truesync Desktop + REX 5000 Pro

PROBLEM

    Valentin Butanescu found the following.  REX 5000 is a credit-card
    sized PDA made by Xircom (which is now "An Intel Company").  It
    comes with a good PIM program, Starfish Truesync Desktop (which is
    probably a new rewrite of the well-known Starfish Sidekick).
    Valentin downloaded the latest version, 2.0b, and noticed a couple
    of vulnerabilities.

    1. Like many other PIMs (or word processors, etc.), Truesync
       Desktop allows you to set a password for accessing the files
       with contacts, notes, etc.  But a. the actual files are not
       encrypted, not even "scrambled", so anybody with access to the
       files can view them anyway, and b. the password is stored in
       the registry, under the key

        HKEY_LOCAL_MACHINE\SOFTWARE\Starfish\TrueSync Desktop\Version 1\PASSWORD\pswd

       The algorithm for storing the password is obvious: if the
       password is abc the key is 097098099, i.e. the three-digit
       ASCII codes of the letters concatenated.  No other comments.

    2. The device itself has 6 keys, and you can set a 5-key password
       (this is different from the password above).  The keyspace is
       therefore 6^5 = 7776 possible keys (almost a 13-bit key, wow!).
       It is somewhat cumbersome to brute-force through the keypad,
       but using the (included) serial cradle to brute-force 7776 keys
       is a one-hour task.  The fatal flaw here is that there is no
       delay between password attempts (preferably a delay that
       increases with the number of unsuccessful attempts).

    3. The included software can also be used to make backups of the
       entire device.  Any manipulation of the device or the backups
       requires the device password (if one uses the included
       software), so a normal user will assume that the data is
       somehow safe.  But no: the backup file includes the device
       password in cleartext!
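    The following is an added example, not code from the advisory or
    from Starfish.  It implements the registry encoding described in
    item 1 (each character replaced by its zero-padded three-digit
    ASCII code, as the abc -> 097098099 example shows) to make the
    point that the stored value is a reversible encoding, not a hash
    or a cipher, and places beside it a salted, iterated password
    verifier of the kind a program should store instead.  The
    three-digit grouping and the PBKDF2-HMAC-SHA256 parameters are
    assumptions of this example.

```python
"""Added example: TrueSync-style password "storage" next to a proper verifier.

The encode/decode pair shows that the registry value under
HKLM\SOFTWARE\Starfish\TrueSync Desktop\Version 1\PASSWORD\pswd is
recoverable by anyone who can read it.  make_verifier/check_password
show a salted, iterated hash that does not reveal the password.
"""
import hashlib
import hmac
import os


def encode_truesync(password: str) -> str:
    """Concatenate the zero-padded three-digit ASCII code of each character.

    "abc" -> "097098099" (the example given in the advisory).  The
    three-digit grouping is an assumption drawn from that example.
    """
    if any(ord(c) > 255 for c in password):
        raise ValueError("encoding only defined for 8-bit characters")
    return "".join(f"{ord(c):03d}" for c in password)


def decode_truesync(stored: str) -> str:
    """Invert encode_truesync: the scheme is a reversible encoding, so the
    stored value is equivalent to the cleartext password."""
    if not stored.isdigit() or len(stored) % 3 != 0:
        raise ValueError("not a TrueSync-style encoded value")
    return "".join(chr(int(stored[i:i + 3])) for i in range(0, len(stored), 3))


def make_verifier(password: str, iterations: int = 200_000) -> dict:
    """Build a password verifier from a random salt and PBKDF2-HMAC-SHA256.

    Only salt, iteration count and digest are stored; the password itself
    cannot be read back from them.  Parameters are this example's choice.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def check_password(candidate: str, verifier: dict) -> bool:
    """Recompute the digest for a candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), verifier["salt"], verifier["iterations"]
    )
    return hmac.compare_digest(digest, verifier["digest"])


if __name__ == "__main__":
    stored = encode_truesync("abc")
    print("registry value:", stored, "-> recovers", decode_truesync(stored))
    v = make_verifier("abc")
    print("verifier accepts abc:", check_password("abc", v))
    print("verifier accepts abd:", check_password("abd", v))
```

    Reading the encoded registry value back is a two-line operation, so
    any account that can read that key has the password; the verifier
    form forces an attacker to guess and test each candidate instead.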

SOLUTION

    A. For the software.  Use a strong symmetric encryption algorithm
       to encrypt the data.  This will require a major rewrite of the
       software.  As a workaround you can store all the data on an
       encrypted filesystem, like PGPdisk or Jetico's BestCrypt.

    B. For the device.  Entering and remembering 128 bits with 6 keys
       would be very hard, and no user will be willing to remember and
       enter 50 (!) keys each time.  But what the manufacturer can do
       is add a delay (preferably one that grows exponentially with
       the number of unsuccessful retries).
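    As an added illustration of item 2 of the problem and of solution B
    (not code from the advisory), the model below computes the size of
    the 6-key, 5-position keyspace and compares the time needed to try
    every key with no delay against the time with an exponentially
    growing lockout after each failure.  The per-attempt cost is taken
    from the advisory's own figure (7776 attempts in about one hour
    over the cradle); the one-second starting delay, the doubling
    factor and the one-hour cap are this example's assumptions.

```python
"""Added example: effect of a growing inter-attempt delay on exhaustive search.

keyspace()/entropy_bits() reproduce the advisory's 7776-key, ~13-bit
figure; time_to_exhaust() models a serial-cradle search with and
without a lockout delay that grows after every failed attempt.
"""
import math

KEYS = 6            # keys on the REX 5000 keypad (from the advisory)
LENGTH = 5          # password length in keys (from the advisory)
ONE_HOUR = 3600.0   # the advisory's estimate for trying all keys via the cradle


def keyspace(keys: int, length: int) -> int:
    """Number of distinct passwords of `length` positions over `keys` symbols."""
    return keys ** length


def entropy_bits(size: int) -> float:
    """Equivalent key length in bits for a keyspace of `size` values."""
    return math.log2(size)


def time_to_exhaust(size: int, attempt_seconds: float,
                    base_delay: int = 0, factor: int = 1, cap: int = 3600) -> float:
    """Seconds needed to try all `size` keys in sequence.

    After the n-th consecutive failure the device imposes a delay of
    min(base_delay * factor**(n-1), cap) seconds (no delay at all when
    base_delay is 0, which is the advisory's description of the device).
    The delay is tracked incrementally so it never overflows.
    """
    total = 0.0
    delay = 0
    for attempt in range(1, size + 1):
        total += attempt_seconds + delay      # wait out the lockout, then try one key
        if attempt < size:                    # this attempt failed: compute the next delay
            delay = base_delay if delay == 0 else min(delay * factor, cap)
    return total


def days(seconds: float) -> float:
    return seconds / 86400.0


if __name__ == "__main__":
    size = keyspace(KEYS, LENGTH)
    per_attempt = ONE_HOUR / size             # ~0.46 s per attempt over the cradle
    print(f"keyspace: {size} keys, {entropy_bits(size):.2f} bits")
    print(f"no delay:           {days(time_to_exhaust(size, per_attempt)):.3f} days")
    with_backoff = time_to_exhaust(size, per_attempt, base_delay=1, factor=2, cap=3600)
    print(f"exponential backoff: {days(with_backoff):.1f} days")
```

    With the assumed doubling delay the lockout reaches the one-hour
    cap after about a dozen failures, so exhausting the same 7776 keys
    takes roughly 324 days instead of one hour; the keyspace is
    unchanged, only the attacker's attempt rate is.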