July 11, 2002 12:50 PM PDT
Linux handheld suffers from security hole
The flaws let attackers take control of the device's file system, giving them the power to overwrite files or lock the device so no data can be input through the keypad or touch screen.
The biggest potential threat, though, exists when the device is wirelessly connected to a company's network, where sensitive data might be stored. The flaws would enable attackers to download and upload files.
"These vulnerabilities mean that the Zaurus can be used as a launching point to attack the network," said K. Reid Wightman, one of the researchers who worked on the advisory.
Security holes are not likely to help Zaurus' already delicate prospects.
Large businesses are the company's target audience with the device, but, being Linux-based, the gadget was already at risk of being overlooked by corporate IT buyers. Though Linux has become a fact of life in the computing world and has been adopted for limited use by a number of companies, Linux handhelds remain a rarity.
The Syracuse researchers notified Sharp of the vulnerabilities, according to the advisory, and Sharp spokeswoman Nancy Boyle Levene said the company is working on a patch. It's not yet clear, though, when the fix will be available, she said.
"Thus far, (the Zaurus has) been primarily a consumer product, so it isn't a major problem for businesses," Levene said, adding that Sharp anticipates greater business interest in the Zaurus once the company makes its mobile services available in October.
Linux is an open-source operating system, giving developers equal access to the code. Many consider that an advantage in a situation like this, as security flaws are found quickly and fixes and other software improvements can be added by a whole community of programmers, not just those employed by a particular company. However, Sharp has not released the source code for the Zaurus' particular operating system to the open-source community, nor has it integrated any community updates to its OS, choosing instead to go a more proprietary route.
"Sharp committed to Linux and the open-source community, but they've realized that they don't want to live the lifestyle," said a source familiar with the company's plans.
The source added that there is an OS in the open-source community, called OpenZaurus, that is compatible with the software included on the Zaurus. Sharp is using a modified version of Lineo's Embedix Plus PDA OS in its Zaurus handheld device. The Embedix Plus PDA OS is built around the Linux kernel.
Wednesday's advisory is part of a Syracuse University research project aimed at analyzing the security of the Zaurus and its use as a hacking tool, according to Syracuse University's Center for Systems Assurance Web site.
According to a source familiar with Sharp's plans, the company's next-generation Zaurus device, due this fall, will address the vulnerabilities. The gadget will come with Intel's 400MHz XScale PXA250 processor and a larger battery than the one found in Sharp's currently available Zaurus SL-5500. The Zaurus SL-5500 uses Intel's 206MHz StrongARM SA-1110 processor.
The vulnerable Zaurus SL-5000D and the Zaurus SL-5500 are nearly identical, but the 5500 comes with 64MB of memory, while the 5000D comes with 32MB. The 5000D is the developer's version of the Zaurus.