COMMAND

	XIRCOM REX6000 PDA password revealed

SYSTEMS AFFECTED

	XIRCOM REX6000 PDA

PROBLEM

	Daniel Jonsson [daniel2@algonet.se] posted :
	

	The Xircom REX6000 PCMCIA PDA can be protected with up  to  a  10  digit
	PIN-code that needs to be entered via the  touchscreen  every  time  the
	PDA is powered on if using the highest security level. After entering  a
	correct code every data stored on  the  PDA  is  available  for  access.
	Memos marked Private needs  the  same  PIN  code  again  to  be  entered
	everytime they are accessed. The manual states clearly that  \"PIN  code
	is to protect the data\"
	  

	However the PIN Code protection structure built  into  the  REX6000  PDA
	makes this secret PIN Code useless for  protecting  any  type  of  data.
	Using the included REXTOOLS program the user can  copy/paste/change  the
	PDA information via a computer. The REXTOOLS and the  REX6000  PDA  uses
	serial (COMx) for communication. The  REXTOOLS  program  correctly  asks
	for the PIN Code when trying to access the PDA and prevents  information
	from being shown in the program if the PIN Code  is  incorrect.  However
	the verification of the PIN Code is done by the  REXTOOLS  program,  and
	here lies the PIN  Code  structure  flaw.  By  using  a  serial  monitor
	program to listen to the communications between  the  REXTOOLS  and  the
	PDA the PIN Code will be send in cleartext  from  the  PDA  to  REXTOOLS
	after some initial communication, just before REXTOOLS prompts  for  the
	PIN Code and verifies that the one  entered  is  the  same  as  the  one
	received from the PDA.
	

	In short, every PIN Code protected REX6000 PDA can  get  compromised  by
	just starting a serial monitor,  and  then  connect  to  the  PDA  using
	REXTOOLS, read the cleartext PIN Code send from the  PDA  and  enter  it
	when REXTOOLS asks for that PIN Code, or  by  simply  eject  the  PCMCIA
	REX6000 PDA and enter the PIN Code via the touchscreen.

SOLUTION

	Nothing yet