The vulnerability affects models 650, 680 and 700p, although other versions are also likely to be affected, according to an advisory on the security company’s website.
The flaw allows anyone with access to the phone, to locate the data stored on it by using the “find” feature.
“Palm OS Treo smartphones are susceptible to a local information-disclosure vulnerability because the software fails to properly secure access to certain features when locked,” the posting on Symantec’s security focus website said.
“Successfully exploiting this issue allows attackers with physical access to affected devices to obtain potentially sensitive information. This may aid them in further attacks.”
Jamie Cowper, marketing manager EMEA at PGP Corporation, added: “As more people store sensitive data on smartphones such as the Treo, it is imperative that this information receives the same level of protection as data stored on the corporate network, merely locking the device only creates a false sense of security.
“Companies need to extend their IT security policies to workers’ mobile devices, and encryption should be at the heart of these policies. This remains the only way to ensure that data stays completely protected, even if the devices are lost or stolen.”
Palm has yet to issue a patch for the flaws.
Palm Treo smartphone flaws detected
By Fiona Raisbeck on Feb 16, 2007 11:25AM
Several versions of the Palm Treo smartphone contain security flaws that could allow anyone who gets hold of it to access the data, even when the device is locked, Symantec has warned.
Got a news tip for our journalists? Share it with us anonymously here.