Hacking Tandy
by Sam Nitzberg

The PC-6 is a pocket computer that was produced by Radio Shack, and also by Casio under another name. It is programmable in BASIC, has 10 areas in which programs may be stored, and has a memo-pad area for notes, equations, phone numbers, and the like.

A trapdoor is a secret entry point to code. A Trojan horse is a subversion of a program which results in the program performing some function other than the one intended by the user. The PC-6 does allow passwords to be used, but it is vulnerable to both of these attacks; this is not addressed in the PC-6 documentation.

The PC-6 has a memo pad area and a set of 10 program areas. The memo pad is normally used to store functions, financial information, phone numbers, and assorted notes. Normally, the memo pad may be browsed, and the contents of any program area may be viewed. The memo pad may be accessed directly via keys on the PC-6 keyboard, or it may be accessed from programs. If a password is set using the PASS command, any attempt to read the memo pad directly or to obtain a program listing is denied, and the protect error (Error 8) is returned. While the password is set, programs may still be executed.

This is the trapdoor and Trojan horse vulnerability: once a password is set, the user is locked out at the command level from accessing program listings or the memo pad data. Programs can still be executed, and they may access and manipulate the program area. That is, a user cannot read memo pad contents with the password enabled, but if that user has modified a program present on the machine to display or manipulate memo pad contents, that program will execute properly and without restriction.

An example follows. Suppose this is a program in one of the 10 program areas:

    10 CLEAR
    20 INPUT A
    30 GOSUB 100 : REM Perform some function
    40 PRINT A
    50 END
    100 A=A+1
    110 RETURN

This is not an exciting program. But it may be used to subvert the password mechanism all the same.
To covertly provide memo pad access, all that is needed is a few minor code changes. Someone having physical access to the PC-6 only once, without the password being set, could change the code to the following:

    10 CLEAR
    20 INPUT A
    30 GOSUB 100 : REM Perform some function
    40 PRINT A
    50 END
    100 A=A+1
    105 IF A=-9999 THEN FOR Z=1 TO 10: READ# $ : PRINT $ : NEXT Z
    110 RETURN

By adding line 105, the memo pad is subverted. To create the trapdoor, the value -9999 has been chosen; presumably the legitimate user will not enter negative numbers. A subversive user would enter the value -10000 when running this program (line 100 adds 1 to A before the test on line 105) to activate the Trojan horse property which has been installed. The commands READ# $ and PRINT $ are used to read a single record from the memo pad and to display it. The net result is that line 105 will cause the PC-6 to display the first 10 records in the memo pad whether or not a password has been set: the Trojan horse. Other than this, all programs will behave properly.

Similarly, attacks against the memo pad could delete one entry at a time or write over entries; the only limit is the number of ways a program can manipulate the memo pad data. While this is a simple example, it demonstrates the problem with the password mechanism. Any person who is using a PC-6 is vulnerable to this attack.

The only countermeasure, besides the obvious ones (not letting anyone else access the PC-6, and always having a password set), is to periodically review all source code on the PC-6. If the owner of one of these does not use passwords, and someone were to apply the above technique, it would not matter if the owner later started to use passwords: unless a manual review was done of all code in the program areas, the attack would remain effective. If a person regularly uses passwords, one lapse is enough for the PC-6 to be rendered vulnerable indefinitely.
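As an added illustration, not part of the original article, the following Python model shows the access gap just described and the source-review countermeasure: the password blocks command-level memo pad reads with Error 8, a running program is not checked at all, and a listing scan flags every line that contains READ#. The PC6Model class, the sample memo records and the Python rendering of the BASIC listing are assumptions made for this example, not real PC-6 behaviour.

```python
# Added example, not from the article: a minimal model of the PC-6 access gap
# (password enforced at command level only) and the source-review check the
# article recommends. Memo records and the Python rendering of the BASIC
# listing are constructed approximations, not real PC-6 behaviour.

PROTECT_ERROR = 8  # the "Error 8" protect error named in the article

class PC6Model:
    def __init__(self, memo_pad, password=None):
        self.memo_pad = list(memo_pad)   # constructed sample records
        self.password = password

    def list_memo_pad(self):
        # Command-level access: refused with Error 8 while a password is set.
        if self.password is not None:
            return (False, PROTECT_ERROR)
        return (True, list(self.memo_pad))

    def run(self, program, a):
        # Program-level access: the password is never consulted here.
        return program(self, a)

def trojaned_program(pc, a):
    # Python rendering of the article's listing with line 105 added.
    a = a + 1                    # line 100: A=A+1
    if a == -9999:               # line 105: the trapdoor test
        return pc.memo_pad[:10]  # READ# $ : PRINT $ for Z=1 TO 10
    return a                     # line 40: PRINT A

LISTING = """10 CLEAR
20 INPUT A
30 GOSUB 100 : REM Perform some function
40 PRINT A
50 END
100 A=A+1
105 IF A=-9999 THEN FOR Z=1 TO 10: READ# $ : PRINT $ : NEXT Z
110 RETURN"""

# Statements that touch the memo pad; READ# is the one the article names.
MEMO_ACCESS_KEYWORDS = ("READ#",)

def review_listing(listing):
    # Return the line numbers of every statement that accesses the memo pad.
    flagged = []
    for line in listing.splitlines():
        number, _, body = line.strip().partition(" ")
        if any(kw in body.upper() for kw in MEMO_ACCESS_KEYWORDS):
            flagged.append(int(number))
    return flagged
```

Running review_listing over each of the 10 program areas is the periodic source review the article calls for; any flagged line in a program that has no business reading the memo pad warrants a closer look.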
Originally titled: "Trapdoor/Trojan Horse Vulnerability in the PC-6 Pocket Scientific Computer" 2600 Magazine, Volume 12, Number 1, Spring 1995