Forgot your password?
typodupeerror
Cellphones Handhelds Security

Palm WebOS Hacked Via SMS Messages 99

Posted by Soulskill
from the and-a-sausage dept.
gondaba writes "Security researchers at the Intrepidus Group have hacked into Palm's new WebOS platform, using nothing more than text messages to exploit a slew of dangerous web app vulnerabilities. The white hat hackers found that the WebOS SMS client did not properly perform input/output validation on any SMS messages sent to the handset, leading to a rudimentary HTML injection bug. Coupled with the fact that HTML injection leads directly to injecting code into a WebOS application, the attacks made possible were quite dangerous (especially considering they could all be delivered over an SMS message)."
This discussion has been archived. No new comments can be posted.

Palm WebOS Hacked Via SMS Messages

Comments Filter:
  • Lol (Score:2, Funny)

    These are always my favorite posts to read. Nothing like hiring 12 year olds to code your software.
    • I think the problem is that they didn't have 12 year olds try to hack their software during the security QA phase.
    • Re:Lol (Score:5, Insightful)

      by jsnipy (913480) on Monday April 19, 2010 @01:43PM (#31899054) Journal
      Its more about testing processes as opposed development processes ("coding").
      • Re: (Score:2, Insightful)

        by 228e2 (934443)
        Nah, parent is correct.

        its really not that hard to write protective measures for, of all things, input validation. thats literally day 3 material in any intro web programming class these days.
        • Re: (Score:2, Funny)

          by FatdogHaiku (978357)
          Obligatory XKCD [xkcd.com]
        • by ensignyu (417022) on Monday April 19, 2010 @03:00PM (#31900256)

          You have to explicitly enable the "I know what I'm doing, stop protecting me" flag in your app to allow these types of exploits.

          http://developer.palm.com/index.php?option=com_content&view=article&id=1756 [palm.com]

          • That may indeed be true but how many release-quality products do you think ship with that code turned off for performance reasons?

        • Day 3 material? This is day 1 material. "Never trust user input." Hell, it could be lesson 1.
    • Re: (Score:3, Insightful)

      by ravenscar (1662985)

      Sure, the developers should have known better, but issues like this pop up due to an inherent problem in most software development processes. That problem is that specs are written that say what the software should do. Every once in a while the specs note a couple things the software shouldn't do. The specs then go to testers who make sure that the software does everything in the specs and, when it meets spec, everyone signs off. There's often little attention paid to making sure that software DOESN'T d

    • RTFA - webOS 1.4 (the current version) patches this vulnerability. Stop beating up on Palm.
      • Other 'news' - Apparently, Apple is going to make a phone! Maybe it's will be as big as the Ipod!

      • by aXis100 (690904)

        Why give them credit? They must have had very shitty standards to allow this bug to exist in the first place, so who's to say there arent more?

  • this bug and vulnerabilities are bad, even severe, but dangerous? I can think of no scenario where lives or property would be at stake. I guess the personal data could be used for something untoward....
    • Re: (Score:3, Insightful)

      by SoTerrified (660807)

      What if you're trying to call 911 but your phone has been rooted? I'd call that dangerous and could very easily cost lives or property...

      • Re: (Score:3, Insightful)

        by Itninja (937614)
        What if you need to call 911 and you battery is dead? Are dead batteries a danger to lives or property?
        • what if you are trying to call 911 and at&t network is gone? is at&t a danger to lives or property?
          • by netsharc (195805)

            To be pedantic, emergency calls are priority-routed through any available GSM network, and it even works without a SIM card in the phone. Although apparently they want to disable that last feature because too many idiots call up 911 without a card in the phone, and they can't trace them.

            • Routing calls without a SIM card is not the case in some countries. In New Zealand, for example, all carriers have disabled non-SIM emergency calls at the request of the emergency services. However any phones with a valid SIM in it will be able to make emergency calls.
        • by ianare (1132971)

          Yes, they are. I would consider a phone that has longer battery life to be safer.

          • by NiteShaed (315799)

            Yes, they are. I would consider a phone that has longer battery life to be safer.

            How long is long enough for you then? Emergencies generally can't be predicted, so unless your battery life is "infinite", it's just as possible that you'll desperately need your phone 5 minutes after you take it from the charger as it is that you'll need it 12 hours after its last charge....

            • by ianare (1132971)

              I would say at least 48 hours, if I spend the night out I should'nt have to bring a charger. This is becoming less of a problem with the introduction of universal chargers, but most people have proprietary chargers still. An emergency can and has arrived on my way home from a friend's house late one night, my phone was dead - it only lasts about 10 hours.

    • this bug and vulnerabilities are bad, even severe, but dangerous? I can think of no scenario where lives or property would be at stake. I guess the personal data could be used for something untoward....

      What if they used the dreaded "KaBoom" SMS exploit to trigger the Palm's self destruct mechanism? Then their personal data would be allllll over the place.

    • this bug and vulnerabilities are bad, even severe, but dangerous?

      Considering the WebOS has only about 5% of the smartphone market [prethinking.com], it's probably not very dangerous at all.

    • by izomiac (815208)

      I can think of a few, especially with the medical field. If a hospital can't get in touch with the doctors on call because they all have similarly compromised phones then I'd imagine that patient care would suffer. Or if the phones become so glitchy that Epocrate's drug interaction checker doesn't work, leading to that step geting skipped since there's no time to do it manually (3! to 15! possible interactions per patient). Or the doctor's account on the EMR system is compromised so patient information i

      • Um, know any doctors with Palm WebOS based phones?

        Of course not, they all carry Blackberries.

        • by izomiac (815208)
          Actually I do. The iPhone and Android predominate though, since they run the best versions of medical software (colored graphs, pill identifiers, misc. smaller apps, etc.). Blackberries aren't very popular around here since they require a $100 software package plus an extra $20/month to check one's university e-mail. Palms are the rarest, but a few people use them. OTOH, the relative popularity of each platform differs by demographics and institution.
      • I can think of a few, especially with the medical field. If a hospital can't get in touch with the doctors on call because they all have similarly compromised phones then I'd imagine that patient care would suffer. Or if the phones become so glitchy that Epocrate's drug interaction checker doesn't work, leading to that step geting skipped since there's no time to do it manually (3! to 15! possible interactions per patient). Or the doctor's account on the EMR system is compromised so patient information is l

        • by izomiac (815208)
          I'm still a student, a couple months away from clinical rotations, so it's very possible there are multiple methods of contact. I have seen very few people carrying multiple devices though, so I don't think there is that much redundancy here. OTOH, "here" is a pretty large hospital in a decent sized city with good cell coverage, so I suspect only the most essential personnel have a dual device requirement.
          • by gmhowell (26755)

            Trust me, most of the time, the nurses don't need you. You just get in the way of people doing actual patient care.

            (GF is a nurse, father is a doctor, sadly, this isn't a troll.)

  • Wow (Score:5, Insightful)

    by coniferous (1058330) on Monday April 19, 2010 @01:36PM (#31898888) Homepage
    I cannot belive that: a) An exploit like this exists. SANITIZE ALL INPUTS! b) It took this long to find. This reminds me a lot of the exploit on android where it acted like all text entered was typed into a terminal.
    • No kidding, this is like html 101. Every employer I've spoken to since the 90's who was considering me for any kind of web work has asked me if I know how to guard against xss and sql injection attacks. This is not some arcane black art. No wonder Palm is failing. And I like WebOS as a platform.
    • It took this long to find.

      Hey, this is the fastest exploit ever done by a user community... of about 3 people. ^^

    • You are making the assumption that the part that does the rendering of the SMS calls and formatting were part of the same group that takes the SMS and call the function. You assume that this was in the specs for people to follow. And no one brought it up because they though the other team has the problem fixed. And the they had a timeline where they could make this issues for all systems...

    • Re:Wow (Score:4, Interesting)

      by teknopurge (199509) on Monday April 19, 2010 @02:59PM (#31900238) Homepage
      There was an SMS exploit for a version of iPhone OS that would brick it, and just checking with a few people there are some nasty 0-days out there for it. At least you can't turn the Palm into a paperweight from 10,000 miles away...
    • by omglolbah (731566)

      That wasnt actually an exploit.

      That was someone forgetting to disable a debugging shell with a global input hook :-p

  • "...rudimentary HTML injection bug...."

    There are so many wrongs going on at once there. I'll just pick one, load a round in the chamber and mutter 'rudimentary' is redundant. Ok, two...'injection bug'? WTF? --- now get off my lawn!
  • WebOS 1.4 (Score:5, Interesting)

    by spiderbitendeath (577712) on Monday April 19, 2010 @01:41PM (#31899008) Homepage
    My Pre is running the latest 1.4.1.1 WebOS version. I tried their "exploits" on it, it did nothing, had no affect on it. In the video they're running an outdated version of WebOS, 1.3.5. WebOS will download updates OTA automatically, and install them if you don't do it after a certain number of days. To me, the likeliness of these still being issues is close to null and void.
  • Anonymous Coward (Score:2, Informative)

    by Anonymous Coward

    This has been fixed with the 1.4 update, not sure why it's news.

    • by hduff (570443)

      This has been fixed with the 1.4 update, not sure why it's news.

      It's news because it was in a 1.x version and it's a basic coding fuckup they were slow and careless not to have fixed before now.

      Who knows what else they have yet to fix?

      That's why it's news.

    • The whitehat team that found it told Palm about it before 1.4 was released and did not publish the exploit until it had been patched. I don't think they should get punished publicity-wise because they decided to follow ethical practices.
  • by loftwyr (36717) on Monday April 19, 2010 @04:35PM (#31901762)

    From the source release:

    (Note: the findings herein affect WebOS 1.3.5. Palm has since released WebOS 1.4, which fixes these vulnerabilities, though not all handsets or carriers are running this version. Due to contractual agreements, the public disclosure of this information was delayed.)

  • These bugs can all be traced back to that fact that WebOS is essentially a web browser and the applications are written in JavaScript and HTML.

    The article is accurate in so far as JavaScript is concerned. Palm has a long way to go if they ever hope to implement javascript securely on the scale they're using it. Checks have to be built into the SDK and the client engine, and they have to be updated regularly (quite frequently if Firefox' Noscript is any benchmark).

    I've authored enough JS (not to be confused with CSS) to doubt that Palm will be able to do it. Nobody else has implemented JS securely, so WebOS device owners should expect to be hack

  • Yay, Slashdot. Some days I wonder if my time wouldn't be better spent in the comments section of Digg.
  • This is why "software engineering" fails to be taken seriously. How in this day and age an OS can be released without simple checks and balances like input validation is beyond me. The only excuse is "the developer couldnt be bothered, and no-one checked up on him".

    Most programmers these days are the equivalent or tradespeople and artisans - sure many of them are very talented, but as a group still lack the formal QA and inherent attention to risk management that any real engineering should have.

    • by aXis100 (690904)

      Sorry, it was the SMS client and not the core OS, but the fact that it could still be hacked though injection is bad.

  • How are things like this even possible? Did someone someday decide it would be a good idea to interpret data as code?
  • See the 26th Chaos Communications Congress: Fuzzing the Phone in your Phone. http://events.ccc.de/congress/2009/Fahrplan/events/3507.en.html [events.ccc.de]

[Crash programs] fail because they are based on the theory that, with nine women pregnant, you can get a baby a month. -- Wernher von Braun

Working...