Palm WebOS Hacked Via SMS Messages

gondaba writes "Security researchers at the Intrepidus Group have hacked into Palm's new WebOS platform, using nothing more than text messages to exploit a slew of dangerous web app vulnerabilities. The white hat hackers found that the WebOS SMS client did not properly perform input/output validation on any SMS messages sent to the handset, leading to a rudimentary HTML injection bug. Coupled with the fact that HTML injection leads directly to injecting code into a WebOS application, the attacks made possible were quite dangerous (especially considering they could all be delivered over an SMS message)."

Lol

[Codename Dutchess]

These are always my favorite posts to read. Nothing like hiring 12 year olds to code your software.

Re:

[WrongSizeGlass]

I think the problem is that they didn't have 12 year olds try to hack their software during the security QA phase.

Re:Lol

[jsnipy]

Its more about testing processes as opposed development processes ("coding").

Re:

[228e2]

Nah, parent is correct.

its really not that hard to write protective measures for, of all things, input validation. thats literally day 3 material in any intro web programming class these days.

Re:

[FatdogHaiku]

Obligatory XKCD [xkcd.com]

Re:

[Anonymous Coward]

Obligatory post pointing out that nobody cares what an AC says ... including this post.

Re:

[znerk]

Re:Lol (Score:0)
by Anonymous Coward writes: on Monday April 19, @02:08PM (#31900426)
Obligatory post pointing out that nobody cares what an AC says ... including this post.

Where are my mod points?!?

Re:

[bhtooefr]

Obligatory post pointing out that funny doesn't give karma.

WebOS does display sanitization by default

[ensignyu]

You have to explicitly enable the "I know what I'm doing, stop protecting me" flag in your app to allow these types of exploits.

http://developer.palm.com/index.php?option=com_content&view=article&id=1756 [palm.com]

Re:

[ensignyu]

Sanitization has been on by default [google.com] since WebOS 1.1.

It's up to the individual developers to make sure their app is secure -- which it is by default if they don't disable the security features provided by WebOS.

Re:

[Jahava]

Sanitization has been on by default [google.com] since WebOS 1.1.

It's up to the individual developers to make sure their app is secure -- which it is by default if they don't disable the security features provided by WebOS.

This suggests that the developer of the SMS app in question (which is still Palm, I think) explicitly declined to utilize WebOS's sanitization support. While I'll give basic kudos to the WebOS developers for foreseeing this issue and negating it by default, it still stands that Palm released a live operating system with a vulnerable (at its own request) SMS application. The WebOS developers might have been smart, but the SMS application developers ruined the party for everyone.

So anyone want to brainstorm w

Re:

[someSnarkyBastard]

That may indeed be true but how many release-quality products do you think ship with that code turned off for performance reasons?

Re:

[Mister Whirly]

Day 3 material? This is day 1 material. "Never trust user input." Hell, it could be lesson 1.

Re:

[ravenscar]

Sure, the developers should have known better, but issues like this pop up due to an inherent problem in most software development processes. That problem is that specs are written that say what the software should do. Every once in a while the specs note a couple things the software shouldn't do. The specs then go to testers who make sure that the software does everything in the specs and, when it meets spec, everyone signs off. There's often little attention paid to making sure that software DOESN'T d

Re:

[mantis2009]

RTFA - webOS 1.4 (the current version) patches this vulnerability. Stop beating up on Palm.

This Just in...

[chriso11]

Other 'news' - Apparently, Apple is going to make a phone! Maybe it's will be as big as the Ipod!

Re:

[aXis100]

Why give them credit? They must have had very shitty standards to allow this bug to exist in the first place, so who's to say there arent more?

Dangerous?

[Itninja]

this bug and vulnerabilities are bad, even severe, but dangerous? I can think of no scenario where lives or property would be at stake. I guess the personal data could be used for something untoward....

Re:

[SoTerrified]

What if you're trying to call 911 but your phone has been rooted? I'd call that dangerous and could very easily cost lives or property...

Re:

[Itninja]

What if you need to call 911 and you battery is dead? Are dead batteries a danger to lives or property?

Re:

[perryizgr8]

what if you are trying to call 911 and at&t network is gone? is at&t a danger to lives or property?

Re:

[netsharc]

To be pedantic, emergency calls are priority-routed through any available GSM network, and it even works without a SIM card in the phone. Although apparently they want to disable that last feature because too many idiots call up 911 without a card in the phone, and they can't trace them.

Re:

[KiwiSurfer]

Routing calls without a SIM card is not the case in some countries. In New Zealand, for example, all carriers have disabled non-SIM emergency calls at the request of the emergency services. However any phones with a valid SIM in it will be able to make emergency calls.

Re:

[ianare]

Yes, they are. I would consider a phone that has longer battery life to be safer.

Re:

[NiteShaed]

Yes, they are. I would consider a phone that has longer battery life to be safer.

How long is long enough for you then? Emergencies generally can't be predicted, so unless your battery life is "infinite", it's just as possible that you'll desperately need your phone 5 minutes after you take it from the charger as it is that you'll need it 12 hours after its last charge....

Re:

[ianare]

I would say at least 48 hours, if I spend the night out I should'nt have to bring a charger. This is becoming less of a problem with the introduction of universal chargers, but most people have proprietary chargers still. An emergency can and has arrived on my way home from a friend's house late one night, my phone was dead - it only lasts about 10 hours.

Re:

[WrongSizeGlass]

this bug and vulnerabilities are bad, even severe, but dangerous? I can think of no scenario where lives or property would be at stake. I guess the personal data could be used for something untoward....

What if they used the dreaded "KaBoom" SMS exploit to trigger the Palm's self destruct mechanism? Then their personal data would be allllll over the place.

Re:

[gyrogeerloose]

this bug and vulnerabilities are bad, even severe, but dangerous?

Considering the WebOS has only about 5% of the smartphone market [prethinking.com], it's probably not very dangerous at all.

Re:

[Itninja]

About as dangerous as leaving you phone unattended for as few as 5 minutes. No lives or property would be at stake. What's more, as soon an any investigation started this hack would be detected and the charges dropped.

Re:

[dgatwood]

Six weeks after the newspaper runs a story accusing you, your employer gives you a pink slip, and the entire town vilifies you....

Re:

[Itninja]

Doubtful. It's not like it is on TV. In many vicious custody battles (or any other heated legal conflict) accusations of "being a pedophile" or planting "kiddie porn" (along with many other false accusations) are not that uncommon. Just like anything else, the issues are investigated (usually via search warrant on our computer) and, if found to be fraudulent, dismissed. Nothing even goes to court.

Re:

[izomiac]

I can think of a few, especially with the medical field. If a hospital can't get in touch with the doctors on call because they all have similarly compromised phones then I'd imagine that patient care would suffer. Or if the phones become so glitchy that Epocrate's drug interaction checker doesn't work, leading to that step geting skipped since there's no time to do it manually (3! to 15! possible interactions per patient). Or the doctor's account on the EMR system is compromised so patient information i

Re:

[dmmiller2k]

Um, know any doctors with Palm WebOS based phones?

Of course not, they all carry Blackberries.

Re:

[izomiac]

Actually I do. The iPhone and Android predominate though, since they run the best versions of medical software (colored graphs, pill identifiers, misc. smaller apps, etc.). Blackberries aren't very popular around here since they require a $100 software package plus an extra $20/month to check one's university e-mail. Palms are the rarest, but a few people use them. OTOH, the relative popularity of each platform differs by demographics and institution.

Re:

[Achromatic1978]

I can think of a few, especially with the medical field. If a hospital can't get in touch with the doctors on call because they all have similarly compromised phones then I'd imagine that patient care would suffer. Or if the phones become so glitchy that Epocrate's drug interaction checker doesn't work, leading to that step geting skipped since there's no time to do it manually (3! to 15! possible interactions per patient). Or the doctor's account on the EMR system is compromised so patient information is l

Re:

[izomiac]

I'm still a student, a couple months away from clinical rotations, so it's very possible there are multiple methods of contact. I have seen very few people carrying multiple devices though, so I don't think there is that much redundancy here. OTOH, "here" is a pretty large hospital in a decent sized city with good cell coverage, so I suspect only the most essential personnel have a dual device requirement.

Re:

[gmhowell]

Trust me, most of the time, the nurses don't need you. You just get in the way of people doing actual patient care.

(GF is a nurse, father is a doctor, sadly, this isn't a troll.)

Wow

[coniferous]

I cannot belive that: a) An exploit like this exists. SANITIZE ALL INPUTS! b) It took this long to find. This reminds me a lot of the exploit on android where it acted like all text entered was typed into a terminal.

Re:

[interval1066]

No kidding, this is like html 101. Every employer I've spoken to since the 90's who was considering me for any kind of web work has asked me if I know how to guard against xss and sql injection attacks. This is not some arcane black art. No wonder Palm is failing. And I like WebOS as a platform.

Re:

[Hurricane78]

It took this long to find.

Hey, this is the fastest exploit ever done by a user community... of about 3 people. ^^

Re:

[jellomizer]

You are making the assumption that the part that does the rendering of the SMS calls and formatting were part of the same group that takes the SMS and call the function. You assume that this was in the specs for people to follow. And no one brought it up because they though the other team has the problem fixed. And the they had a timeline where they could make this issues for all systems...

Re:Wow

[teknopurge]

There was an SMS exploit for a version of iPhone OS that would brick it, and just checking with a few people there are some nasty 0-days out there for it. At least you can't turn the Palm into a paperweight from 10,000 miles away...

Re:

[omglolbah]

That wasnt actually an exploit.

That was someone forgetting to disable a debugging shell with a global input hook :-p

eh hem...

[djupedal]

"...rudimentary HTML injection bug...."

There are so many wrongs going on at once there. I'll just pick one, load a round in the chamber and mutter 'rudimentary' is redundant. Ok, two...'injection bug'? WTF? --- now get off my lawn!

WebOS 1.4

[spiderbitendeath]

My Pre is running the latest 1.4.1.1 WebOS version. I tried their "exploits" on it, it did nothing, had no affect on it. In the video they're running an outdated version of WebOS, 1.3.5. WebOS will download updates OTA automatically, and install them if you don't do it after a certain number of days. To me, the likeliness of these still being issues is close to null and void.

Re:

[Codename Dutchess]

But the fact remains, that if this went so long without being published, what else could be buggy? This might have been small, but at revision 1.3.5 they still didn't figure it out? I can't imagine what comes next.

Re:

[aitikin]

Mind you, these were disclosed to Palm so they could fix them before 1.4 was released (at least that's what is claimed in the video).

Re:WebOS 1.4

[X0563511]

1.4 explicitly fixed these issues.

Re:

[nurb432]

But a headline of 'Severe bug fixed several revisions back, all is safe' isn't as likely to get readers.

Re:

[X0563511]

Indeed. I actually jumped into the developer's IRC channel to check in on this, and one of them told me about it being fixed already.

I felt like an ass. Thanks, Slashdot.

Anonymous Coward

[Anonymous Coward]

This has been fixed with the 1.4 update, not sure why it's news.

Re:

[hduff]

This has been fixed with the 1.4 update, not sure why it's news.

It's news because it was in a 1.x version and it's a basic coding fuckup they were slow and careless not to have fixed before now.

Who knows what else they have yet to fix?

That's why it's news.

Re:

[gtbritishskull]

The whitehat team that found it told Palm about it before 1.4 was released and did not publish the exploit until it had been patched. I don't think they should get punished publicity-wise because they decided to follow ethical practices.

Re:

[changa]

How is that rock you have been living under?

Re:

[dahud]

Nice and cozy, thanks.

Re:

[joetomato]

I just bought one last week, and my wife's will be getting here either today or tomorrow, you insensitive clod!

Re:

[zullnero]

Oh, darn it. Slashdot's login script didn't execute in time for me to post this as myself.

Nohing to see here, please move along

[loftwyr]

From the source release:

(Note: the findings herein affect WebOS 1.3.5. Palm has since released WebOS 1.4, which fixes these vulnerabilities, though not all handsets or carriers are running this version. Due to contractual agreements, the public disclosure of this information was delayed.)

Javascript Handicap

[r7]

These bugs can all be traced back to that fact that WebOS is essentially a web browser and the applications are written in JavaScript and HTML.

The article is accurate in so far as JavaScript is concerned. Palm has a long way to go if they ever hope to implement javascript securely on the scale they're using it. Checks have to be built into the SDK and the client engine, and they have to be updated regularly (quite frequently if Firefox' Noscript is any benchmark).

I've authored enough JS (not to be confused with CSS) to doubt that Palm will be able to do it. Nobody else has implemented JS securely, so WebOS device owners should expect to be hack

Minor thing on minor OS in old version has bug

[SlappyBastard]

Yay, Slashdot. Some days I wonder if my time wouldn't be better spent in the comments section of Digg.

I'm going to get flamed for this but...

[aXis100]

This is why "software engineering" fails to be taken seriously. How in this day and age an OS can be released without simple checks and balances like input validation is beyond me. The only excuse is "the developer couldnt be bothered, and no-one checked up on him".

Most programmers these days are the equivalent or tradespeople and artisans - sure many of them are very talented, but as a group still lack the formal QA and inherent attention to risk management that any real engineering should have.

Re:

[aXis100]

Sorry, it was the SMS client and not the core OS, but the fact that it could still be hacked though injection is bad.

I don't understand

[Pence128]

How are things like this even possible? Did someone someday decide it would be a good idea to interpret data as code?

Obligatory...

[Illogical Spock]

FacePALM!

For Extra Credit...

[UnknownIdiot]

See the 26th Chaos Communications Congress: Fuzzing the Phone in your Phone. http://events.ccc.de/congress/2009/Fahrplan/events/3507.en.html [events.ccc.de]