Palm WebOS Hacked Via SMS Messages

gondaba writes "Security researchers at the Intrepidus Group have hacked into Palm's new WebOS platform, using nothing more than text messages to exploit a slew of dangerous web app vulnerabilities. The white hat hackers found that the WebOS SMS client did not properly perform input/output validation on any SMS messages sent to the handset, leading to a rudimentary HTML injection bug. Coupled with the fact that HTML injection leads directly to injecting code into a WebOS application, the attacks made possible were quite dangerous (especially considering they could all be delivered over an SMS message)."

Lol

[Codename+Dutchess]

These are always my favorite posts to read. Nothing like hiring 12 year olds to code your software.

Re:Lol

[WrongSizeGlass]

I think the problem is that they didn't have 12 year olds try to hack their software during the security QA phase.

Re:Lol

[jsnipy]

Its more about testing processes as opposed development processes ("coding").

Re:Lol

[228e2]

Nah, parent is correct.

its really not that hard to write protective measures for, of all things, input validation. thats literally day 3 material in any intro web programming class these days.

Re:Lol

[ravenscar]

Sure, the developers should have known better, but issues like this pop up due to an inherent problem in most software development processes. That problem is that specs are written that say what the software should do. Every once in a while the specs note a couple things the software shouldn't do. The specs then go to testers who make sure that the software does everything in the specs and, when it meets spec, everyone signs off. There's often little attention paid to making sure that software DOESN'T do things that aren't spec'd. This problem is further exacerbated in many shops that outsource testing to vendors. In such situations the testers cover only the very specific items noted in the contract and nothing else.

Shops that want to prevent problems like this need to bring back some creative types for testing. You know, the ones you can hand a device to and say "I dare you to f*ck this thing up" and who will take it as a challenge. Unfortunately, those types often command a higher $$ figure than management is willing to pay when "there is a team of people in India who'll test this thing to spec for $30 an hour."

Of course, you need a little bit of both in this world. It's important to have spec testers who'll follow strict methodology just as it's important to have creative testers that will find all that stuff nobody thought about.

Re:Lol

[FatdogHaiku]

Obligatory XKCD

Re:Lol

In the real world of software production it is a matter of verification vs. developer judgment. Small shop folks who write code small projects cowboy style typically do not understand this.

Re:Lol

[mantis2009]

RTFA - webOS 1.4 (the current version) patches this vulnerability. Stop beating up on Palm.

Re:Lol

Obligatory post pointing out that everyone has seen that comic, and that posting it is a wonderful example of karma whoring.

Re:Lol

Obligatory post pointing out that nobody cares what an AC says ... including this post.

Re:Lol

[Mister+Whirly]

Day 3 material? This is day 1 material. "Never trust user input." Hell, it could be lesson 1.

Re:Lol

[znerk]

Re:Lol (Score:0)
by Anonymous Coward writes: on Monday April 19, @02:08PM (#31900426)
Obligatory post pointing out that nobody cares what an AC says ... including this post.

Where are my mod points?!?

Re:Lol

[bhtooefr]

Obligatory post pointing out that funny doesn't give karma.

Re:Lol

(whining loludly)Leave (Palm)Britany alone... sniff... sniff...

Re:Lol

[aXis100]

Why give them credit? They must have had very shitty standards to allow this bug to exist in the first place, so who's to say there arent more?

Dangerous?

[Itninja]

this bug and vulnerabilities are bad, even severe, but dangerous? I can think of no scenario where lives or property would be at stake. I guess the personal data could be used for something untoward....

Re:Dangerous?

this bug and vulnerabilities are bad, even severe, but dangerous? I can think of no scenario where lives or property would be at stake. I guess the personal data could be used for something untoward....

Something like this isn't dangerous (unless it's a Microsoft product with the vulnerability).

Re:Dangerous?

[SoTerrified]

What if you're trying to call 911 but your phone has been rooted? I'd call that dangerous and could very easily cost lives or property...

Re:Dangerous?

[WrongSizeGlass]

this bug and vulnerabilities are bad, even severe, but dangerous? I can think of no scenario where lives or property would be at stake. I guess the personal data could be used for something untoward....

What if they used the dreaded "KaBoom" SMS exploit to trigger the Palm's self destruct mechanism? Then their personal data would be allllll over the place.

Re:Dangerous?

[gyrogeerloose]

this bug and vulnerabilities are bad, even severe, but dangerous?

Considering the WebOS has only about 5% of the smartphone market, it's probably not very dangerous at all.

Re:Dangerous?

[Itninja]

What if you need to call 911 and you battery is dead? Are dead batteries a danger to lives or property?

Re:Dangerous?

Downloading kiddie porn to someone's phone? Uhh yeah.. very dangerous.

Re:Dangerous?

[perryizgr8]

what if you are trying to call 911 and at&t network is gone? is at&t a danger to lives or property?

Re:Dangerous?

[ianare]

Yes, they are. I would consider a phone that has longer battery life to be safer.

Re:Dangerous?

[Itninja]

About as dangerous as leaving you phone unattended for as few as 5 minutes. No lives or property would be at stake. What's more, as soon an any investigation started this hack would be detected and the charges dropped.

Re:Dangerous?

[izomiac]

I can think of a few, especially with the medical field. If a hospital can't get in touch with the doctors on call because they all have similarly compromised phones then I'd imagine that patient care would suffer. Or if the phones become so glitchy that Epocrate's drug interaction checker doesn't work, leading to that step geting skipped since there's no time to do it manually (3! to 15! possible interactions per patient). Or the doctor's account on the EMR system is compromised so patient information is leaked and used nefariously.

For people that don't deal with life or death situations, it is much harder to contrive a scenario where an electronic device malfunctioning might cause harm (well, economic harm is easy). I suppose someone could cause the phone to play a loud noise to distract a vehicle driver at a crucial moment. Or perhaps someone could make a cheap lithium ion battery explode, although there should be dozens of safeguards preventing that. The most likely though, would be for stalkers to be able to track their victims much more effectively, which would cause emotional harm if nothing else.

Re:Dangerous?

[dmmiller2k]

Um, know any doctors with Palm WebOS based phones?

Of course not, they all carry Blackberries.

Re:Dangerous?

[netsharc]

To be pedantic, emergency calls are priority-routed through any available GSM network, and it even works without a SIM card in the phone. Although apparently they want to disable that last feature because too many idiots call up 911 without a card in the phone, and they can't trace them.

Re:Dangerous?

[dgatwood]

Six weeks after the newspaper runs a story accusing you, your employer gives you a pink slip, and the entire town vilifies you....

Re:Dangerous?

[izomiac]

Actually I do. The iPhone and Android predominate though, since they run the best versions of medical software (colored graphs, pill identifiers, misc. smaller apps, etc.). Blackberries aren't very popular around here since they require a $100 software package plus an extra $20/month to check one's university e-mail. Palms are the rarest, but a few people use them. OTOH, the relative popularity of each platform differs by demographics and institution.

Re:Dangerous?

[NiteShaed]

Yes, they are. I would consider a phone that has longer battery life to be safer.

How long is long enough for you then? Emergencies generally can't be predicted, so unless your battery life is "infinite", it's just as possible that you'll desperately need your phone 5 minutes after you take it from the charger as it is that you'll need it 12 hours after its last charge....

Re:Dangerous?

[maxwell+demon]

The longer your battery lasts, the less the fraction of time the battery is empty.

Re:Dangerous?

[ianare]

I would say at least 48 hours, if I spend the night out I should'nt have to bring a charger. This is becoming less of a problem with the introduction of universal chargers, but most people have proprietary chargers still. An emergency can and has arrived on my way home from a friend's house late one night, my phone was dead - it only lasts about 10 hours.

Re:Dangerous?

[Itninja]

Doubtful. It's not like it is on TV. In many vicious custody battles (or any other heated legal conflict) accusations of "being a pedophile" or planting "kiddie porn" (along with many other false accusations) are not that uncommon. Just like anything else, the issues are investigated (usually via search warrant on our computer) and, if found to be fraudulent, dismissed. Nothing even goes to court.

Re:Dangerous?

[KiwiSurfer]

Routing calls without a SIM card is not the case in some countries. In New Zealand, for example, all carriers have disabled non-SIM emergency calls at the request of the emergency services. However any phones with a valid SIM in it will be able to make emergency calls.

Re:Dangerous?

[Achromatic1978]

I can think of a few, especially with the medical field. If a hospital can't get in touch with the doctors on call because they all have similarly compromised phones then I'd imagine that patient care would suffer. Or if the phones become so glitchy that Epocrate's drug interaction checker doesn't work, leading to that step geting skipped since there's no time to do it manually (3! to 15! possible interactions per patient). Or the doctor's account on the EMR system is compromised so patient information is leaked and used nefariously.

Since you mention Epocrates, I'm going to presume you're in the field. To which I say, if your on-call system for emergency physicians relies solely on cell systems, you're doing something wrong. As someone also in the field, a day job involving EMR, part time EMS, training as a full time medic, if there's even the slightest possibility you might be required on call/demand in our system, pre-hospital or hospital, you have a cell phone and a pager (and in our case we run a pager network, with county-owned towers to ensure as high a quality of reception as possible).

Re:Dangerous?

[izomiac]

I'm still a student, a couple months away from clinical rotations, so it's very possible there are multiple methods of contact. I have seen very few people carrying multiple devices though, so I don't think there is that much redundancy here. OTOH, "here" is a pretty large hospital in a decent sized city with good cell coverage, so I suspect only the most essential personnel have a dual device requirement.

Re:Dangerous?

[gmhowell]

Trust me, most of the time, the nurses don't need you. You just get in the way of people doing actual patient care.

(GF is a nurse, father is a doctor, sadly, this isn't a troll.)

Sausage?

After watching that, I somehow feel compelled to review all the security risks and exploits on the iPhone, and use my sausage *cough* on the touch screen...

Wow

[coniferous]

I cannot belive that: a) An exploit like this exists. SANITIZE ALL INPUTS! b) It took this long to find. This reminds me a lot of the exploit on android where it acted like all text entered was typed into a terminal.

Re:Wow

[interval1066]

No kidding, this is like html 101. Every employer I've spoken to since the 90's who was considering me for any kind of web work has asked me if I know how to guard against xss and sql injection attacks. This is not some arcane black art. No wonder Palm is failing. And I like WebOS as a platform.

Re:Wow

Apple did the same with the iPhone, and it was discovered only last year. And I don't think Apple is failing.

Re:Wow

[Hurricane78]

It took this long to find.

Hey, this is the fastest exploit ever done by a user community... of about 3 people. ^^

Re:Wow

They do sanitize *some* text message inputs -- like they strip everything between , so that the messages from my Asterisk answering machine never show the actual phone number.

I.e., they strip actual valuable content. Sweet!

Poor Roger McNamee is going to lose a few dozen million on Palm if / when they ever do get sold. Huge tears of woe.

Re:Wow

[jellomizer]

You are making the assumption that the part that does the rendering of the SMS calls and formatting were part of the same group that takes the SMS and call the function. You assume that this was in the specs for people to follow. And no one brought it up because they though the other team has the problem fixed. And the they had a timeline where they could make this issues for all systems...

Re:Wow

[teknopurge]

There was an SMS exploit for a version of iPhone OS that would brick it, and just checking with a few people there are some nasty 0-days out there for it. At least you can't turn the Palm into a paperweight from 10,000 miles away...

Re:Wow

[omglolbah]

That wasnt actually an exploit.

That was someone forgetting to disable a debugging shell with a global input hook :-p

eh hem...

[djupedal]

"...rudimentary HTML injection bug...."

There are so many wrongs going on at once there. I'll just pick one, load a round in the chamber and mutter 'rudimentary' is redundant. Ok, two...'injection bug'? WTF? --- now get off my lawn!

WebOS 1.4

[spiderbitendeath]

My Pre is running the latest 1.4.1.1 WebOS version. I tried their "exploits" on it, it did nothing, had no affect on it. In the video they're running an outdated version of WebOS, 1.3.5. WebOS will download updates OTA automatically, and install them if you don't do it after a certain number of days. To me, the likeliness of these still being issues is close to null and void.

Re:WebOS 1.4

[Codename+Dutchess]

But the fact remains, that if this went so long without being published, what else could be buggy? This might have been small, but at revision 1.3.5 they still didn't figure it out? I can't imagine what comes next.

Re:WebOS 1.4

But the fact remains, that if this went so long without being published, what else could be buggy? This might have been small, but at revision 1.3.5 they still didn't figure it out? I can't imagine what comes next.

DO NOT breathe air! You don't know what else could be in it! Surely it could be POISON! MUAHAHAHAHAH

Re:WebOS 1.4

[aitikin]

Mind you, these were disclosed to Palm so they could fix them before 1.4 was released (at least that's what is claimed in the video).

Re:WebOS 1.4

[X0563511]

1.4 explicitly fixed these issues.

Re:WebOS 1.4

So a whitehat security firm practiced responsible disclosure and got things patched before publishing, and you're here to get marked "Interesting" for complaining that you can't exploit a production handset?

I love this website.

Re:WebOS 1.4

[nurb432]

But a headline of 'Severe bug fixed several revisions back, all is safe' isn't as likely to get readers.

Re:WebOS 1.4

[X0563511]

Indeed. I actually jumped into the developer's IRC channel to check in on this, and one of them told me about it being fixed already.

I felt like an ass. Thanks, Slashdot.

Anonymous Coward

This has been fixed with the 1.4 update, not sure why it's news.

Re:Anonymous Coward

Yeah and not only that, it's not even made by Apple. If we're not bashing the iP*, we've got nothing to talk about!

Re:Anonymous Coward

[hduff]

This has been fixed with the 1.4 update, not sure why it's news.

It's news because it was in a 1.x version and it's a basic coding fuckup they were slow and careless not to have fixed before now.

Who knows what else they have yet to fix?

That's why it's news.

Re:Anonymous Coward

It's news because Apple didn't announce a product today. This was reported and fixed a long ass time ago. If they ran an article for every fixed bug in windows no matter how simple the bug may seem, we'd never read news about anything else.

Re:Anonymous Coward

[gtbritishskull]

The whitehat team that found it told Palm about it before 1.4 was released and did not publish the exploit until it had been patched. I don't think they should get punished publicity-wise because they decided to follow ethical practices.

Re:Anonymous Coward

webOS has been out for 10 months and you're bashing them for an SMS vulnerability the quickly fixed when notified. Jesus. The iPhone had SMS flaws for YEARS before they were discovered and fixed (all the way up through the 3.0 firmware): http://news.cnet.com/8301-27080_3-10299378-245.html

Get a life. Kudos to Palm for quickly resolving the issue and to the finders of the vulnerability for notifying Palm and giving them time to produce a fix.

Little Bobby Tables?

Those aren't randon text messages; they're student records.

http://xkcd.com/327/

Re:Little Bobby Tables?

best xkcd ever!

If SS7 gateways are hackable, why not phones ?

This isn't at all surprising. Even infratructure equipment is hackable using SMS messages.

Re:If SS7 gateways are hackable, why not phones ?

[Neuroelectronic]

Only if you consider purposeful backdoors disguised as simple vulnerabilities the same thing as simple vulnerabilities.

What comes next

[Neuroelectronic]

Automatic uploading of videos to Youtube, integration of MyFace contacts.

Fixed in the 1.4

Since this was fixed in the 1.4, this can only be some no name "security" company trying to make a name for itself. A really poor one at that, they can take already known issues and exploit them... And hey with results like these, they should have no problems exploiting any unpatched Windows 95 machine still running out there.

Well, whaddaya know?

[dahud]

Palm? I'm surprised they still even exist. The last contact I had with them was a b&w PDA ten years ago.

Re:Well, whaddaya know?

[changa]

How is that rock you have been living under?

Re:Well, whaddaya know?

[dahud]

Nice and cozy, thanks.

This Just in...

[chriso11]

Other 'news' - Apparently, Apple is going to make a phone! Maybe it's will be as big as the Ipod!

Re:Fixed in the 1.4

Or, alternatively, it was the security company that found the exploit and warned Palm about it so they could fix it for 1.4, and is now releasing the vulnerability for discussion.

But hey, that would have required reading the article.

On the positive side

At least noone will actually be affected because noone owns a palm phone anymore

Re:On the positive side

[joetomato]

I just bought one last week, and my wife's will be getting here either today or tomorrow, you insensitive clod!

Intrepidus are straight up losers.

Basically, here's the deal: Palm fixes all these bugs, but Intrepidus wants to drum up more business, so they release a mocking video of all the bugs that Palm ALREADY FIXED in an OS that updates itself really well (and most users want the updates badly because Palm releases features with each of them). Would you want to pay a company to pull that kind of crap with your product? I wouldn't think so.

Oh, yeah...and the OS itself has only been out for less than a year. Of course you're going to find exploits...what do you expect, absolute perfect security right out of the gate?

Not only that, Intrepidus takes the biggest cop out for a security company there is: "Well, uhhh, because it's browser based or something...uhhh...there's like, security holes and whatever." It's NOT browser based. webOS is LINUX BASED. It has a UI that incorporates a modified WebKit engine. Not only that, just saying there's a browser integrated into the front end isn't an instant security hole. Browsers are software. Software can have bugs, and bugs can be fixed. Would you say that unrelated software product A is instantly vulnerable to the same holes as unrelated software product B? When I hear a security engineer take that track with me, he/she loses all credibility. Security outfits are specialized QA houses and nothing more. Their job is to take money, use a systematical process to find bugs, then report them. They are paid for their confidentiality and their work. When they cop out on both fronts, they prove themselves to be nothing more than a scam shop of 14 year old jackoffs with a 23 year old douchebag boss trying to make a name for themselves.

Re:Intrepidus are straight up losers.

[zullnero]

Oh, darn it. Slashdot's login script didn't execute in time for me to post this as myself.

Re:Intrepidus are straight up losers.

Oh, darn it. Slashdot's login script didn't execute in time for me to post this as myself.

I'm getting tired of this. Stop trying to take credit for my work!

WebOS does display sanitization by default

[ensignyu]

You have to explicitly enable the "I know what I'm doing, stop protecting me" flag in your app to allow these types of exploits.

http://developer.palm.com/index.php?option=com_content&view=article&id=1756

Re:WebOS does display sanitization by default

They work by default on 1.3.5. Your statement is only true after the Intrepidus exploit was reported and patched.

Re:WebOS does display sanitization by default

[ensignyu]

Sanitization has been on by default since WebOS 1.1.

It's up to the individual developers to make sure their app is secure -- which it is by default if they don't disable the security features provided by WebOS.

Re:WebOS does display sanitization by default

[Jahava]

Sanitization has been on by default since WebOS 1.1.

It's up to the individual developers to make sure their app is secure -- which it is by default if they don't disable the security features provided by WebOS.

This suggests that the developer of the SMS app in question (which is still Palm, I think) explicitly declined to utilize WebOS's sanitization support. While I'll give basic kudos to the WebOS developers for foreseeing this issue and negating it by default, it still stands that Palm released a live operating system with a vulnerable (at its own request) SMS application. The WebOS developers might have been smart, but the SMS application developers ruined the party for everyone.

So anyone want to brainstorm why an SMS application would want to manually opt-out of input sanitization? Seriously ... I can't think of any... :-/

Re:WebOS does display sanitization by default

Plausible deniability for a way to 'jailbreak' the OS.

Re:WebOS does display sanitization by default

[someSnarkyBastard]

That may indeed be true but how many release-quality products do you think ship with that code turned off for performance reasons?

I tried this on my phone

and it failed.

Security Team: 0
Palm: 1

Re:I tried this on my phone

My god, I remember a time when slashdot didn't had all those stupid looser making comments on things they didn' understand. More than half of the comments down there are yay palm fixed it so meh.

Stupid stupid people, please don't post your turd if you didn't even read the story neiher understood the stuff that happened

Nohing to see here, please move along

[loftwyr]

From the source release:

(Note: the findings herein affect WebOS 1.3.5. Palm has since released WebOS 1.4, which fixes these vulnerabilities, though not all handsets or carriers are running this version. Due to contractual agreements, the public disclosure of this information was delayed.)

Javascript Handicap

[r7]

These bugs can all be traced back to that fact that WebOS is essentially a web browser and the applications are written in JavaScript and HTML.

The article is accurate in so far as JavaScript is concerned. Palm has a long way to go if they ever hope to implement javascript securely on the scale they're using it. Checks have to be built into the SDK and the client engine, and they have to be updated regularly (quite frequently if Firefox' Noscript is any benchmark).

I've authored enough JS (not to be confused with CSS) to doubt that Palm will be able to do it. Nobody else has implemented JS securely, so WebOS device owners should expect to be hacked and use their cell phones accordingly.

Minor thing on minor OS in old version has bug

[SlappyBastard]

Yay, Slashdot. Some days I wonder if my time wouldn't be better spent in the comments section of Digg.

I'm going to get flamed for this but...

[aXis100]

This is why "software engineering" fails to be taken seriously. How in this day and age an OS can be released without simple checks and balances like input validation is beyond me. The only excuse is "the developer couldnt be bothered, and no-one checked up on him".

Most programmers these days are the equivalent or tradespeople and artisans - sure many of them are very talented, but as a group still lack the formal QA and inherent attention to risk management that any real engineering should have.

Re:I'm going to get flamed for this but...

[aXis100]

Sorry, it was the SMS client and not the core OS, but the fact that it could still be hacked though injection is bad.

I don't understand

[Pence128]

How are things like this even possible? Did someone someday decide it would be a good idea to interpret data as code?

Obligatory...

[Illogical+Spock]

FacePALM!

For Extra Credit...

[UnknownIdiot]

See the 26th Chaos Communications Congress: Fuzzing the Phone in your Phone. http://events.ccc.de/congress/2009/Fahrplan/events/3507.en.html