Palm WebOS Hacked Via SMS Messages

← Back to Stories (view on slashdot.org)

Palm WebOS Hacked Via SMS Messages

Posted by Soulskill on Monday April 19, 2010 @05:26AM from the and-a-sausage dept.

gondaba writes "Security researchers at the Intrepidus Group have hacked into Palm's new WebOS platform, using nothing more than text messages to exploit a slew of dangerous web app vulnerabilities. The white hat hackers found that the WebOS SMS client did not properly perform input/output validation on any SMS messages sent to the handset, leading to a rudimentary HTML injection bug. Coupled with the fact that HTML injection leads directly to injecting code into a WebOS application, the attacks made possible were quite dangerous (especially considering they could all be delivered over an SMS message)."

65 of 99 comments (clear)

Lol by Codename+Dutchess · 2010-04-19 05:29 · Score: 2, Funny

These are always my favorite posts to read. Nothing like hiring 12 year olds to code your software.
1. Re:Lol by WrongSizeGlass · 2010-04-19 05:43 · Score: 1
  
  I think the problem is that they didn't have 12 year olds try to hack their software during the security QA phase.
2. Re:Lol by jsnipy · 2010-04-19 05:43 · Score: 4, Insightful
  
  Its more about testing processes as opposed development processes ("coding").
  
  --
  -- if you mod me down, I will become more powerful than you can possibly imagine
3. Re:Lol by 228e2 · 2010-04-19 05:47 · Score: 2, Insightful
  
  Nah, parent is correct.
  
  its really not that hard to write protective measures for, of all things, input validation. thats literally day 3 material in any intro web programming class these days.
  
  --
  Since when does being a Socialist mean 'someone who has a different opinion than me'?
4. Re:Lol by ravenscar · 2010-04-19 06:16 · Score: 3, Insightful
  
  Sure, the developers should have known better, but issues like this pop up due to an inherent problem in most software development processes. That problem is that specs are written that say what the software should do. Every once in a while the specs note a couple things the software shouldn't do. The specs then go to testers who make sure that the software does everything in the specs and, when it meets spec, everyone signs off. There's often little attention paid to making sure that software DOESN'T do things that aren't spec'd. This problem is further exacerbated in many shops that outsource testing to vendors. In such situations the testers cover only the very specific items noted in the contract and nothing else.
  Shops that want to prevent problems like this need to bring back some creative types for testing. You know, the ones you can hand a device to and say "I dare you to f*ck this thing up" and who will take it as a challenge. Unfortunately, those types often command a higher $$ figure than management is willing to pay when "there is a team of people in India who'll test this thing to spec for $30 an hour."
  Of course, you need a little bit of both in this world. It's important to have spec testers who'll follow strict methodology just as it's important to have creative testers that will find all that stuff nobody thought about.
5. Re:Lol by FatdogHaiku · 2010-04-19 06:23 · Score: 2, Funny
  
  Obligatory XKCD
  
  --
  You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
6. Re:Lol by mantis2009 · 2010-04-19 06:24 · Score: 1
  
  RTFA - webOS 1.4 (the current version) patches this vulnerability. Stop beating up on Palm.
7. Re:Lol by Anonymous Coward · 2010-04-19 07:08 · Score: 1, Funny
  
  Obligatory post pointing out that nobody cares what an AC says ... including this post.
8. Re:Lol by Mister+Whirly · 2010-04-19 07:18 · Score: 1
  
  Day 3 material? This is day 1 material. "Never trust user input." Hell, it could be lesson 1.
  
  --
  "But this one goes to 11!"
9. Re:Lol by znerk · 2010-04-19 07:40 · Score: 1
  
  Re:Lol (Score:0)
  by Anonymous Coward writes: on Monday April 19, @02:08PM (#31900426)
  Obligatory post pointing out that nobody cares what an AC says ... including this post.
  Where are my mod points?!?
  
  --
  This work is licensed under a Creative Commons Attribution 3.0 Unported License.
10. Re:Lol by bhtooefr · 2010-04-19 08:43 · Score: 2, Funny
  
  Obligatory post pointing out that funny doesn't give karma.
11. Re:Lol by aXis100 · 2010-04-19 14:34 · Score: 1
  
  Why give them credit? They must have had very shitty standards to allow this bug to exist in the first place, so who's to say there arent more?
Dangerous? by Itninja · 2010-04-19 05:32 · Score: 1

this bug and vulnerabilities are bad, even severe, but dangerous? I can think of no scenario where lives or property would be at stake. I guess the personal data could be used for something untoward....

--
I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
1. Re:Dangerous? by SoTerrified · 2010-04-19 05:44 · Score: 2, Insightful
  
  What if you're trying to call 911 but your phone has been rooted? I'd call that dangerous and could very easily cost lives or property...
2. Re:Dangerous? by WrongSizeGlass · 2010-04-19 05:46 · Score: 1
  
  this bug and vulnerabilities are bad, even severe, but dangerous? I can think of no scenario where lives or property would be at stake. I guess the personal data could be used for something untoward....
  What if they used the dreaded "KaBoom" SMS exploit to trigger the Palm's self destruct mechanism? Then their personal data would be allllll over the place.
3. Re:Dangerous? by gyrogeerloose · 2010-04-19 06:17 · Score: 1
  
  this bug and vulnerabilities are bad, even severe, but dangerous?
  
  Considering the WebOS has only about 5% of the smartphone market, it's probably not very dangerous at all.
  
  --
  This ain't rocket surgery.
4. Re:Dangerous? by Itninja · 2010-04-19 06:19 · Score: 2, Insightful
  
  What if you need to call 911 and you battery is dead? Are dead batteries a danger to lives or property?
  
  --
  I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
5. Re:Dangerous? by perryizgr8 · 2010-04-19 06:44 · Score: 1
  
  what if you are trying to call 911 and at&t network is gone? is at&t a danger to lives or property?
  
  --
  Wealth is the gift that keeps on giving.
6. Re:Dangerous? by ianare · 2010-04-19 06:45 · Score: 1
  
  Yes, they are. I would consider a phone that has longer battery life to be safer.
7. Re:Dangerous? by Itninja · 2010-04-19 06:46 · Score: 1
  
  About as dangerous as leaving you phone unattended for as few as 5 minutes. No lives or property would be at stake. What's more, as soon an any investigation started this hack would be detected and the charges dropped.
  
  --
  I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
8. Re:Dangerous? by izomiac · 2010-04-19 06:54 · Score: 1
  
  I can think of a few, especially with the medical field. If a hospital can't get in touch with the doctors on call because they all have similarly compromised phones then I'd imagine that patient care would suffer. Or if the phones become so glitchy that Epocrate's drug interaction checker doesn't work, leading to that step geting skipped since there's no time to do it manually (3! to 15! possible interactions per patient). Or the doctor's account on the EMR system is compromised so patient information is leaked and used nefariously.
  For people that don't deal with life or death situations, it is much harder to contrive a scenario where an electronic device malfunctioning might cause harm (well, economic harm is easy). I suppose someone could cause the phone to play a loud noise to distract a vehicle driver at a crucial moment. Or perhaps someone could make a cheap lithium ion battery explode, although there should be dozens of safeguards preventing that. The most likely though, would be for stalkers to be able to track their victims much more effectively, which would cause emotional harm if nothing else.
9. Re:Dangerous? by dmmiller2k · 2010-04-19 07:15 · Score: 1
  
  Um, know any doctors with Palm WebOS based phones?
  Of course not, they all carry Blackberries.
  
  --
  "No matter how cynical you get, it is impossible to keep up." -- Lily Tomlin
10. Re:Dangerous? by netsharc · 2010-04-19 07:18 · Score: 1
  
  To be pedantic, emergency calls are priority-routed through any available GSM network, and it even works without a SIM card in the phone. Although apparently they want to disable that last feature because too many idiots call up 911 without a card in the phone, and they can't trace them.
  
  --
  What time is it/will be over there? Check with my iPhone app!
11. Re:Dangerous? by dgatwood · 2010-04-19 07:29 · Score: 1
  
  Six weeks after the newspaper runs a story accusing you, your employer gives you a pink slip, and the entire town vilifies you....
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
12. Re:Dangerous? by izomiac · 2010-04-19 08:59 · Score: 1
  
  Actually I do. The iPhone and Android predominate though, since they run the best versions of medical software (colored graphs, pill identifiers, misc. smaller apps, etc.). Blackberries aren't very popular around here since they require a $100 software package plus an extra $20/month to check one's university e-mail. Palms are the rarest, but a few people use them. OTOH, the relative popularity of each platform differs by demographics and institution.
13. Re:Dangerous? by NiteShaed · 2010-04-19 09:24 · Score: 1
  
  Yes, they are. I would consider a phone that has longer battery life to be safer.
  How long is long enough for you then? Emergencies generally can't be predicted, so unless your battery life is "infinite", it's just as possible that you'll desperately need your phone 5 minutes after you take it from the charger as it is that you'll need it 12 hours after its last charge....
  
  --
  Some bring out the best in others, some the worst. Some bring out far more.
14. Re:Dangerous? by ianare · 2010-04-19 10:15 · Score: 1
  
  I would say at least 48 hours, if I spend the night out I should'nt have to bring a charger. This is becoming less of a problem with the introduction of universal chargers, but most people have proprietary chargers still. An emergency can and has arrived on my way home from a friend's house late one night, my phone was dead - it only lasts about 10 hours.
15. Re:Dangerous? by Itninja · 2010-04-19 10:30 · Score: 1
  
  Doubtful. It's not like it is on TV. In many vicious custody battles (or any other heated legal conflict) accusations of "being a pedophile" or planting "kiddie porn" (along with many other false accusations) are not that uncommon. Just like anything else, the issues are investigated (usually via search warrant on our computer) and, if found to be fraudulent, dismissed. Nothing even goes to court.
  
  --
  I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
16. Re:Dangerous? by KiwiSurfer · 2010-04-19 10:38 · Score: 1
  
  Routing calls without a SIM card is not the case in some countries. In New Zealand, for example, all carriers have disabled non-SIM emergency calls at the request of the emergency services. However any phones with a valid SIM in it will be able to make emergency calls.
17. Re:Dangerous? by Achromatic1978 · 2010-04-19 11:42 · Score: 1
  
  I can think of a few, especially with the medical field. If a hospital can't get in touch with the doctors on call because they all have similarly compromised phones then I'd imagine that patient care would suffer. Or if the phones become so glitchy that Epocrate's drug interaction checker doesn't work, leading to that step geting skipped since there's no time to do it manually (3! to 15! possible interactions per patient). Or the doctor's account on the EMR system is compromised so patient information is leaked and used nefariously.
  Since you mention Epocrates, I'm going to presume you're in the field. To which I say, if your on-call system for emergency physicians relies solely on cell systems, you're doing something wrong. As someone also in the field, a day job involving EMR, part time EMS, training as a full time medic, if there's even the slightest possibility you might be required on call/demand in our system, pre-hospital or hospital, you have a cell phone and a pager (and in our case we run a pager network, with county-owned towers to ensure as high a quality of reception as possible).
18. Re:Dangerous? by izomiac · 2010-04-19 14:13 · Score: 1
  
  I'm still a student, a couple months away from clinical rotations, so it's very possible there are multiple methods of contact. I have seen very few people carrying multiple devices though, so I don't think there is that much redundancy here. OTOH, "here" is a pretty large hospital in a decent sized city with good cell coverage, so I suspect only the most essential personnel have a dual device requirement.
19. Re:Dangerous? by gmhowell · 2010-04-19 14:58 · Score: 1
  
  Trust me, most of the time, the nurses don't need you. You just get in the way of people doing actual patient care.
  (GF is a nurse, father is a doctor, sadly, this isn't a troll.)
  
  --
  Jesus was all right but his disciples were thick and ordinary. -John Lennon
Wow by coniferous · 2010-04-19 05:36 · Score: 5, Insightful

I cannot belive that: a) An exploit like this exists. SANITIZE ALL INPUTS! b) It took this long to find. This reminds me a lot of the exploit on android where it acted like all text entered was typed into a terminal.
1. Re:Wow by interval1066 · 2010-04-19 05:49 · Score: 1
  
  No kidding, this is like html 101. Every employer I've spoken to since the 90's who was considering me for any kind of web work has asked me if I know how to guard against xss and sql injection attacks. This is not some arcane black art. No wonder Palm is failing. And I like WebOS as a platform.
  
  --
  Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
2. Re:Wow by Hurricane78 · 2010-04-19 06:29 · Score: 1
  
  It took this long to find.
  Hey, this is the fastest exploit ever done by a user community... of about 3 people. ^^
  
  --
  Any sufficiently advanced intelligence is indistinguishable from stupidity.
3. Re:Wow by jellomizer · 2010-04-19 06:32 · Score: 1
  
  You are making the assumption that the part that does the rendering of the SMS calls and formatting were part of the same group that takes the SMS and call the function. You assume that this was in the specs for people to follow. And no one brought it up because they though the other team has the problem fixed. And the they had a timeline where they could make this issues for all systems...
  
  --
  If something is so important that you feel the need to post it on the internet... It probably isn't that important.
4. Re:Wow by teknopurge · 2010-04-19 06:59 · Score: 3, Interesting
  
  There was an SMS exploit for a version of iPhone OS that would brick it, and just checking with a few people there are some nasty 0-days out there for it. At least you can't turn the Palm into a paperweight from 10,000 miles away...
  
  --
  Website Hosting
5. Re:Wow by omglolbah · 2010-04-19 08:39 · Score: 1
  
  That wasnt actually an exploit.
  That was someone forgetting to disable a debugging shell with a global input hook :-p
eh hem... by djupedal · 2010-04-19 05:40 · Score: 1

"...rudimentary HTML injection bug...."

There are so many wrongs going on at once there. I'll just pick one, load a round in the chamber and mutter 'rudimentary' is redundant. Ok, two...'injection bug'? WTF? --- now get off my lawn!
WebOS 1.4 by spiderbitendeath · 2010-04-19 05:41 · Score: 5, Interesting

My Pre is running the latest 1.4.1.1 WebOS version. I tried their "exploits" on it, it did nothing, had no affect on it. In the video they're running an outdated version of WebOS, 1.3.5. WebOS will download updates OTA automatically, and install them if you don't do it after a certain number of days. To me, the likeliness of these still being issues is close to null and void.

--
Sometimes when I'm working on projects things disappear, I suspect gremlins.
1. Re:WebOS 1.4 by Codename+Dutchess · 2010-04-19 05:46 · Score: 1
  
  But the fact remains, that if this went so long without being published, what else could be buggy? This might have been small, but at revision 1.3.5 they still didn't figure it out? I can't imagine what comes next.
2. Re:WebOS 1.4 by aitikin · 2010-04-19 05:59 · Score: 1
  
  Mind you, these were disclosed to Palm so they could fix them before 1.4 was released (at least that's what is claimed in the video).
  
  --
  "Don't meddle in the affairs of a patent dragon, for thou art tasty and good with ketchup." ~ohcrapitssteve
3. Re:WebOS 1.4 by X0563511 · 2010-04-19 06:04 · Score: 4, Informative
  
  1.4 explicitly fixed these issues.
  
  --
  For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
4. Re:WebOS 1.4 by nurb432 · 2010-04-19 08:18 · Score: 1
  
  But a headline of 'Severe bug fixed several revisions back, all is safe' isn't as likely to get readers.
  
  --
  ---- Booth was a patriot ----
5. Re:WebOS 1.4 by X0563511 · 2010-04-19 10:59 · Score: 2, Funny
  
  Indeed. I actually jumped into the developer's IRC channel to check in on this, and one of them told me about it being fixed already.
  I felt like an ass. Thanks, Slashdot.
  
  --
  For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
Anonymous Coward by Anonymous Coward · 2010-04-19 05:43 · Score: 2, Informative

This has been fixed with the 1.4 update, not sure why it's news.
1. Re:Anonymous Coward by hduff · 2010-04-19 06:43 · Score: 1
  
  This has been fixed with the 1.4 update, not sure why it's news.
  It's news because it was in a 1.x version and it's a basic coding fuckup they were slow and careless not to have fixed before now.
  Who knows what else they have yet to fix?
  That's why it's news.
  
  --
  "I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
2. Re:Anonymous Coward by gtbritishskull · 2010-04-19 09:09 · Score: 1
  
  The whitehat team that found it told Palm about it before 1.4 was released and did not publish the exploit until it had been patched. I don't think they should get punished publicity-wise because they decided to follow ethical practices.
This Just in... by chriso11 · 2010-04-19 06:29 · Score: 1

Other 'news' - Apparently, Apple is going to make a phone! Maybe it's will be as big as the Ipod!

--
No, I don't trust in god. He'll have to pay up front, like everybody else.
Re:Well, whaddaya know? by changa · 2010-04-19 06:36 · Score: 1

How is that rock you have been living under?
Re:Well, whaddaya know? by dahud · 2010-04-19 06:49 · Score: 1

Nice and cozy, thanks.
Re:Intrepidus are straight up losers. by zullnero · 2010-04-19 06:59 · Score: 2, Informative

Oh, darn it. Slashdot's login script didn't execute in time for me to post this as myself.
WebOS does display sanitization by default by ensignyu · 2010-04-19 07:00 · Score: 4, Interesting

You have to explicitly enable the "I know what I'm doing, stop protecting me" flag in your app to allow these types of exploits.
http://developer.palm.com/index.php?option=com_content&view=article&id=1756
1. Re:WebOS does display sanitization by default by ensignyu · 2010-04-19 08:00 · Score: 1
  
  Sanitization has been on by default since WebOS 1.1.
  It's up to the individual developers to make sure their app is secure -- which it is by default if they don't disable the security features provided by WebOS.
2. Re:WebOS does display sanitization by default by Jahava · 2010-04-19 08:26 · Score: 1
  
  Sanitization has been on by default since WebOS 1.1.
  It's up to the individual developers to make sure their app is secure -- which it is by default if they don't disable the security features provided by WebOS.
  This suggests that the developer of the SMS app in question (which is still Palm, I think) explicitly declined to utilize WebOS's sanitization support. While I'll give basic kudos to the WebOS developers for foreseeing this issue and negating it by default, it still stands that Palm released a live operating system with a vulnerable (at its own request) SMS application. The WebOS developers might have been smart, but the SMS application developers ruined the party for everyone.
  So anyone want to brainstorm why an SMS application would want to manually opt-out of input sanitization? Seriously ... I can't think of any... :-/
3. Re:WebOS does display sanitization by default by someSnarkyBastard · 2010-04-19 16:44 · Score: 1
  
  That may indeed be true but how many release-quality products do you think ship with that code turned off for performance reasons?
Re:On the positive side by joetomato · 2010-04-19 07:56 · Score: 1

I just bought one last week, and my wife's will be getting here either today or tomorrow, you insensitive clod!
Nohing to see here, please move along by loftwyr · 2010-04-19 08:35 · Score: 2, Informative

From the source release:
(Note: the findings herein affect WebOS 1.3.5. Palm has since released WebOS 1.4, which fixes these vulnerabilities, though not all handsets or carriers are running this version. Due to contractual agreements, the public disclosure of this information was delayed.)
Javascript Handicap by r7 · 2010-04-19 08:53 · Score: 1

These bugs can all be traced back to that fact that WebOS is essentially a web browser and the applications are written in JavaScript and HTML.
The article is accurate in so far as JavaScript is concerned. Palm has a long way to go if they ever hope to implement javascript securely on the scale they're using it. Checks have to be built into the SDK and the client engine, and they have to be updated regularly (quite frequently if Firefox' Noscript is any benchmark).
I've authored enough JS (not to be confused with CSS) to doubt that Palm will be able to do it. Nobody else has implemented JS securely, so WebOS device owners should expect to be hacked and use their cell phones accordingly.
Minor thing on minor OS in old version has bug by SlappyBastard · 2010-04-19 13:00 · Score: 1

Yay, Slashdot. Some days I wonder if my time wouldn't be better spent in the comments section of Digg.

--
I scream. You scream. I assume that means we're both acquainted with the problem. We proceed.
I'm going to get flamed for this but... by aXis100 · 2010-04-19 13:07 · Score: 1

This is why "software engineering" fails to be taken seriously. How in this day and age an OS can be released without simple checks and balances like input validation is beyond me. The only excuse is "the developer couldnt be bothered, and no-one checked up on him".
Most programmers these days are the equivalent or tradespeople and artisans - sure many of them are very talented, but as a group still lack the formal QA and inherent attention to risk management that any real engineering should have.
1. Re:I'm going to get flamed for this but... by aXis100 · 2010-04-19 13:38 · Score: 1
  
  Sorry, it was the SMS client and not the core OS, but the fact that it could still be hacked though injection is bad.
I don't understand by Pence128 · 2010-04-19 14:27 · Score: 1

How are things like this even possible? Did someone someday decide it would be a good idea to interpret data as code?

--
404: sig not found.
Obligatory... by Illogical+Spock · 2010-04-19 14:36 · Score: 1

FacePALM!

--
--- Illogical Spock
For Extra Credit... by UnknownIdiot · 2010-04-20 00:17 · Score: 1

See the 26th Chaos Communications Congress: Fuzzing the Phone in your Phone. http://events.ccc.de/congress/2009/Fahrplan/events/3507.en.html