Researchers crack Palm's WebOS via text message

Palm appears to have put 'almost no thought' into the security of the WebOS platform powering the Palm Pre, according to security researchers
Written by Matthew Broersma, Contributor

Palm's WebOS, the software on which the company's Pre smartphone is based, is 'riddled' with dangerous security flaws, according to security researchers who said they were able to crack the operating system via text message.

A probe of WebOS uncovered a number of easy-to-find bugs, giving the impression that Palm had put minimal effort into security, researchers from Intrepidus Group said in an advisory published on Friday.

The firm also published a video demonstrating a Palm Pre being cracked via text message.

The researchers demonstrated text messages being used to point the device's web browser to a particular website, forcing the device to begin downloading a message and turning off the handset's radio, among other actions.

The advisory publicised flaws Intrepidus discovered in WebOS 1.3.5, a release dating from December 2009. The researchers said before publishing the information, they informed Palm, which patched the bugs specifically mentioned in the advisory in WebOS 1.4, released in February.

"The specific vulnerabilities depicted in the video have been responsibly disclosed and remedied to the best of Palm's abilities," Intrepidus said in the video.

However, not all Palm devices use the newer software. Moreover, Intrepidus said, the platform contains many other security bugs that haven't yet been publicly disclosed due to weaknesses in the way Palm developed the platform.

"We feel that Palm put almost no thought into security during their development of WebOS," Intrepidus said. "All of the low-hanging fruit discovered should have been identified in the most basic of threat models, which should have been performed during the very early development stages of WebOS, way before any code was written."

The flaws are all due to WebOS's programming model, which treats the operating system as a web browser, with applications written in JavaScript and HTML, the researchers said.

"This... means that WebOS applications are subject to the numerous web-application vulnerabilities that any seasoned penetration tester would be all too familiar with," the researchers stated.

They found the SMS client was not performing input/output validation on the messages sent to the handset, allowing them to carry out an HTML injection attack.

"Coupled with the fact that HTML injection leads directly to injecting code into a WebOS application, the attacks made possible were quite dangerous — especially considering they could all be delivered over a SMS message," the researchers stated.

Intrepidus warned that similar bugs could be present in other WebOS applications.

"We hope that by seeing these attacks in action, WebOS application developers will know what kind of defences they must code into their applications," the firm stated.

Palm last month reported disappointing earnings for its third quarter, and the company said fourth-quarter revenue would be less than half what Wall Street was expecting.

The company's smartphones, such as the Pre, have struggled to compete against the likes of RIM's BlackBerry, Apple's iPhone and Google's Android, Palm said. Industry reports have suggested Palm may be up for sale, with the company's principal value being the patents and technology in WebOS.

"Security is very important to Palm, and we have a track record of quickly responding to reports of suspected vulnerabilities through our established reporting process. Our over-the-air updates allow us to seamlessly correct any vulnerabilities that Palm or the community identify. We are unable to address vulnerabilities that are not responsibly reported to us, but we are committed to working with any third parties who contact us," a Palm spokesman told ZDNet UK on Tuesday.

Editorial standards