Security researchers at the Intrepidus Group have hacked into Palm's new WebOS platform, using nothing more than text messages to load potentially malicious Web pages or turn off the device's radio.
Hackers at the security consulting firm found that the WebOS SMS client did not properly validate input/output validation on any SMS messages sent to the handset.In a blog post, the researchers explained:
This led to a rudimentary HTML injection bug. Coupled with the fact that HTML injection leads directly to injecting code into a WebOS application, the attacks made possible were quite dangerous (especially considering they could all be delivered over a SMS message).
The researchers were able to send a number of text messages to a device running WebOS to perform HTML injection attacks that opened a Web site by simply reading a text message or, worse, turned off the handset's radio.
The research team said the flaws were uncovered "within a matter of hours," suggesting that Palm "put almost no thought into security during their development of WebOS."
All of the low-hanging fruit discovered should have been identified in the most basic of threat models, which should have been performed during the very early development stages of WebOS, way before any code was written. If they were, then we would imagine that slight changes to the underlying architecture of WebOS could have been implemented to protect against common web application vulnerabilities that are found in WebOS applications. Or, at the very least, common web application vulnerabilities would not have surfaced in WebOS applications written by Palm themselves.
The team created a video (embedded below) to demonstrate the HTML injection attack vectors.
While the research was limited to the Palm WebOS platform, Intrepidus cautioned that any app installed via the market place (even other Palm developed apps) may be vulnerable to this or other common web applications vulnerabilities.
Palm provided a stock "we care about security" comment in this CNBC story on the problems.