Friday, April 16, 2010

Security Experts 'Shocked' by Palm's WebOS Vulnerabilities

It's the last thing Palm needed to hear: The crown jewel in its family of assets, its WebOS operating system, is fraught with security vulnerabilities, according to mobile security consultancy Intrepidus, which will release details of a year-long investigation early next week.

The firm's co-founder and Chief Technology Officer Aaron Higbee tells me he was "shocked" when he discovered how easy it was to hack Palm's WebOS, believing the company rushed its operating system to market at the expense of addressing fundamental security issues. "There is a problem with the architecture," says Higbee, who says the original security issues discovered have been addressed and resolved by Palm, but that once his firm's methodology is published, "researchers will re-apply our methods. Palm and WebOS vendors are gonna have a slew of problems disclosed to them."


Intrepidus was contracted by an unnamed third-party software maker trying to create an application for the WebOS platform. The Intrepidus client asked for a security review of the platform so it could understand what measures might need to be taken in its app development.

"I was shocked," says Rajendra Umadas, an Intrepidus consultant who made the initial discovery. "When I first stumbled upon it, I stood back from the computer and thought to myself, 'I didn't just do that, did I?' So, I went out for some coffee, came back, I saw what I did and I was pretty shocked. It was too easy. It was definitely very shocking."


What he had discovered was that merely by sending a single SMS text to a WebOS handset, he could essentially take over the entire device. The vulnerabilities allowed him to remotely dial 911 from a handset and lift contact lists. Because the WebOS operating system is essentially a mobile browser, it's susceptible to all the weaknesses conventional browsers have faced in the past. That is what so surprised the Intrepidus team: Palm apparently didn't take steps to protect against so many threats that were already so well known.

"Palm released this WebOS with prior knowledge that these web app vulnerabilities existed. They rushed it to market," says Higbee.
