webOS Q&A Metrix App Mill Forums About Contact Tip Us
News

webOS Remote Bugging Vulnerability discovered

By: , 8/12/2010 11:06 am | 19 comments

There has been a new shift in the focus of malware writers. For many years, the majority of malware was written for Microsoft Windows. Why Windows? Because it has the most number of users. The more users, the more potential victims. The shift that we are seeing recently is towards mobile operating systems. Mobile computing is growing exponentially, and malware writers want to take advantage of this new market.

We’ve heard of exploits malware for Android, iOS (Jailbreaking is exploiting a vulnerability in iOS), and there have been some security issues found (and fixed) in webOS. Lets face it. We’re doing a lot of stuff on our mobile devices that nefarious folks would like to get access to.

webOS is a Linux-based OS. This means that webOS devices are pretty much immune to attacks that would infect a Windows machine. However, like any kind of software, there are bound to be a few bugs and vulnerabilities. If you looked at the release notes for webOS version 1.4.5, you may have seen something in the Security section.

This release addresses several security issues with the Palm webOS software.

We’d like to thank Nils of MWR InfoSecurity and Chris Clark for their help in identifying the issues addressed in this release.

Since Palm most likely was not going to come out and tell the world what the security issue was, we may have never known what the actual issue was. Thankfully, MWR InfoSecurity spoke with the British Tech website, V3.co.uk

Alex Fidgen, director of MWR, told V3.co.uk that a specially crafted text message can subvert Palm’s webOS completely.

The flaw allows the phone to be used as a recorder and transmitter for anything within its microphone’s range.

You receive a specially crafted business card and, once you open it, game over,” said Fidgen. “We were surprised to find the lack of security architecture we needed to exploit in the way that we did.

That’s a bit scary…turning a Pre or Pixi into a remote listening device that someone else is secretly sending somewhere. We’re very glad that this got fixed. But just because this security issue was fixed, doesn’t mean that there are no other security holes in webOS. So, our recommendation is be cautious while using your webOS phone; there is no webOS Anti-virus software to help protect you. Be sure to use the same sort of safe internet practices on your webOS device that you would on your regular computer. If something looks fishy, it probably is.

[Source: V3.co.uk and Palm webOS Release Notes]

flattr this!


  • http://twitter.com/wormdood @wormdood

    A zero day exploit means the exploit was discovered by finding the exploit in the wild and actually infecting devices.

    Is there any evidence this exploit was in the wild?

    • bjshedwick

      Its less of a zero-day, and more of a proof-of-concept. I haven't seen any evidence of this being found infecting webOS devices.

      • http://twitter.com/wormdood @wormdood

        In the security world, there's a big difference between "proof of concept" and "zero day".

        • bjshedwick

          The reference article called it a zero-day flaw.

        • bjshedwick

          Updated the title, so as not to cause undue freak-outs

  • http://www.invasivebamboo.com Vaslin

    You could always get the latest version of Virus Defense available for the Palm Pre and Pixi!
    http://developer.palm.com/appredirect/?packageid=…

    • bjshedwick

      Yeah…… :)

  • http://twitter.com/wormdood @wormdood

    A zero day exploit means the exploit was discovered by finding the exploit in the wild and actually infecting devices.

    Is there any evidence this exploit was in the wild?

    • bjshedwick

      Its less of a zero-day, and more of a proof-of-concept. I haven't seen any evidence of this being found infecting webOS devices.

      • http://twitter.com/wormdood @wormdood

        In the security world, there's a big difference between "proof of concept" and "zero day".

        • bjshedwick

          The reference article called it a zero-day flaw.

        • bjshedwick

          Updated the title, so as not to cause undue freak-outs

  • http://www.invasivebamboo.com Vaslin

    You could always get the latest version of Virus Defense available for the Palm Pre and Pixi!
    http://developer.palm.com/appredirect/?packageid=…

    • bjshedwick

      Yeah…… :)

  • http://twitter.com/tsaunders @tsaunders

    Well looks like VZW is still exposed. I am assuming this is fixed in 1.4.5. If this is such a big flaw they really should get 1.4.5 out (As you can tell I am bitter about not having 1.4.5 – lol)

  • http://twitter.com/tsaunders @tsaunders

    Well looks like VZW is still exposed. I am assuming this is fixed in 1.4.5. If this is such a big flaw they really should get 1.4.5 out (As you can tell I am bitter about not having 1.4.5 – lol)

  • Panagiotis Govotsos

    This is nothing new. There were other exploits using text messages to attack WebOS that were patched by updates. I think it was 1.2 that fixed the first major hole. Personally I’m not so worried about these holes so much as web based attacks. Yes the Pre is a Linux based system that offers a sort of protection simply based on the reatively low number of exploits. What concerns me more is that the Pre as a whole is basically a glorified web browser. HTML & Java based attacks seem the most llikely vulnerability – especially drive bys – all you have to do is open an “infected” webpage and your system gets infected. Other than opening the page, you don’t have to do anything else – not open email, not click on anything, not run anything, just open the page & you’re hit. That’s an inherent vulnerability of a web browser. This accounts for most of the security patches for Internet Explorer. It’s only a matter of time before exploits are crafted for mobile browsers.

  • Panagiotis Govotsos

    This is nothing new. There were other exploits using text messages to attack WebOS that were patched by updates. I think it was 1.2 that fixed the first major hole. Personally I’m not so worried about these holes so much as web based attacks. Yes the Pre is a Linux based system that offers a sort of protection simply based on the reatively low number of exploits. What concerns me more is that the Pre as a whole is basically a glorified web browser. HTML & Java based attacks seem the most llikely vulnerability – especially drive bys – all you have to do is open an “infected” webpage and your system gets infected. Other than opening the page, you don’t have to do anything else – not open email, not click on anything, not run anything, just open the page & you’re hit. That’s an inherent vulnerability of a web browser. This accounts for most of the security patches for Internet Explorer. It’s only a matter of time before exploits are crafted for mobile browsers.

  • Panagiotis Govotsos

    This is nothing new. There were other exploits using text messages to attack WebOS that were patched by updates. I think it was 1.2 that fixed the first major hole. Personally I’m not so worried about these holes so much as web based attacks. Yes the Pre is a Linux based system that offers a sort of protection simply based on the reatively low number of exploits. What concerns me more is that the Pre as a whole is basically a glorified web browser. HTML & Java based attacks seem the most llikely vulnerability – especially drive bys – all you have to do is open an “infected” webpage and your system gets infected. Other than opening the page, you don’t have to do anything else – not open email, not click on anything, not run anything, just open the page & you’re hit. That’s an inherent vulnerability of a web browser. This accounts for most of the security patches for Internet Explorer. It’s only a matter of time before exploits are crafted for mobile browsers.