cracking's archives

Contacts, SecTheory, Security, crack, cracking, exploit, hack, hacking, news, security exploit, webOS 1.4.5, webOS 2.0

Security exploit uncovered in webOS 1.4.X, fixed in 2.0

November 26th 2010 | Posted by Derek Kessler

Contacts exploit discovered in webOS

Two researchers with SecTheory have announced that they have uncovered flaws in older versions of webOS that would allow for remote command and control of the devices. These exploits were discovered in webOS 1.4.X (1.4.0 through 1.4.5), but some have since been patched in webOS 2.0.

Because webOS is built on web technologies, it will always be possible to hack the operating system using techniques similar to those used to exploit websites. Considering that our phones generally contain far more personal information than any single website, that can be slightly worrying. Of course, the other side of the coin tells us that webOS wouldn’t be webOS without these web technologies. With every mobile platform there are trade-offs: ease of programming and accessibility lead to a more easily exploited operating system.

According to the researchers, the Company field in the 1.4.X Contacts app is “unsanitized,” allowing them to inject code that could pull other information from the Contacts database. Additionally, they were able to insert a JavaScript hook that enabled the use of tools such as keyloggers, possibly leading to botnets and the like.

There are at least two unmentioned caveats to this exploit: first, the code isn’t executed until the user views it (it sits there until the contact containing the malicious code is opened and viewed), and second, the code still has to get on the device somehow. We can think of a few ways to get the code into a contacts field of your device. Inserting it through a web-based contacts application (e.g. Google Contacts or their Exchange database, but then you still have to crack the user’s password) is the only remote manner we can fathom. Everything else requires either interaction with the user (accepting a transmitted vCard contact through email or other means) or physical access to the device. And if somebody else has access to your phone, you’re pretty much screwed anyway.
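The flaw described above comes down to a contact field being placed into the app's HTML without escaping, with a vCard as one way the field gets filled. The following JavaScript is an added illustration, not code from Palm, SecTheory or the original post: every function name is hypothetical, and the sample vCard is constructed with a harmless bold tag standing in for injected markup. It shows the unescaped "before" rendering beside an escaped one, plus an import-time check a defender could run on incoming contacts.

```javascript
// Hypothetical helpers for illustration; these are not webOS or Palm APIs.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the characters that let text break out of HTML content or attributes.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Minimal vCard reader: unfold continuation lines, then pull FN and ORG.
function parseVCard(raw) {
  const unfolded = raw.replace(/\r?\n[ \t]/g, '');
  const contact = { name: '', company: '' };
  for (const line of unfolded.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx < 0) continue;
    const prop = line.slice(0, idx).split(';')[0].toUpperCase();
    const value = line.slice(idx + 1);
    if (prop === 'FN') contact.name = value;
    if (prop === 'ORG') contact.company = value.split(';')[0]; // first ORG component
  }
  return contact;
}

// Import-time check: list the fields whose value looks like markup or script.
function suspiciousFields(contact) {
  const markup = /<[a-z!\/][^>]*>|javascript:|\bon\w+\s*=/i;
  return Object.keys(contact).filter((key) => markup.test(contact[key]));
}

// "Before": the field is concatenated into the view as-is, so markup in it is live.
function renderUnsafe(contact) {
  return '<div class="company">' + contact.company + '</div>';
}

// "After": the same view with the field escaped, so it is displayed as text.
function renderSafe(contact) {
  return '<div class="company">' + escapeHtml(contact.company) + '</div>';
}

// Constructed sample input.
const SAMPLE_VCARD = [
  'BEGIN:VCARD', 'VERSION:3.0', 'FN:Pat Example',
  'ORG:Acme <b id="marker">Corp</b>', 'END:VCARD',
].join('\r\n');
```

Escaping at render time is the control that matters; the import check is only a signal for logging or prompting the user, since a contact can also arrive through sync.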

Overall, like every other security exploit revealed to date about webOS, we’re not too concerned. There are all sorts of ways to exploit webOS, some of which are essential to fun stuff like homebrew. That said, we’re not super huge fans of malicious exploits, and we’re glad to see that Palm has fixed this particular problem with the release of webOS 2.0. Now if only those of us that don’t have Pre 2 phones could download the new OS…

Source: Darkreading; Via: Engadget; Thanks to everybody that sent this in.



DMCA, copyright, cracking, hacking, jailbreaking, news, patching

U.S. Copyright Office issues new rules supporting smartphone jailbreak

July 26th 2010 | Posted by Jonathan I Ezor

After a rulemaking process lasting more than a year, the U.S. Copyright Office (which is part of the Library of Congress) has issued new rules about the types of activities, including some smartphone-related ones, that it feels do not violate the anti-circumvention rules of the Digital Millennium Copyright Act ("DMCA").

By way of background, the DMCA, in addition to clarifying how online activities would be treated under U.S. copyright law, created a new prohibition against circumventing (going around) a copyright holder’s protections, whether code-based or otherwise, in addition to any claims of infringement. Not only is it illegal to do this circumvention, but it’s also illegal to "traffic" in technologies for doing so (which is how the people who published the DeCSS Linux DVD decryption algorithm also got into trouble). The problem is that, while the anti-circumvention rules may help to prevent piracy, they can also make it harder to do things that are otherwise legal, such as excerpting a small portion of a copy-protected DVD movie to show as part of a review, or creating tools that work well on locked-down smartphones. As a result, the Copyright Office proposed and has now finalized carveouts for some of these activities.

Among the six exceptions to the DMCA (to be published on Tuesday, July 27 in the Federal Register) are two that are of immediate relevance to our community:

(2) Computer programs that enable wireless telephone handsets to execute software applications, where circumvention is accomplished for the sole purpose of enabling interoperability of such applications, when they have been lawfully obtained, with computer programs on the telephone handset.

(3) Computer programs, in the form of firmware or software, that enable used wireless telephone handsets to connect to a wireless telecommunications network, when circumvention is initiated by the owner of the copy of the computer program solely in order to connect to a wireless telecommunications network and access to the network is authorized by the operator of the network.

How does this affect webOS? Well, there are already plenty of open source components in webOS and beyond that, it’s much more accessible than, say, iOS. While Palm and HP have been substantially more friendly to patchers, there are still elements of the operating system and especially the third-party applications bundled with it whose interoperability and background function is, shall we say, of interest to some. Having this new guidance from the Copyright Office may provide some comfort to our developer community that their exploration might not be as potentially hazardous to their legal health as they’d previously thought.

Still – it’s fun to note that webOS is more open than some open source projects and that the very idea of having to jailbreak or root a webOS is kind of silly – that access is baked in and documented for any and all to use right out of the box.

More coverage: Android Central & What jailbreaking/unlocking DMCA means for end users at TiPb
