Two researchers with SecTheory have announced that they have uncovered flaws in older versions of webOS that would allow for remote command and control of the devices. These exploits were discovered in webOS 1.4.X (1.4.0 through 1.4.5), but some have since been patched in webOS 2.0.

Due to webOS’ web-tech base, it will always be possible to hack the operating system using techniques similar to those used to exploit websites, though taking into consideration the fact that our phones generally contain far more personal information than any single website, it can be slightly worrying. Of course, the other side of the coin tells us that webOS wouldn’t be webOS without these web technologies. With every mobile platform there are trade-offs. Easy of programming and accessibility leads to a more easily exploited operating system.

According to the researchers, the Company field in the 1.4.X Contacts app is “unsantized,” allowing them to inject code that allowed them to pull other information from the Contacts database. Additionally, they were able to insert a JavaScript hook that enabled the use of tools such as keyloggers, possibly leading to botnets and the like.

There are at least two unmentioned caveats to this exploit: first the code isn’t executed until the user views it (it sits there until the contact containing the malicious code is opened and viewed), and the code still has to get on the device somehow. We can think of a few ways to get the code into a contacts field of your device. Insert it through a web-based contacts application (e.g. Google Contacts or their Exchange database, but then you still have to crack the user’s password) is the only remote manner we can fathom. Everything else requires either interaction with the user (accepting a transmitted vCard contact through email or other means) or physical access to the device. And if somebody else has access to your phone, you’re pretty much screwed anyway.

Overall, like every other security exploit revealed to date about webOS, we’re not too concerned. There are all sorts of ways to exploit webOS, some of which are essential to fun stuff like homebrew. That said, we’re not super huge fans of malicious exploits, and we’re glad to see that Palm has fixed this particular problem with the release of webOS 2.0. Now if only those of us that don’t have Pre 2 phones could download the new OS...

Source: Darkreading; Via: Engadget; Thanks to everybody that sent this in.

Firesheep is a Firefox extension designed as a way to show just how insecure some websites are. You can sit on an open network and 'listen' for passwords to popular sites that don't properly or fully implement HTTPS and SSL. The folks at codebutler want to call attention to poorly coded sites and users who don't think before sending their passwords over open WiFi Networks (and yes, people with less high-minded goals can also use the tool).

PreCentral reader Sebastian has ported the plugin over to webOS. The above video shows Firesheep on the Pre easily hijacking a Gowalla session. The webOS Firesheep app does not show a list of nearby logged in accounts like the Firefox plug in, but in the video it automatically detects the Gowalla log in and takes it over. 

The lesson? Ask websites that don't offer secure login to do so. Or use VPN (which, by the by, is built-in to webOS 2.0). Or just keep an eye out for Pre owners at your local Starbucks and pay special attention if one happens to look at you and cackle maniacally.

Source: Youtube; Thanks Sebastian!  

Research company KPMG conducted a survey of some 5,600 people in 22 countries to ascertain what their mobile banking habits were, and the results are rather interesting.  Only 16% of respondents in the US said they were comfortable using their mobile devices for financial transactions, up from 7% last year. The report reveals that while US consumers are beginning to adopt the practice in greater numbers, they're still behind much of the world:  a good third of the respondents in other countries are comfortable making financial transactions from their mobile devices.  The reason against engaging in such activities on their mobiles, according to 56% of the American respondents, were security and privacy concerns.

The PreCentral readership is generally a tech-savvy bunch, so we we're curious: how many of you access your bank accounts and otherwise engage in financial transactions through your phone/tablet/web-connected microwave?

Source: Press Release

In an article over at cnbc, we read that a security consultant firm called Intrepidus has performed a year-long review of security on webOS and have come away 'shocked' at the holes they've found. Chief among them was a remote exploit based on sending a simple SMS messages that gives the attacker the ability to gather all sorts of nefarious information.

It's important to note that 'the original security issues discovered have been addressed and resolved by Palm.' However, the company suggested that their methodology could be repeated in other contexts to discover more security holes. At core, Intrepidus appears to allege that webOS' security issues stem from the fact that it's essentially a web-browser-based system and so therefore vulnerable to many of the same issues that have plagued desktop browsers for years.

In a comment within the article, Palm notes that they have a good track record of responding quickly to vulnerabilities and can't 'address vulnerabilities that are not responsibly reported to us.' That last a not-so-subtle reminder about the tension between telling a company about a security hole privately and publicly releasing it to gather greater attention for the problem.

We briefly overviewed webOS' security from a high level back in September but there are always holes to be found and filled. Last year Palm, true to their word, showed remarkable agility at patching up various security issues related to the OS and the App Catalog. In fact, Palm has included security updates and fixes in ten OS releases for webOS since launch.

Folks are already talking in our forums - what do you think? Nervous? Calling FUD?

Thanks to subzero80 for the tip!

Update: Intrepidus Group has posted up examples of the SMS injection 'sploit, along with some pretty strong words regarding their thoughts on webOS security:

As we started to pry a little it became quite apparent that Palm’s new WebOS platform was riddled with some pretty dangerous bugs. These bugs can all be traced back to that fact that WebOS is essentially a web browser and the applications are written in JavaScript and HTML. This also means that WebOS applications are subject to the numerous web applications vulnerabilities that any seasoned penetration tester would be all too familiar with. We were also quite surprised at how quickly these vulnerabilities were discovered. Within a matter of hours we started to uncover a number of low-hanging-fruit vulnerabilities that would be considered quite dangerous under even the most forgiving of standards.

They also have a snark-filled video showing that the issues with webOS 1.3.5.x - all of which have been remedied by Palm in 1.4 and beyond. Video embedded after the break and steel yourself for some vitriol.

read more

With all the coverage of President Obama's efforts to keep his BlackBerry after being elected, as well as the almost daily reports of data breaches (including from lost smartphones and laptops), the issue of security and smartphones is an important one. It's not just politicians with national security clearance either; most users have something they might want to keep away from unwelcome eyes, and those of us with formal obligations of confidentiality (attorneys, doctors, etc.) must be sure that our smartphones won't cause us to break those rules.

So where does the Pre fall in terms of security? In considering security and privacy issues related to any smartphone, there are a number of areas on which to focus, including:

• Operating system
• Transmission and interception
• Phone data

Let's take those in turn, after the break!

read more

This is a good opportunity to point people to http://www.palm.com/us/company/security/index.html on our web site. We have contact information there for reporting security-related issues and appreciate it when people reach out to us. We try to stay on top of the forums and sites, but proactive notification helps make webOS a better and safer platform. We always appreciate the work the developer community does and the efforts made by folks to report such issues.

Brian Hernacki
Chief Security Architect, Palm Inc.
brian.hernacki@palm.com