
In an article over at cnbc, we read that a security consultant firm called Intrepidus has performed a year-long review of security on webOS and have come away ‘shocked’ at the holes they’ve found. Chief among them was a remote exploit based on sending a simple SMS message that gives the attacker the ability to gather all sorts of nefarious information.
It’s important to note that ‘the original security issues discovered have been addressed and resolved by Palm.’ However, the company suggested that their methodology could be repeated in other contexts to discover more security holes. At its core, Intrepidus appears to allege that webOS’ security issues stem from the fact that it’s essentially a web-browser-based system and is therefore vulnerable to many of the same issues that have plagued desktop browsers for years.
In a comment within the article, Palm notes that they have a good track record of responding quickly to vulnerabilities and can’t ‘address vulnerabilities that are not responsibly reported to us.’ That last is a not-so-subtle reminder of the tension between telling a company about a security hole privately and publicly releasing it to gather greater attention for the problem.
We briefly overviewed webOS’ security from a high level back in September but there are always holes to be found and filled. Last year Palm, true to their word, showed remarkable agility at patching up various security issues related to the OS and the App Catalog. In fact, Palm has included security updates and fixes in ten OS releases for webOS since launch.
Folks are already talking in our forums – what do you think? Nervous? Calling FUD?
Thanks to subzero80 for the tip!
Update: Intrepidus Group has posted up examples of the SMS injection ‘sploit, along with some pretty strong words regarding their thoughts on webOS security:
As we started to pry a little it became quite apparent that Palm’s new WebOS platform was riddled with some pretty dangerous bugs. These bugs can all be traced back to the fact that WebOS is essentially a web browser and the applications are written in JavaScript and HTML. This also means that WebOS applications are subject to the numerous web application vulnerabilities that any seasoned penetration tester would be all too familiar with. We were also quite surprised at how quickly these vulnerabilities were discovered. Within a matter of hours we started to uncover a number of low-hanging-fruit vulnerabilities that would be considered quite dangerous under even the most forgiving of standards.
They also have a snark-filled video showing the issues with webOS 1.3.5.x – all of which have been remedied by Palm in 1.4 and beyond. Video embedded after the break; steel yourself for some vitriol.
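To make the point in the Intrepidus quote concrete, here is an added example (not Intrepidus' or Palm's code, and not taken from their write-up) of the vulnerability class an HTML/JavaScript-based messaging app falls into when it renders an incoming SMS body as markup, alongside the escaping that closes the hole and a small check a defender can run over a renderer. The message bodies, phone numbers and function names are all constructed for the example.

```javascript
// Added example, not webOS or Intrepidus code. Shows why an app written in
// HTML/JavaScript is exposed to classic web injection if it splices an SMS
// body straight into markup, and how output encoding removes that exposure.

// Constructed sample SMS records, as a message store might hand them to the UI.
const SAMPLE_SMS = [
  { from: "+15551230001", body: "Lunch at 12? Meet at the usual place." },
  { from: "+15551230002", body: "<b>Bold</b> claims & <i>italics</i>" },
  // Constructed hostile body: markup hidden inside an ordinary text message.
  { from: "+15551230003", body: "hi <script>alert(1)</script>" },
];

// Vulnerable pattern: message text concatenated into HTML. Any tag inside the
// SMS becomes live markup the moment this string is assigned to innerHTML.
function renderMessageUnsafe(msg) {
  return `<div class="sms"><span class="from">${msg.from}</span>: ${msg.body}</div>`;
}

// Encode the five characters that can open or close HTML syntax.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened form: every untrusted field is encoded before it meets the
// template, so the rendering engine displays the text instead of parsing it.
function renderMessageSafe(msg) {
  return `<div class="sms"><span class="from">${escapeHtml(msg.from)}</span>: ${escapeHtml(msg.body)}</div>`;
}

// Defender-side check for a renderer's output: does it contain an executable
// element or inline event handler that the template itself never emits?
function containsLiveTag(html) {
  return /<\s*(script|iframe|img|svg|object|embed)\b/i.test(html) ||
         /\son[a-z]+\s*=/i.test(html);
}

// Run the check over a batch of messages; one boolean per message, where
// true means the rendered output carries live markup from the SMS body.
function auditRenderer(render, messages) {
  return messages.map((m) => containsLiveTag(render(m)));
}

console.log("unsafe:", auditRenderer(renderMessageUnsafe, SAMPLE_SMS)); // [false, false, true]
console.log("safe:  ", auditRenderer(renderMessageSafe, SAMPLE_SMS));   // [false, false, false]
```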