webOS SMS exploit revealed, fixed in 'current version' of webOS 21
Firm MWR Infosecurity claims to have discovered a vulnerability in webOS that would allow an attacker to create a specially crafted SMS message that would allow them to "subvert webOS completely." Once the attacker gains control, the phone's microphone could be utilized to record and transmit whatever is picked up around it.
Reached for comment, Palm has told us that "The current version of webOS fixes the security vulnerability reported to Palm."
We at PreCentral assume that the "current version" with the fix is webOS 1.4.5, which has been released to nearly all carriers in all regions, excepting most prominently AT&T and Verizon. As with OS updates in the past, we hope and expect that 1.4.5 will roll out to those users soon.
The exploit sounds awfully similar to the SMS injection exploit that was discovered in webOS 1.3.1 and subsequently remedied by Palm in later releases of the operating system. It is notable that webOS 1.4.5's release notes for Sprint do mention MWR in regard to fixing a security issue.
Via: The Inquirer, Source: V3, webOS 1.4.5 Release Notes; More coverage: webosroundup; Thanks to fusion 158 for the tip!
21 Comments
"Once the attacker gains control, the phone's microphone could be utilized to record and transmit whatever is picked up around it."
How can this happen when the microphone API is not available and developers can't get access to the microphone with their apps?
Because it probably allows somebody to install an IPK file via TXT (some sort of file redirect exploiting SMS and browser) which has something similar to zcorder (in that it is using methods to directly capture microphone audio).
Oh, dang. Hackers gone wild. And stupid Palm for not resolving this issue sooner. Well, I'm still vulnerable cuz I'm with Verizon!
No platform is 100% secure. Palm fixed the hole and it loks like they fixed it right after finding out about it. Hard to ask for more than that.
Pretty crazy stuff - hopefully after seeing this information, Verizon will make it a point to speed up the process to get 1.4.5 out sooner. Would hate to see anybody get exploited like that because of the lack of updates.
Where is this PIN entry screen from? My Pre let's you enter more then 4 numbers and makes you hit enter.
sprint
this is an old screen shot as with old WebOS versions we sprint users could not enter more than four numbers - we can now thanks to the enhancements Palm has made through WebOS updates
Will the creators of this exploit please port a version of Shazam for WebOs, thank you!
wow thank god I'm on Sprint running version 1.4.5.... Most companies don't know weaknesses to their OS until a security company finds it. Hence the AT&T ipad problem a little while ago, HTC Android phones saving screen shots (god forbid if you were doing online banking if your Android phone decided to save a screenshot at that moment), I just heard Androids having another security exploit right now I heard on Cnet Buzz Out Loud this week. Lets not forget windows and their weakness they've had for years dealing with their shortcut icons on windows tha was jus exploited.. So it's not Palms fault.. Takes hackers/security firms to find this so we can have a more secure OS.. Whatever OS we are using...
oh and bdubdrum your Shazaam comment was funny as hell
Thank you! :-)
how can i get a copy of this hack for my friends?
just keep your thumb on the mic at all time. And occasionally scream at the phone for a minute to pop those little bastards' ear drums.
Joke is on the hacker.
My battery would only last like 30 minutes instead of 6 hours.
pwnd.
Yeah, isn't it funny how a virus can install itself in milliseconds illegally in 20 different places on your system, and then it takes hours to remove it manually, laboriously breaking several Windows rules in order to do it.
Same with this stupid exploit.
Wow that's a cool exploit - I can picture this happening in a spy movie or TV show. It's actually a great idea.
The Dark Knight.
& Eagle Eye.
CSI Miami has the best use of that kind of hack/tech stuff
This is interesting. Last week my phone was periodically freaking out. It was acting as though the screen was being touched; seemingly randomly tapping, scrolling or maximizing cards.
A while back there was a similar issue with the volume that was related to the inductive back but was fixed. But even when I put the original back, it was still periodically going wild.
I've not seen this behavior since the latest update.
Is it possible the exploit also granted other control beyond just the mic? Or was what I was seeing just some other unrelated bug that also got fixed?
Problem with the exploit is that the user has to know you use webOS and also know your number. I'd say that if your friends aren't malicious you've got little to worry about this exploit.