Intrepidus Group, a security and risk company, found a flaw in Palm's WebOS. Because of the way SMS is implemented on the device, the researchers were able to send a specially crafted SMS message containing HTML set to execute commands.
When a customer shipped us our first PRE devices to test their application, we spent spare cycles exploring the rest of WebOS. Our initial impressions were quite positive. There was just so much to love: Linux underneath, the platform’s open nature, the user interface, and the hardware. However, the honeymoon ended abruptly once we started to explore WebOS’s security posture.
The security team was able to send SMS messages that would automatically open webpages and dial numbers to shut off the handset's radio. They say the attacks are possible because the OS is essentially a web browser written in JavaScript and HTML.
A note at the top of the page states the findings herein affect WebOS 1.3.5. Palm has since released WebOS 1.4, which fixes these vulnerabilities, though not all handsets or carriers are running this version. Due to contractual agreements, the public disclosure of this information was delayed.