According to mobile security consultancy Intrepidus, webOS is “fraught with security vulnerabilities” and will release details of a year long investigation next week. Since the release of the Palm Pre, Palm has been responsive to security issues, with a number of webOS updates addressing security issues. Intrepidus CTO Aaron Higbee used the word “shocking” when discussing how easy it was to hack Palm’s webOS.
“There is a problem with the architecture,” says Higbee, who says the original security issues discovered have been addressed and resolved by Palm, but that once his firm’s methodology is published, “researchers will re-apply our methods. Palm and WebOS vendors are gonna have a slew of problems disclosed to them.”
Palm’s Lynn Fox responded to the report saying, “Security is very important to Palm And we have a track record of quickly responding to reports of suspected vulnerabilities through our established reporting process. Our over-the-air updates allow us to seamlessly correct any vulnerabilities that Palm or the community identifies. We are unable to address vulnerabilities that are not responsibly reported to us, but are committed to working with any third parties who contact us.”
Intrepidus was contracted by an unnamed third party app developer who asked for a security review of the platform. It’s not clear why the report has taken close to a year, but we’ll be sure to find out the details when released next week.
“I was shocked,” says Rajendra Umadas, an Intrepidus consultant who made the initial discovery. “When I first stumbled upon it, I stood back from the computer and thought to myself, ‘I didn’t just do that, did I?’ So, I went out for some coffee, came back, I saw what I did and I was pretty shocked. It was too easy. It was definitely very shocking.”
According to Umadas, he found that sending a single SMS message, he could take over the entire device. “Palm released this WebOS with prior knowledge that these web app vulnerabilities existed. They rushed it to market,” says Higbee.The news comes via a CNBC report. As soon as we get further info, we’ll pass it along.
If all the bugs of 1.3.5 were fixed with 1.4 IMO it was not smart to post this info by CNBC and just when Palm is about to launch Pre Plus and Pixi plus with 3 carriers, O2, Vodafone and SFR.
Who wants to make evil damage to Palm at this time, with old news, already not happening anymore.