Security Experts 'Shocked' by Palm's WebOS Vulnerabilities


It's the last thing Palm needed to hear: The crown jewel in its family of assets, its WebOS operating system, is fraught with security vulnerabilities, according to mobile security consultancy Intrepidus which will release details of a year-long investigation early next week.

The firm's co-founder and Chief Technology Officer Aaron Higbee tells me he was "shocked" when he discovered how easy it was to hack Palm's WebOS, believing the company rushed its operating system to market at the expense of addressing fundamental security issues. "There is a problem with the architecture," says Higbee, who says the original security issues discovered have been addressed and resolved by Palm, but that once his firm's methodology is published, "researchers will re-apply our methods. Palm and WebOS vendors are gonna have a slew of problems disclosed to them."

I reached Palm for comment earlier this morning, and spokesperson Lynn Fox told me: "Security is very important to Palm. And we have a track record of quickly responding to reports of suspected vulnerabilities through our established reporting process. Our over-the-air updates allow us to seamlessly correct any vulnerabilities that Palm or the community identifies. We are unable to address vulnerabilities that are not responsibly reported to us, but are committed to working with any third parties who contact us." Beyond that, Palm won't comment on specific findings from Intrepidus until the study, and the firm's methodology, are released.

Intrepidus was contracted by an unnamed third-party software maker trying to create an application for the WebOS platform. The Intrepidus client asked for a security review of the platform so it could understand what measures might need to be taken in its app development.

"I was shocked," says Rajendra Umadas, an Intrepidus consultant who made the initial discovery. "When I first stumbled upon it, I stood back from the computer and thought to myself, 'I didn't just do that, did I?' So, I went out for some coffee, came back, I saw what I did and I was pretty shocked. It was too easy. It was definitely very shocking."

What he had discovered was that merely by sending a single SMS text message to a WebOS handset, he could essentially take over the entire device. The vulnerabilities allowed him to remotely dial 911 from a handset and lift contact lists. Because the WebOS operating system is essentially a mobile browser, it is susceptible to all the weaknesses conventional browsers have faced in the past, and that is what so surprised the Intrepidus team: Palm apparently had not taken steps to protect against threats that were already well known.
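The article describes the weakness only at the level of "a browser-based OS inheriting web app vulnerabilities, triggered by one inbound SMS." The following is an added example, not code from the article, from Palm or from Intrepidus, and it does not reproduce their finding. It assumes a messaging client that turns each inbound message into HTML markup, and shows the naive rendering beside a hardened one that escapes the untrusted text, plus a small audit check a defender could run over inbound messages to log or alert on bodies that contain markup. The message objects, phone numbers and the `constructedPayload()` name inside the sample body are all constructed placeholders.

```javascript
// Added example (not Palm's, Intrepidus' or the article's code): rendering
// untrusted SMS text in a web-based message view, vulnerable vs. hardened.

// Constructed sample inbox. The second body carries markup; a renderer that
// concatenates it straight into HTML would treat it as live content instead
// of displaying it as text. constructedPayload is a placeholder name.
const SAMPLE_MESSAGES = [
  { from: "+15550001111", body: "Running late, see you at 7 <3" },
  { from: "+15550002222", body: "<script>constructedPayload()</script>" },
];

// Vulnerable: message fields are interpolated directly into markup, so any
// tags in the body become part of the page the messaging view displays.
function renderVulnerable(msg) {
  return `<div class="sms" data-from="${msg.from}">${msg.body}</div>`;
}

// Escape the five characters that can change HTML structure or break out of
// an attribute value. Everything else is passed through unchanged.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: every untrusted field is escaped before it reaches markup, so the
// same body is shown literally instead of being parsed as HTML.
function renderHardened(msg) {
  return `<div class="sms" data-from="${escapeHtml(msg.from)}">${escapeHtml(msg.body)}</div>`;
}

// Detection aid: does the body contain something that parses as an HTML tag?
// Requires a letter after the optional "/" so that "<3" is not flagged.
const TAG_RE = /<\s*\/?\s*[a-zA-Z][^>]*>/;
function looksLikeMarkup(body) {
  return TAG_RE.test(String(body));
}

// Audit an inbox: hardened rendering for display plus a per-message flag
// suitable for a log line or an alert on the device or gateway side.
function auditMessages(messages) {
  return messages.map((m) => ({
    from: m.from,
    suspicious: looksLikeMarkup(m.body),
    rendered: renderHardened(m),
  }));
}

// Stand-alone demonstration: print the audit of the constructed inbox.
console.log(JSON.stringify(auditMessages(SAMPLE_MESSAGES), null, 2));
```

Escaping at the point where text meets markup is the fix; the `looksLikeMarkup` check is only a monitoring signal and must not be relied on as a filter, since it is a heuristic and the hardened renderer is already safe for any body.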

"Palm released this WebOS with prior knowledge that these web app vulnerabilities existed. They rushed it to market," says Higbee.

News of significant security problems comes at the worst possible time for Palm. There has been a flood of coverage recently that Palm has put itself up for sale, that smart phone maker HTC and computer powerhouse Lenovo are likely candidates, and that Motorola might also be in the running. Palm's dire financial straits stem from its inability to realize any real marketplace success for its Pre and Pixi smart phones. But just about every expert following this drama has pointed to the company's library of 400 patents and its WebOS operating system as crown jewels -- the key to Palm's true value -- for any potential suitor.

Kaufman Bros. estimates that Palm invested about $600 million into developing its Linux-based software. One of WebOS's top selling points was its instant ability to offer so-called multi-tasking, something Apple's iPhone only recently began to offer. Palm had always espoused the "information everywhere" mantra, aggregating data from all kinds of sources and making it available simultaneously on the handset.

Analysts I talked to say it is potentially a big problem for both Palm's corporate and consumer clients. Individual security threats crop up all the time; just ask the folks at Microsoft. But systemic architectural issues stretching across an entire platform could lead potential corporate clients to look for smart phone alternatives. And consumers, leery of any security threat they may not fully understand, may do the same, whether the issue has been corrected or not. One analyst told me that in the competitive world of smart phones today, "uncertainty sometimes becomes a bigger problem than the problem itself."

A platform vulnerability like this can also affect how, and how many, developers create for it. Nowadays, companies -- including Apple, Research in Motion and Google -- regularly tout how many "apps" have been developed for their phones. Apple's App Store, as an example, leads the industry with more than 185,000 apps available. Consumers and companies want as much choice as they can possibly get; and with Apple taking 30 percent of the revenue these apps generate, it can also become a significant revenue generator. Intrepidus' Higbee questions whether app creators will continue to develop for WebOS because of the added steps they'll need to take to protect their programs from security issues other platforms have already addressed.

"There's gonna be a huge amount of attention and extra work to address security issues and that can kill a platform," says Higbee.