Another hack for Symbian Platform Security
One of my articles that has gained lots of attention was written about hacking Symbian Platform Security. Although it turned out that reproducing the workaround found by Symbiaali is laborious, requires strong technical knowledge and its widespread use is very unlikely, it clearly showed me that people were interested in this topic.
Today I found another post at Symbian Freak that describes just another way to turn the Symbian operating system's well-known permission checking feature off. Although I don't agree with the title of the article (good-bye?? S60??), I think at least it's worth a few words.
What is this crack about? How can we cheat Platform Security capability checking so that it does not care if our program really has the capability being checked or not? Well, in a very special way:
- Take a development environment for Symbian, like CodeWarrior Pro or Carbide.C++ Pro. Please note that you will need the ability of on-device debugging, that's why CodeWarrior Personal/Carbide.C++ Expert is not enough. I'm unsure if Carbide.C++ Developer Edition was enough (this is between Expert and Professional), but I doubt that. More on this later.
- Prepare everything for on-device debugging (connect phone to PC, install MetroTRK to phone, etc.).
- Start any program from within the development environment (aka IDE) in debug mode.
- Change some bits in the kernel stack responsible for security enforcement. This is the most critical place, where you can really turn everything upside-down. And since you can do that, I believe it's Carbide.C++ Professional Edition that you need and not Developer - the latter is less expensive, but in turn it provides only on-device application debugging in contrast with Pro's system debugging.
- Voilà, we're done - we have access basically to anything.
- The crack is temporary, since everything is done in RAM.
- Required tools are expensive: CW Pro was available at ~$1.700 (the product is discontinued and cannot be bought officially), Carbide.C++ Pro can be purchased for $1.300.
- Break is limited to one device.
- Proved to work only on Nokia N80, on other "hotter" devices (like the N95) it does not work or at least nobody has been able to make it work so far.
What kind of damage can a cracker still do?
- Explore file system, discover what is stored where and how (as if you had AllFiles and/or TCB capability) and exploit it.
- Access to DRM-protected content (as if you had DRM capability). This might be more dangerous as you can download e.g. DRMed music once and sell it multiple times later on.
What do you think?
Tote

Re: Another hack for Symbian Platform Security
The title of that posting is totally ridiculous.
Surely the point of platform security is to protect an unsuspecting phone user from malicious software. If the owner of the phone is able, via a convoluted process, to make their own phone less secure, then to me that is not a hole in platform security.
Re: Another hack for Symbian Platform Security
A superb method to catch the eye. I very much agree with Numpty's comments above. It is simply a ridiculous article in Symbian Freak about saying good-bye to S60.
Anyway, Symbian platform security is a superb way to keep our phone secure unless the user wants to destroy it himself.
Re: Another hack for Symbian Platform Security
Pretty natural, I would say. The recent troubles with Symbian Signed, impossible-to-get developer certificates, etc., must have gotten the attention of some hackers, because suddenly there is a little fame to win for the one who cracks Platform Security, where before there was only a vast plain of boringness, uninteresting for the average hacker, and they played elsewhere, e.g. hacking the iPhone again and again after each firmware update.
I have seen things where a hacker modified the kernel of one of his Linux smartphones and emulated some ARM commands that his older CPU does not implement but that Android needs, just to be able to run said Android on his device. Attract people like this to Symbian PlatSec, and it won't hold long.