Symbian OS
29 oct. 2007 - 09:25

Well, 3:00am has already passed and I'm tired and sleepy. One thing doesn't let me sleep, though. I've just stumbled upon these articles (Exploring S60 with AllFiles and Goodbye S60 Platform Security, Hello CAPABILITIES!) and I can't believe my eyes: Platform Security hacked?!

Briefly, the solution is as follows:

  • Take a firmware update package (currently supported only by Nokia for their S60 phones).
  • Edit a well-isolated part of it, where all those capabilities (i.e. rights) are listed that a user can grant to a 3rd party application upon installation. Remove existing capabilities, add new ones, whatever.
  • Flash it.
Now you have phone software that lets you grant any 3rd party application rights so powerful that it can do basically anything on the device. For example, your program can access DRM-protected content (you've downloaded it once and share it with others), browse other applications' secret folders, etc. You just need to
  • Extract a signed SIS (Symbian Installation) file
  • Add rights to it (whatever gives them more power)
  • Re-pack & sign it again
  • And install it
  • Although the Software Installer will notice that the application was not properly signed (i.e. it requests more capabilities than it could normally have), the user will be in a position to grant those extra rights.
Actually, this is the approach that the author of the aforementioned articles followed with regards to a very popular file browser application: he added AllFiles capability to the program so that he could explore the entire file system, which he hadn't been able to do until then.

Unfortunately, I can't prove or disprove whether this solution really works, since I haven't even updated my N95's firmware yet (shame on me!). However, this guy seems to know what he is talking about and I sort of believe him.

In any case, if what he wrote happens to be true, then I have a few questions:

  • Why on earth did Symbian publish such confidential information that is useful solely to phone manufacturers? You know, the documentation of the Software Installation Policy is a very internal thing, not anyone's business. You can see that it's enough if one talented person stumbles upon that documentation and uses it.
  • Why is a firmware package in such a format that anyone can edit it? I mean, locally on their machine. Okay, with a low-level tool that very few people are familiar with, but it's still possible. Wouldn't it have made more sense to encrypt and sign the package so that
    • it cannot be decrypted by 3rd parties (well, not easily at least)
    • it gets decrypted only on the target device, right before flashing?
  You know, I'm not a security expert, so I might easily be suggesting a stupid thing, but if there's any chance to do it that way, I think it's definitely worth the effort.

  • But even if it's not viable, then why does the firmware package update the whole system including the most critical parts? You could see that one can change the software installation policy this way. Why not make a process consisting of two steps:
    • The user can download and flash a firmware package that updates the (vast) majority of the system, but it doesn't allow him to touch the critical parts
    • Those critical parts can either NOT be updated at all, or only at service points.
I just really don't know what I expected from Platform Security, but I have a feeling that in my secret dreams I thought it was unbreakable (I know, I'm naive). Again, I'm still looking for confirmation as to whether this solution really works, but I'm afraid that I already feel the bitter taste in my mouth. You know, a system that Symbian is proud of, operators love (some developers hate :) ) and even competitors acknowledge shall not be attackable, and even if a security hole is discovered it shall be closed quickly without any major impact. Nevertheless, I think this problem can be solved - hopefully very easily. But as to injecting the fixed version onto old phones, it will just take another firmware update. :)


From mobile-thoughts.blogspot.com


Tote

Review posted October 29th, 2007 by tote

Submitted by paul on Mon, 2007-10-29 11:05.

There was a very similar problem with the first Windows Smartphone models (SPVs) - there was a provisioning file in the root that specified the security model and this could be updated in the ROM image on the PC, then reflashed.

Certainly sounds plausible.


Submitted by alh on Mon, 2007-10-29 11:25.

At least you have to modify your phone firmware to do this, so it isn't really much more useful than a DevCert, which also grants you any capabilities for a given phone.
And it also does not mean a security breach that could be used by a malicious attacker.


Submitted by tote on Mon, 2007-10-29 11:56.

Well, you can't grant any capabilities with your DevCert, unless you have a (VeriSign) Publisher ID that enables you to do so. You know, the most powerful capabilities are still phone manufacturer dependent. On the other hand, as I'm sure you know Symbian signing will change considerably: you can't have a DevCert w/o (TrustCenter) Publisher ID. In other words, for a hacked firmware package you don't have to be "traceable", for a new DevCert you do.

And I'm unsure if it's a local problem, either. I haven't updated the firmware of my phone, so my assumption can be very easily wrong, but: can I hack a firmware update package (say, for N95) and then make it downloadable for others?


Submitted by twmd on Wed, 2007-10-31 21:17.

It's a failing in Nokia's firmware update format which will be addressed quickly no doubt now that it's public.
It doesn't break the capability model.

No technology solution to security will ever be 100% secure because there are humans involved in the chain. An ex-Nokia employee who is familiar with the flashing mechanism could also "turn bad".

Hacks like this are not mainstream problems for the casual user. But they totally undermine the use of platsec for enforcing DRM.
I can now write some code which will stream the PCM audio from a DRM codec into a file and then dump it as an MP3 yay!


Submitted by alh on Mon, 2007-10-29 16:04.

Yes, it is indeed bad, of course a malicious person could hand out patched updates...

One immediately asks: even if they don't encrypt the flash image data as suggested, shouldn't they at least have a signed checksum? Or any checksum?
From the description, it seems there is no such check... not even an unsigned checksum.
I should be able to use this for a lot more advanced hacks than just changing installer settings.

Even the flash updates to my old calculator have signed checksums...

Edit: There seems to be some checks, judging from the comments with people who have turned their N-phones into bricks...
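The post above proposes signing (and encrypting) the update package, and alh's comment asks whether even a signed checksum is present. The following is an added example, not code from the blog post, from NewLC or from Nokia, and it does not model any real Nokia firmware format: it builds a constructed image with a small "installer policy" region, seals it once with a plain SHA-256 trailer and once with a keyed tag, and shows the device-side decision each scheme makes after the policy region has been swapped. An HMAC stands in for the manufacturer's signature because only the accept/reject decision matters here; a real design would use an asymmetric signature checked against a public key fixed in the device. All names, the `FWIM` magic, the key and the policy strings are constructed for the demo.

```python
"""Why an unsigned checksum cannot protect a firmware update's policy region.

Constructed model, not a real firmware format. Layout of one image:
    magic(4) | policy_len (big-endian u32) | installer policy | rest of image
followed by a 32-byte trailer that is either a plain SHA-256 (scheme A) or
an HMAC-SHA256 under a key the device trusts (scheme B, standing in for a
manufacturer signature verified with a device-held public key).
"""
import hashlib
import hmac
import struct

MAGIC = b"FWIM"                       # constructed magic, not Nokia's
TAG_LEN = hashlib.sha256().digest_size
MANUFACTURER_KEY = b"constructed-demo-key"   # constructed; never a real key


def build_image(policy: bytes, payload: bytes) -> bytes:
    """Serialise policy region + payload behind the header."""
    return MAGIC + struct.pack(">I", len(policy)) + policy + payload


def split_image(image: bytes):
    """Parse an unsealed image back into (policy, payload)."""
    if image[:4] != MAGIC:
        raise ValueError("bad magic")
    (plen,) = struct.unpack(">I", image[4:8])
    return image[8:8 + plen], image[8 + plen:]


# Scheme A: plain checksum trailer. Detects accidental corruption only,
# because anyone who can edit the image can recompute it.
def seal_with_checksum(image: bytes) -> bytes:
    return image + hashlib.sha256(image).digest()


def accept_with_checksum(blob: bytes) -> bool:
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    return hmac.compare_digest(hashlib.sha256(body).digest(), tag)


# Scheme B: keyed tag over the same bytes. Recomputing it needs the key
# (or, with a real signature, the manufacturer's private key).
def seal_with_mac(image: bytes) -> bytes:
    return image + hmac.new(MANUFACTURER_KEY, image, hashlib.sha256).digest()


def accept_with_mac(blob: bytes) -> bool:
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(MANUFACTURER_KEY, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def reseal_policy(sealed: bytes, new_policy: bytes) -> bytes:
    """Model the edit described in the post: replace the policy region of a
    sealed image, then append the only trailer an outsider can compute,
    the unkeyed checksum."""
    _, payload = split_image(sealed[:-TAG_LEN])
    return seal_with_checksum(build_image(new_policy, payload))


def run_demo() -> dict:
    """Seal one constructed image both ways and report each device-side
    decision for the genuine and the policy-swapped image."""
    genuine_policy = b"USER_GRANTABLE=LocalServices,UserEnvironment"  # constructed
    altered_policy = b"USER_GRANTABLE=AllFiles,TCB,DRM"               # constructed
    payload = b"\x00" * 64   # constructed stand-in for the rest of the ROM image

    image = build_image(genuine_policy, payload)
    checksum_blob = seal_with_checksum(image)
    mac_blob = seal_with_mac(image)

    altered_checksum_blob = reseal_policy(checksum_blob, altered_policy)
    altered_mac_blob = reseal_policy(mac_blob, altered_policy)

    return {
        "genuine_accepted_by_checksum": accept_with_checksum(checksum_blob),
        "genuine_accepted_by_mac": accept_with_mac(mac_blob),
        # Scheme A accepts the swapped policy: the trailer was simply recomputed.
        "altered_accepted_by_checksum": accept_with_checksum(altered_checksum_blob),
        # Scheme B rejects it: the trailer no longer matches under the device key.
        "altered_accepted_by_mac": accept_with_mac(altered_mac_blob),
        "policy_a_checksum_device_would_install": split_image(
            altered_checksum_blob[:-TAG_LEN])[0],
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value!r}")
```

The point the comment thread circles around falls out of the last two results: a checksum-only flasher installs the swapped policy, while the keyed check refuses the same bytes. Encrypting the package, as the post suggests, would additionally hide the policy region from offline inspection, but it is the keyed or signed integrity check that stops a modified image from being accepted.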


Submitted by wl on Wed, 2007-10-31 11:27.

btw, the same was done for UIQ3 a long time ago:
http://www.seuniverse.com/forums/thread9850.html


Submitted by tote on Wed, 2007-10-31 13:43.

Wow, they're selling the hack, that's amusing! :) Or not? :-/


Submitted by wl on Wed, 2007-10-31 13:55.

Not exactly, the davinci team flashes (and unlocks) FW for almost any Sony Ericsson phone. Hacked FW for UIQ3 is just one of the options.


Submitted by free_f9999 on Sat, 2007-11-03 22:37.

Hi! To my mind you need not to hack symbian. Just throw away this slow and stupid operational system and buy linux or windows communicator, like ASUS P535 etc.


Submitted by tote on Sat, 2007-11-03 23:11.

Yep, you're right! Having read your comment I think I'll forget all those joyful years that I've spent with Symbian development and change to other, better operational (sic!) systems. Damn, why does such an idiot, who doesn't even know what he's talking about, comment on an article? :-/


Submitted by eric on Sun, 2007-11-04 20:22.

Can you name just one good and reliable smartphone running Linux? (Not a feature phone running Java apps only, not a developer preview model, just a smartphone for the average user.)

And considering that Windows Mobile is fast compared to Symbian OS is probably just a joke (Or we never used the same phone - but I admit that I don't know the P535 - which can be fast it has a 520MHz processor in it....).


Submitted by free_f9999 on Mon, 2007-11-05 00:02.

Hi, Eric! "name just one good ... Linux" It is boring. I think you are clever enough to google it. But if you wish, look at wiki.xda-developers.com for example. I am not going to compare Symbian and Microsoft phones. I just remember words from one user. After inserting a 2 GB card, phones freeze for a time. The user said that it is faster and cheaper to use a P535 with a 4 GB card. For me, Symbian is not the best, and now certificates do not let programmers make it better.
I think it will be like Sun Microsystems and Solaris. After losing everything, they will open Symbian, but it will be too late.
By the way, I was a Symbian developer for 3 years (3650 (my own old phone), 6600, P800, 6630...). I remember a lot of bugs and disadvantages of Symbian. I used your site too, it was very useful. But now I stop any Symbian development and begin to learn Windows and Linux mobile. You can do whatever you want, remove my comment for example. It is up to you.


Submitted by alh on Mon, 2007-11-05 09:25.

And.. the smart developer develops for whatever phone system sells at the moment, and doesn't lock himself to one system...
Right now it is still quite easy to decide which smartphone system to put the most focus on, though.
Check the numbers for Symbian phones vs Windows Mobile and Linux...

But of course, never forget to keep your eye on the horizon....

But all this "this system is better than that" is mostly amusing for anyone with some insight into the business...



copyright 2003-2009 NewLC SARL