Symbian Platform Security - hacked?
Well, 3:00am has already passed and I'm tired and sleepy. One thing doesn't let me sleep, though. I've just stumbled upon these articles (Exploring S60 with AllFiles and Goodbye S60 Platform Security, Hello CAPABILITIES!) and I can't believe my eyes: Platform Security hacked?!
Briefly, the method is as follows:
- Take a firmware update package (currently only Nokia's S60 phones are covered).
- Edit a well-isolated part of it: the software installation policy, which lists the capabilities (i.e. rights) that a user may grant to a third-party application at installation time. Remove existing capabilities, add new ones, whatever.
- Flash the modified package to the phone.
- Unpack a signed SIS (Symbian Installation) file.
- Add capabilities to it (whatever gives the application more power).
- Re-pack it and sign it again.
- Install it.
- The Software Installer will notice that the application is not properly signed for what it requests (i.e. it asks for more capabilities than its signature entitles it to), but because the edited policy now lists those capabilities as user-grantable, the user is in a position to grant the extra rights himself.
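To make the mechanism behind the steps above concrete, here is a small model of the installer's capability decision. This is an added example written for this post; it is neither the original author's code nor Symbian's real SWInstall implementation. The capability names are the 20 capabilities of Symbian OS 9, but the default user-grantable list, the assumption that a re-signed package counts as unsigned, and all function names (`decide`, `add_capabilities`, `edit_policy`, `demo`) are assumptions made for the illustration.

```python
from dataclasses import dataclass, replace

# The 20 capabilities of Symbian OS 9 Platform Security.
ALL_CAPS = frozenset({
    "TCB", "CommDD", "PowerMgmt", "MultimediaDD", "ReadDeviceData",
    "WriteDeviceData", "DRM", "TrustedUI", "ProtServ", "DiskAdmin",
    "NetworkControl", "AllFiles", "SwEvent", "NetworkServices",
    "LocalServices", "ReadUserData", "WriteUserData", "Location",
    "SurroundingsDD", "UserEnvironment",
})

# Assumption: the "basic" user-grantable set a stock policy ships with.
DEFAULT_USER_GRANTABLE = frozenset({
    "NetworkServices", "LocalServices", "ReadUserData",
    "WriteUserData", "Location", "UserEnvironment",
})


@dataclass(frozen=True)
class SisPackage:
    requested: frozenset       # capabilities the executables inside ask for
    signature_valid: bool      # does the signature still match the package bytes?
    signer_grants: frozenset   # capabilities the signer's certificate is trusted for


@dataclass(frozen=True)
class InstallPolicy:
    user_grantable: frozenset  # the list held in the firmware's policy data


def decide(pkg: SisPackage, policy: InstallPolicy):
    """Return (verdict, caps): 'install', 'prompt' (user may grant caps)
    or 'reject' (caps that nobody is allowed to grant)."""
    unknown = pkg.requested - ALL_CAPS
    if unknown:
        raise ValueError(f"unknown capabilities: {sorted(unknown)}")
    # A package whose signature does not verify is treated as unsigned:
    # the signer's entitlements count for nothing.
    trusted = pkg.signer_grants if pkg.signature_valid else frozenset()
    uncovered = pkg.requested - trusted
    if not uncovered:
        return "install", frozenset()
    not_grantable = uncovered - policy.user_grantable
    if not_grantable:
        return "reject", not_grantable
    return "prompt", uncovered


def add_capabilities(pkg: SisPackage, extra) -> SisPackage:
    """Model the unpack/re-pack step: the original signature no longer
    verifies, and re-signing with a self-made certificate grants nothing
    (assumption)."""
    return replace(pkg, requested=pkg.requested | frozenset(extra),
                   signature_valid=False, signer_grants=frozenset())


def edit_policy(policy: InstallPolicy, extra) -> InstallPolicy:
    """Model the firmware edit: extend the user-grantable list."""
    return InstallPolicy(policy.user_grantable | frozenset(extra))


def demo():
    stock = InstallPolicy(DEFAULT_USER_GRANTABLE)
    # Constructed sample: a properly signed application that uses the network.
    signed = SisPackage(requested=frozenset({"NetworkServices", "ReadUserData"}),
                        signature_valid=True,
                        signer_grants=frozenset({"NetworkServices", "ReadUserData"}))
    tampered = add_capabilities(signed, {"AllFiles"})
    return {
        "signed/stock": decide(signed, stock),
        "tampered/stock": decide(tampered, stock),
        "tampered/edited": decide(tampered, edit_policy(stock, {"AllFiles"})),
    }


if __name__ == "__main__":
    for name, (verdict, caps) in demo().items():
        print(f"{name:16} -> {verdict:8} {sorted(caps)}")
```

The point the model makes: the signature check itself is never defeated. The tampered package is correctly recognised as not signed for AllFiles and is rejected under the stock policy; only after the user-grantable list in the firmware has been extended does the same package get through with a prompt instead of a rejection. The installer's decision is exactly as trustworthy as the policy data it reads, and that data came out of a flash image the user was able to edit.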
Unfortunately, I can't prove or disprove whether this solution really works, since I haven't even updated my N95's firmware yet (shame on me!). However, this guy seems to know what he is talking about, and I sort of believe him.
In any case, if what he wrote happens to be true, then I have a few questions:
- Why on earth did Symbian publish such confidential information, which is useful solely to phone manufacturers? The documentation of the Software Installation Policy is a very internal thing, not anybody's business. As you can see, it's enough for one talented person to stumble upon that documentation and use it.
- Why is the firmware package in a format that anyone can edit locally on their own machine? Granted, it takes a low-level tool that very few people are familiar with, but it's still possible. Wouldn't it have made more sense to encrypt and sign the package so that
- it cannot be decrypted by third parties (well, not easily at least)
- it gets decrypted only on the target device, right before flashing?
- And even if that's not viable, why does the firmware package update the whole system, including its most critical parts? As you could see, one can change the software installation policy this way. Why not make it a two-step process:
- The user can download and flash a firmware package that updates the (vast) majority of the system but doesn't allow him to touch the critical parts.
- Those critical parts can either not be updated at all, or only at service points.
Tote
Update: a fellow Forum Nokia Champion of mine, Antony Pranata, wrote an article about the very same topic. I think it complements my post, in addition to confirming that the solution works. Worth reading.