Saturday, October 27, 2007

Symbian Platform Security - hacked?

Well, 3:00am has already passed and I'm tired and sleepy. One thing doesn't let me sleep, though. I've just stumbled upon these articles (Exploring S60 with AllFiles and Goodbye S60 Platform Security, Hello CAPABILITIES!) and I can't believe my eyes: Platform Security hacked?!

Briefly, the solution is as follows:

  • Take a firmware update package (currently supported only by Nokia for their S60 phones).
  • Edit a well-isolated part of it, where all those capabilities (i.e. rights) are listed that a user can grant to a 3rd party application upon installation. Remove existing capabilities, add new ones, whatever.
  • Flash it.
Now you have such a phone (software) that allows you to give so powerful rights to any 3rd party application that they can do basically anything on the device. For example, your program can access DRM-protected content (you've downloaded it once and share it with others), browse other applications' secret folders, etc. You just need to
  • Extract a signed SIS (Symbian Installation) file
  • Add rights to it (whatever gives them more power)
  • Re-pack & sign it again
  • And install it
  • Although the Software Installer will notice that the application was not properly signed (== acquires for more capabilities than it can normally have), the user will be in such a position that he can grant those extra rights.
Actually, this is the approach that the author of the aforementioned articles followed with regards to a very popular file browser application: he added AllFiles capability to the program so that he could explore the entire file system, which he hadn't been able to do until then.

Unfortunately, I can't prove or disprove whether this solution really works, since I haven't even updated my N95's firmware yet (shame on me!). However, this guy seems to know what he was talking about and I sort of a believe him.

In any case, if what he wrote happens to be true, then I have a few questions:
  • Why on earth did Symbian publish such a confidential information that is useful solely for phone manufacturers? You know, the documentation of Software Installation Policy is a very internal thing, not anyone's business. You can see that it's enough if one talented person stumbles upon that documentation and uses it.
  • Why is a firmware package in such a format that anyone can edit it? I mean, locally on their machine. Okay, with such a low-level tool that very few people are familiar with, but it's still possible. Wouldn't it have made more sense to encrypt and sign the package so that
    • it cannot be decrypted by 3rd parties (well, easily at least)
    • it gets decrypted only on the target device right before flashing?
You know, I'm not a security expert, so I might easily be suggesting a stupid thing, but if there's any chance to do it that way, I think it's definitely worth the effort.
  • But even if it's not viable, then why does the firmware package update the whole system including the most critical parts? You could see that one can change the software installation policy this way. Why not make a process consisting of two steps:
    • User can download and flash a firmware package that updates the (vast) majority of the system, but it doesn't allow him to touch the critical parts
    • Those critical parts can either NOT be updated at all or only at service points.
I just really don't know what I've expected from Platform Security, but I have a feeling that in my secret dreams I thought it was unbreakable (I know, I'm naive). Again, I'm still looking for confirmation as to whether this solution really works, but I'm afraid that I already feel the bitter taste in my mouth. You know, a system that Symbian is proud of, operators love (some developers hate:) and even competitors acknowledge shall not be attackable and even if a security hole is discovered it shall be closed quickly without any major impacts. Nevertheless, I think this problem can be solved - hopefully very easily. But as to injecting the fixed version on to old phones, it will just take another firmware update. :)

Tote

Update: another fellow Forum Nokia Champion of mine, Antony Pranata, wrote an article about the very same topic. I think it completes my post in addition to confirming that the solution works. Worth reading.

3 comments:

Anonymous said...

hi

why there is drm capability ? the nokia statement says that allfiles can not be given to file-explorers because of breaching drm security. i wonder why have drm and not protect drm content with this capability !

so i think the explanation of nokia regarding allfiles is not true !

buy

Gábor Török said...

AllFiles allows you to browse the entire file system, whereas DRM enables you to consume it. You know, DRM-protected content is encrypted and you can get the decrypted version (for playback, for example) only if you hold this capability. I think it makes sense to distinguish between these two rights.

Anonymous said...

Interesting blog Gabor. I was looking for some content on S-60 and found your blog.
In near future, i intend to write a blogpost on S-60 and will be quoting your blog link to my post. Keep blogging
Cheers
Vaibhav
Helping Laymen become Technology Enthusiast at http://technofriends.wordpress.com