Security on Symbian mobiles: Early signs of crumbling
Symbian, found in many mobile phones, especially those from Nokia, is one of the most widely used mobile operating systems and has now been in use for more than ten years. It continues to be viewed as a very secure operating system, with special security functions and a certification system which help to ensure that only signed code can run with high privileges. Anti-virus vendors occasionally report new malware capable of running on the Symbian platform, but so far none have managed to spread widely.
At the recent Pwn2Own 2009 security contest, none of the competitors succeeded in hacking a Symbian mobile. The only security problem of real consequence has been the curse-of-silence vulnerability, in which a crafted text message blocks reception of further texts. One reason for the scarcity of known vulnerabilities is that undertaking security analysis of Symbian systems is very time-consuming for independent specialists, not least because of the limited availability of suitable tools and documentation. Nonetheless, crashing applications suggest that there isn't a lack of vulnerabilities for Symbian.
In a paper entitled "From 0 to 0Day on Symbian", security specialist Bernhard Müller from SEC Consult has described ways of finding vulnerabilities in Symbian and Symbian applications and demonstrated options for exploiting them. The object of his analysis was a Nokia N96 with Symbian S60 (3rd), from which he read and carried out statistical analysis on the content of the ROM. The ROM contained a total of almost 3,300 DLLs and other executable files, which pointed to the presence of vulnerabilities. There were, for example, multiple calls to unsafe string functions such as strcpy and sprintf in many Symbian applications implemented in C and OpenC.
He also looked at processes dynamically, using the IDA Pro debugger and disassembler, although this latter analysis required a system hack in order to get around mechanisms for protecting system processes at runtime. Müller also wrote a fuzzing tool to trip up the Nokia-Symbian mobile's built-in multimedia codecs using error-laden files and to analyse the errors. In one case he did eventually succeed in manipulating one of the ARM processor's registers by passing a crafted file to an application. This can reportedly be exploited to deflect the program counter to foreign code.
Nonetheless, Müller does not present any complete exploits, as usable exploit techniques and shellcodes remain unavailable. Müller has told heise Security (The H's associated publication in Germany) that more research is required before targeted attacks or worms become a genuine risk. His paper does, however, show that the kinds of security vulnerability known from desktop systems are also present and can be uncovered on widely used Symbian smartphones once 'security through obscurity' measures are disabled.
It will be interesting to see how this story develops up to the end of this year, with Nokia, which owns Symbian, aiming to make Symbian open source via the Symbian Foundation – something which will make analysis substantially easier, for good as well as nefarious analysts. This may see the long-predicted increase in attacks on mobiles finally come to pass, with the effort and benefits for criminals finally reaching an acceptable ratio.
Criminals could, for example, use infected mobiles to call premium rate numbers or sniff out confidential data – this would also make mobiles as a secure platform for online banking, such as the German mTAN system, obsolete. Even mobile-based botnets – something the renowned Georgia Institute of Technology has predicted will be seen this year – would become conceivable.
More details can be found in in the "From 0 to 0Day on Symbian" whitepaper from SEC Consult.
- Pwn2Own 2009 ends: Smartphones & Chrome unbroken, a report from The H.
- Nokia releases "Curse of Silence" SMS cure, a report from The H.
- Symbian trojan steals money from mobile accounts, a report from The H.
- Experts predict botnets will spread to mobile devices in 2009, a report from The H.
- Warning of vulnerability in Symbian S60, a report from The H.