NEWS FROM THE LAB - Tuesday, June 3, 2008

Symbian Jailbreak Posted by Jarno @ 18:32 GMT

A Spanish modder has developed an easy-to-use privilege escalation hack for Symbian S60 3rd Edition phones. The hack provides unlimited access to the phone's file system. With this access any number of modifications can be made.

Mobile modding is a very dynamic scene. See our recent Motorola Razr post — and of course Apple iPhone research has had a great deal of activity from the time of its introduction. Despite the diversity of platforms, mobile phone enthusiasts are drawn to popular hardware and are eager to unlock any restrictions that exist.

Hacks directed towards S60 3rd Edition have been evolving for a while now. A number of OS security enhancements were implemented between the 2nd and 3rd Editions of S60. One of the practical results of these enhancements was the prevention of malware for 3rd Edition phones. The OS is locked down and applications require a Symbian signature. It's essentially a whitelisting system and only "trusted applications" can be installed.

While this has a very practical benefit for regular consumers — it also tends to frustrate enthusiasts.

Late last year we tested a hack technique using Nokia's firmware update application. It ended up bricking one of our test phones and we needed to get it re-flashed. The hack wasn't very, shall we say, user friendly. And being difficult to use it never really took off.

Modification of firmware is both difficult and error prone. So modders began to look for easier targets that were more reliable.

Recent techniques used a new approach targeting Symbian's debugging interface, thus giving the modders full control without having to touch the device's firmware. Once a hacker has access to the debug controls, the device is completely under his control.

The first versions of this approach still required the use of a PC, took some time, and could only be carried out by someone who knew what he was doing. So from the security point of view this was rather harmless. It would never become popular with the average Joe.

But things moved on, and last week the steps were reduced to running a single SISX installation file. It works easily with no fuss. The SISX installation package contains a simple graphical application that removes the access restrictions of any application currently running on the device.

It makes modding an S60 phone as easy as jailbreaking an iPhone.

The privilege escalation is still not without side effects. After escalation the operating system is not able to start any new applications until the phone is rebooted. But whatever is running at the time has total control over the device.

So what does the future hold?

Will we see new malware for S60 3rd Edition phones? It's possible. Cabir, Commwarrior, or Beselo source code could be updated to work on 3rd Edition and with the addition of this privilege escalation they could do pretty much the same things as they do on 2nd Edition phones.

However — Nokia and Symbian have worked on more security features than just the platform security capabilities model. For example, S60 3rd Edition FP1's user interface was modified to prevent the simple social engineering tactics used by Cabir variants. So user interaction would still be required, and we think it would pose more of a social engineering challenge than on 2nd Edition phones.

More likely we'll see a small but growing subset of enthusiasts running homebrew applications… much as there is for the iPhone. Those willing to risk the security consequences will run free applications from developers who skip the expensive development cost of the Symbian signing process. Just like those who will skip Apple iPhone SDK applications, which require Apple's approval.