After passing through a number of hurdles, I put together a whitepaper documenting vulnerabilities that I found in the operating system and various security risks of the platform. The whitepaper was originally posted on the NCC Group research page (this is just another repost). There are a couple of interesting bugs documented in the paper, including details on how I chained together an HTML injection vulnerability, a CSP bypass, and an over-permissioned application in order to gain root-level access on one device.

“KaiOS is a mobile operating system, forked from the discontinued Firefox OS, in which all the mobile applications running on a KaiOS-based mobile device are built using web technologies, such as HTML, JavaScript, and CSS. In this independent research project, we demonstrate that six of the pre-installed mobile applications are vulnerable to remote, and local, HTML injection attacks, which when combined with bypasses in the Content Security Policy can result in the abuse of privileged JavaScript APIs resulting in remote file disclosure or local privilege escalation. Additionally, we explore the security implications of both documented and undocumented JavaScript APIs in the platform and general security risks of the mobile platform.”
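Because every KaiOS app is a web page, the two root causes the abstract names (HTML injection and a weak Content Security Policy) are ordinary web-app defects. The following is an added illustration, not code from the whitepaper or from KaiOS itself: it shows a rendering function that concatenates an untrusted string into markup beside its escaped counterpart, a small check that spots injected elements in the rendered output, and a reviewer helper that flags `script-src` values which defeat the policy. The sample input, the function names, and the list of weak source expressions are my own assumptions; it runs under plain Node without a DOM.

```javascript
// Added example (not from the whitepaper or KaiOS): the HTML injection
// and CSP weaknesses described above, shown as a vulnerable pattern, its
// hardened form, and a policy review helper. Runs under Node; no DOM needed.

// Constructed sample: an attacker-controlled string such as a contact name
// or message sender field that a pre-installed app might render.
const UNTRUSTED_NAME = '<img src=x onerror="alert(1)">Alice';

// Vulnerable pattern: the untrusted value is concatenated straight into
// markup, so any tag it contains becomes part of the app's DOM.
function renderUnsafe(name) {
  return '<div class="contact">' + name + '</div>';
}

// Hardened pattern: escape the five HTML-significant characters first, so
// the value can only ever be displayed as text.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderSafe(name) {
  return '<div class="contact">' + escapeHtml(name) + '</div>';
}

// Detection helper for tests or log review: the template only ever emits
// <div> and </div>, so any other '<' in the output came from the input.
function containsInjectedMarkup(html) {
  return /<(?!\/?div\b)/i.test(html);
}

// Minimal CSP parser: "directive value value; directive value" -> object.
function parseCsp(header) {
  const out = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) out[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return out;
}

// Flag script sources that make the policy trivially bypassable. The set of
// weak expressions here is an assumption chosen for the example, not a
// statement about KaiOS's actual policy.
const WEAK_SCRIPT_SOURCES = new Set([
  "'unsafe-inline'", "'unsafe-eval'", '*', 'data:', 'blob:', 'filesystem:',
]);
function weakScriptSources(header) {
  const policy = parseCsp(header);
  const sources = policy['script-src'] || policy['default-src'];
  if (!sources) return ['(no script-src or default-src: scripts unrestricted)'];
  return sources.filter((s) => WEAK_SCRIPT_SOURCES.has(s.toLowerCase()));
}

// Stand-alone demonstration.
console.log('unsafe :', renderUnsafe(UNTRUSTED_NAME),
            '-> injected?', containsInjectedMarkup(renderUnsafe(UNTRUSTED_NAME)));
console.log('safe   :', renderSafe(UNTRUSTED_NAME),
            '-> injected?', containsInjectedMarkup(renderSafe(UNTRUSTED_NAME)));
console.log('weak CSP sources:',
            weakScriptSources("default-src 'self'; script-src 'self' 'unsafe-inline' data:"));
```

The `weakScriptSources` helper is useful when auditing a set of pre-installed apps: run it over each app's declared policy and treat any non-empty result as a finding, since an app that already has an injection bug is only one weak source expression away from script execution in its own privileged origin.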

Exploring the Security of KaiOS Mobile Apps