Black Hat 2013 session to discuss BlackBerry 10 OS from a security perspective

By Bla1ze on 18 Jun 2013 09:34 pm EDT

If you're genuinely interested in how effective BlackBerry 10 security is, then you'll most certainly be interested in checking out the upcoming Black Hat US 2013 conference, being held in Las Vegas July 27th - August 1st. At the event there will be a briefing by Ralf-Philipp Weinmann, a research associate at the Interdisciplinary Centre for Security, Reliability and Trust (SnT) of the University of Luxembourg. As noted on the Black Hat 2013 site, his briefing will cover BlackBerry 10 from a security perspective:

BlackBerry prides itself on being a strong contender in the field of secure mobile platforms. While traditionally BlackBerryOS was based on a proprietary RTOS with a JVM propped on top, the architecture was completely overhauled with BlackBerryOS 10. Now the base operating system is the formerly off-the-shelf RTOS QNX, which doesn't exactly have an excellent security track record. Moreover, for the first time in BBOS history, native code applications are allowed on the platform.

This talk will present an analysis of the attack surface of BBOS 10, considering both ways to escalate privileges locally and routes for remote entry. Moreover, since exploitation is only half the work of offense, we'll show ways for rootkits to persist on the device. Last but not least we will settle whether BlackBerry Balance really holds what it promises: are mobile devices really ready to securely separate crucial business data from Angry Birds?

With all that has been happening recently with the NSA leaks and further questioning of BlackBerry security, it would certainly be an interesting session to take in. It's one I'm sure the BlackBerry Security Incident Response Team will be paying attention to as well.

Aside from BlackBerry 10, there will also be briefings on Android and iOS and the security exploits that exist for those systems. If you're looking to learn more about the Black Hat 2013 conference, you can hit the link below to be taken directly to the conference website.

Learn more about Black Hat 2013

Reader comments

Very interesting. Definitely curious to hear more.

@Bla1ze: typo in the title! "Seesion"

This is how you CB10, son!

Everyone should be paying attention to this. Every business relies on BB for its security. Black Hat never fails to show flaws though...

Also talking about security exploits on Apple and Android? Does the conference have the hall booked for a week? Too many to mention in one day lmao!

Posted via CB10

July 27th - August 1st is more than one day. Still might not be enough time though.

Posted via CB10

No system is perfect. But if black hat reveals ios and android to be just as or more secure I wonder how that would pan out for BlackBerry.

Posted via CB10

You'd see significant stock drops, nobody wanting to buy, major OS underpinnings reworked to bolster security. Marketing to state that change and highlight hiring specifically on that at all levels of engineering, more $$ into showing reliability (which has not been good during the transition), a BOKF statement from the CEO, maybe even a shuffling of the board to show these adjustments.

Then we'd see ads about craftsmanship to bolster the other two efforts. Major ads on NOC as well - as a sales tool really.

Posted via CB10

Don't think that's gonna happen too soon. I think you will find the gap closing, yes, but to say that the Swiss cheese that is Android will trump BlackBerry is a stretch.

From the Zed of Rockivy

Wow, this will definitely be something to tune in to! No system is perfect, but I hope this doesn't impact BlackBerry in a negative way - impossible, I know.

Posted via CB10

This is going to be good.. hopefully everyone jumps on board to BlackBerry 10.. security, security, security!!!

Posted via CB10

Hmmmm....Vegas you say?
I mean....sure I'd like to check out Black Hat!

Posted via CB10 on a sexy Z10

BlackBerry has been the top company in mobile security for the past decade. I'm sure they knew these types of tests were coming, especially when you have the most secure areas of the government using your phone.

Posted via CB10

Seems CVE stopped tracking QNX at some point, since there are some vulnerabilities missing, like the one which allows people to root a PlayBook.

Any OS can be compromised if you are patient enough and have time. You could get owned on the old BlackBerry OS too if you installed malware. BB 10 is a young OS that will be maturing and only improve.

Posted via CB10

Since when was legacy BBOS an RTOS?!

First it was C++ based, then built on CLDC using modified JSRs from J2ME. Not an RTOS.

Posted via CB10

Hmm, I get the feeling that this conference will highlight the browser as the weakest point for BB10; since it's pure HTML5 code, it has access to so many things. Am I wrong?!

Posted via CB10

This will be interesting. I'll be watching closely. Let the best mobile security prevail.

I bought a BlackBerry device based on security and UI; it's because I trust BlackBerry for handling my money, e.g. online banking, NFC payments, etc., etc.

Posted via CB10

QNX doesn't have a good track record?

That has to be false. Has to be. I mean...come on. Why would BlackBerry choose it and build from the ground up with it otherwise?

QNX has to be secure. It is used for so many secure things. That sounds like hogwash to me. Can anyone explain what they are talking about or referring to?

QNX was typically used in protected environments. How many people connected their cars to the public network (until recently that is)?

QNX is a Unix-type OS and therefore as likely to be exploited as any other Unix-type OS (e.g. Android).

You can always add a firewall or security layer to any OS. With BlackBerry it's probably second nature vs. the design of the Android and iPhone systems. How many people does BlackBerry have who understand security? One person is not enough. Not enough eyes.

Posted via CB10

Sorry guys, QNX has nothing to do with UNIX (this is misrepresented almost everywhere except in official QNX documentation). The only thing it has in common with UNIX is that they are both POSIX compliant which means they are able to share code bases.

If you don't believe me, check out the QNX Architecture Guide on their site or do a Google search for it.

Google has already paid this guy over $30,000 for reported exploits. Maybe BlackBerry needs to do the same (if they're not already).

However, there are different degrees of hacking. It's one thing to be able to take control of someone's phone remotely without them knowing it. Quite another to root a phone that you already own. Though in this case the guy seems to be indicating both may be possible.

I hope they reveal lots of security vulnerabilities in OS10, because so far I prefer the BBOS permission settings to those of OS10.

I don't want headless apps getting in before I have control over which apps I allow to connect to the internet. I want to see some indication when my device is sending or receiving data (like in BBOS, the arrow in the corner that shows when something on my device is connecting to the internet). I want to see more details in the permission settings; at least make them like the settings in BBOS.

I want more control over the permission settings on my device. I don't want other people to be able to do what they want on my device. A free app is not an excuse to take control of my device.

Posted via CB10

BlackBerry is the most secure, hands down. Against the competition that's not hard, though. I think the current scandal has rocketed the importance of this subject, and we need strong statements from BlackBerry on warrant-based handovers. Many people are feeling vulnerable right now and are looking for sanity and privacy.

Posted via CB10

This will be a very interesting conference, indeed.
I still feel BlackBerry is the most secure phone available in the US. I feel OS 10 is stable and secure like the BBs of the past. My company uses BlackBerrys for this reason.
BlackBerry by choice, BlackBerry for life.....

Posted via CB10

Since this is an old thread, I will just try to add my 2 cents. I attended this talk and it was not very informative. Most of the things he spoke about were well known; the rest was fluff to fill out his time. The real meaty topics were QUIP, the lack of heap hardening protection, SSHing in remotely, and defining the BB10 security position as the concept of least privilege.