News & Rumors

New malware exploits USB, but isn't really that scary

Special Coverage

Hands-on with Secusmart voice encryption

News & Rumors

BlackBerry acquires mobile security company Secusmart

News & Rumors

Blackphone fires back: 'BlackBerry betrayed its customers and jettisoned its credibility'

News & Rumors

BlackBerry discusses Blackphone and why its consumer-grade privacy is inadequate for businesses

News & Rumors

UK government set to rush through emergency surveillance legislation

News & Rumors

UK officials follow US counterparts by banning electronics with no charge from boarding flights

Editorial

Using strong passwords and keeping your online self secure

News & Rumors

First smartphone 'kill switch' bill in the US passed by… Minnesota

News & Rumors

BlackBerry kicks off security-focused Be Mobile Conference

News & Rumors

Bitly alerts users of widespread account compromises, claims no accounts have been accessed

Enterprise

BlackBerry earns two Govie Awards for outstanding security

From the Forums...

Research In Motion vs. BlackBerry - Which name is better?

Enterprise

BlackBerry CEO says Good is not good enough when it comes to security

BlackBerry Apps

BlackBerry tightens up on app security with BlackBerry Guardian and Trend Micro

Enterprise

BlackBerry issues statement on Air Force switch: 'There is nothing more secure than a BlackBerry'

Editorial

Despite growing security concerns, President Barack Obama stills trusts his BlackBerry

BlackBerry Apps

Your WhatsApp conversations may not be as safe as you think

Enterprise

BlackBerry 10 Receives NATO Approval for Restricted Communications

BlackBerry OS

Report claims NSA can access data on BlackBerry, Android and iOS devices

< >

BlackBerry security breached at Pwn2Own 2011

By Bla1ze on 10 Mar 2011 08:32 pm EST
0
loading...
0
loading...
78
loading...
BlackBerry security breached at Pwn2Own 2011

This year's Pwn2Own event is well underway in Vancouver. The yearly event takes the best White hat hackers and challenges them to exploit computers and operating systems so that their vulnerabilities may be shared with the owners of those operating systems in an effort to make them more secure. In previous years, Research In Motion has stood its ground but this year results are now in for BlackBerry. The news however, isn't the best. This year, a BlackBerry Torch running OS 6.0.0.246 was successfully exploited using the long awaited WebKit browser. The browser exploit allowed Vincenzo Iozzo, Willem Pinckaers and Ralf Philipp Weinmann to gain access to all contact information as well as the image database. Research In Motion's director of security, Adrian Stone was on hand to confirm the exploit and made the following statements about it:

“It happens. It’s not what you want but there’s no such thing as zero code defects,” in addition to that statement Stone also advised that RIM's security team would analyze the date to see if it was a true zero-day flaw and if so, then a fix would created and then rolled out to carrier partners so that end-users get it. This situation of course assumes that it hasn't already been fixed in a later revised OS. But that could not be confirmed at the time.

Given that Research In Motion doesn't use any underlying security in its OS such as ASLR or DEP and others do, it is something that Research In Motion is looking to be adding at a later time. When asked about the security within BlackBerry devices Vicenzo Izzo noted “The advantage for BlackBerry is the obscurity. It makes it a bit harder to attack a system if you don’t have documentation and information," which leads into the fact that WebKit while Open Source, is an Apple derived product with lots of detailed information about it being available to all.

Source: ZDNet

22 comments

Reader comments

BlackBerry security breached at Pwn2Own 2011

22 Comments
Sort by Rating

Prepare onslaught of Android fanboys saying that now Android is 112393129849287389724879598798724389752987x more secure than BlackBerry...

typical, one thing apple based and it all goes downhill lol.

so if its a webkit exploit would it be reasonable to assume that could be done to any webkit using device then?

yes, the part that isn't clear is the user participation, enter the rigged website, grant permission, whatever you've to do to have your device pwned.

And this go to every hack in the event, including Safari and IE

also as eluded to in the article, that happened on .246, which ran webkit version 534.1 (so does .337). but.448, .450 and .481 for torch (havent checked 486 yet) all run webkit version 534.8 so something has changed.

But, had the phone's information been encrypted, would that have made a difference as to what they could view or remove and still access? I'm not a programmer by any means, but I'm curious to know if that would make a difference.

Yes. If the phone's information had been encrypted using a reasonable method then the data would be essentially useless.

Thanks for the answer :) now if only BB Protect would let me keep my stuff encrypted and still utilize the app...

Not necessarily, if the exploit essentially operated as a service on the device then it may have the same privileges to access encrypted content as any other application or service which normally runs on the device.

The main thing now is, how fast will RIM be to patch the holes.

If they find it to be legit and everything they best have a patch within 2 days. If it goes on past that things will look pretty bad.

Now heres a big problem. Will RIM push an update? Or will they continue letting carriers decide when to put out an update?

The PB will be get updates independant of carriers so I really hope that they move that direction with their SmartPhones.

Super news. Hopefully this will let RIM tell carriers to F-off and tell carriers updates must be pushed out on RIM's schedule. I don't think this will affect Playbook at all.

and at the first comment. I hope that was a joke everyone knows Android is about the least safe OS out there with infected software left and right.

Lesson Learned RIM, Don't Use Apple Products. Just stay with your one Secure creations. But no worries, i still love blackberry :D

hoping for a blackberry jailbreak :P,(btw the name crackberry has nothing to do with, i think a lot of people came here hoping for wareZ Xd)