This year's Pwn2Own event is well underway in Vancouver. The yearly event takes the best White hat hackers and challenges them to exploit computers and operating systems so that their vulnerabilities may be shared with the owners of those operating systems in an effort to make them more secure. In previous years, Research In Motion has stood its ground but this year results are now in for BlackBerry. The news however, isn't the best. This year, a BlackBerry Torch running OS 18.104.22.168 was successfully exploited using the long awaited WebKit browser. The browser exploit allowed Vincenzo Iozzo, Willem Pinckaers and Ralf Philipp Weinmann to gain access to all contact information as well as the image database. Research In Motion's director of security, Adrian Stone was on hand to confirm the exploit and made the following statements about it:
“It happens. It’s not what you want but there’s no such thing as zero code defects,” in addition to that statement Stone also advised that RIM's security team would analyze the date to see if it was a true zero-day flaw and if so, then a fix would created and then rolled out to carrier partners so that end-users get it. This situation of course assumes that it hasn't already been fixed in a later revised OS. But that could not be confirmed at the time.
Given that Research In Motion doesn't use any underlying security in its OS such as ASLR or DEP and others do, it is something that Research In Motion is looking to be adding at a later time. When asked about the security within BlackBerry devices Vicenzo Izzo noted “The advantage for BlackBerry is the obscurity. It makes it a bit harder to attack a system if you don’t have documentation and information," which leads into the fact that WebKit while Open Source, is an Apple derived product with lots of detailed information about it being available to all.