BlackBerry security breached at Pwn2Own 2011

By Bla1ze on 10 Mar 2011 08:32 pm EST
BlackBerry security breached at Pwn2Own 2011

This year's Pwn2Own event is well underway in Vancouver. The yearly event takes the best White hat hackers and challenges them to exploit computers and operating systems so that their vulnerabilities may be shared with the owners of those operating systems in an effort to make them more secure. In previous years, Research In Motion has stood its ground but this year results are now in for BlackBerry. The news however, isn't the best. This year, a BlackBerry Torch running OS was successfully exploited using the long awaited WebKit browser. The browser exploit allowed Vincenzo Iozzo, Willem Pinckaers and Ralf Philipp Weinmann to gain access to all contact information as well as the image database. Research In Motion's director of security, Adrian Stone was on hand to confirm the exploit and made the following statements about it:

“It happens. It’s not what you want but there’s no such thing as zero code defects,” in addition to that statement Stone also advised that RIM's security team would analyze the date to see if it was a true zero-day flaw and if so, then a fix would created and then rolled out to carrier partners so that end-users get it. This situation of course assumes that it hasn't already been fixed in a later revised OS. But that could not be confirmed at the time.

Given that Research In Motion doesn't use any underlying security in its OS such as ASLR or DEP and others do, it is something that Research In Motion is looking to be adding at a later time. When asked about the security within BlackBerry devices Vicenzo Izzo noted “The advantage for BlackBerry is the obscurity. It makes it a bit harder to attack a system if you don’t have documentation and information," which leads into the fact that WebKit while Open Source, is an Apple derived product with lots of detailed information about it being available to all.

Source: ZDNet

Reader comments

BlackBerry security breached at Pwn2Own 2011


Prepare onslaught of Android fanboys saying that now Android is 112393129849287389724879598798724389752987x more secure than BlackBerry...

typical, one thing apple based and it all goes downhill lol.

so if its a webkit exploit would it be reasonable to assume that could be done to any webkit using device then?

yes, the part that isn't clear is the user participation, enter the rigged website, grant permission, whatever you've to do to have your device pwned.

And this go to every hack in the event, including Safari and IE

also as eluded to in the article, that happened on .246, which ran webkit version 534.1 (so does .337). but.448, .450 and .481 for torch (havent checked 486 yet) all run webkit version 534.8 so something has changed.

But, had the phone's information been encrypted, would that have made a difference as to what they could view or remove and still access? I'm not a programmer by any means, but I'm curious to know if that would make a difference.

Yes. If the phone's information had been encrypted using a reasonable method then the data would be essentially useless.

Thanks for the answer :) now if only BB Protect would let me keep my stuff encrypted and still utilize the app...

Not necessarily, if the exploit essentially operated as a service on the device then it may have the same privileges to access encrypted content as any other application or service which normally runs on the device.

The main thing now is, how fast will RIM be to patch the holes.

If they find it to be legit and everything they best have a patch within 2 days. If it goes on past that things will look pretty bad.

Now heres a big problem. Will RIM push an update? Or will they continue letting carriers decide when to put out an update?

The PB will be get updates independant of carriers so I really hope that they move that direction with their SmartPhones.

Super news. Hopefully this will let RIM tell carriers to F-off and tell carriers updates must be pushed out on RIM's schedule. I don't think this will affect Playbook at all.

and at the first comment. I hope that was a joke everyone knows Android is about the least safe OS out there with infected software left and right.

Lesson Learned RIM, Don't Use Apple Products. Just stay with your one Secure creations. But no worries, i still love blackberry :D

hoping for a blackberry jailbreak :P,(btw the name crackberry has nothing to do with, i think a lot of people came here hoping for wareZ Xd)