BlackBerry Vulnerability – Disable JavaScript

Research In Motion is advising BlackBerry users to disable JavaScript as a workaround for a security vulnerability in its web browser. An issue with the browser rendering engine, WebKit, provided in BlackBerry Device Software version 6.0 and later, could allow a hacker to gain access to user data stored on media cards and media storage. Exploitation could result in remote code execution on affected BlackBerry smartphones, but it requires the user to browse to a website that the attacker has maliciously crafted.

The security vulnerability was exposed at this year’s CanSecWest Pwn2Own contest, where hackers were able to retrieve contact list information and image files from a BlackBerry Torch 9800. Affected BlackBerry devices include Bold 9650, 9700 and 9780; Curve 9300; Pearl 9100; Style 9670; and Torch 9800.

Turning off JavaScript may affect the overall browsing experience and the ability to view some web pages, but RIM reassures users that data in the e-mail, calendar and contact applications, which is stored in application storage, is not at risk.

How to disable JavaScript. (BlackBerry Enterprise Server administrators can turn off JavaScript using the ‘Disable JavaScript in Browser’ IT policy rule.)

BlackBerry Vulnerabilities

RIM has issued 2 security advisories warning BlackBerry users and corporate BlackBerry Enterprise Server (BES) administrators of newly discovered security flaws in many versions of its BlackBerry handheld software and in BES.

The first advisory applies to BlackBerry smartphone users, and it warns of what RIM is calling a “partial Denial of Service (DoS)” attack, where websites with malicious code could freeze BlackBerry browsers until the browser restarts or the device is rebooted.

The second BlackBerry security advisory relates to yet another flaw in the PDF Distiller component of BlackBerry Enterprise Server. Issues with the troublesome PDF Distiller component have been identified as “severe” risks in at least 5 different advisories since 2008.

For more information on these 2 vulnerabilities and patches, visit RIM’s advisory pages here and here.

RIM PlayBook Limitations

Kevin Michaluk reports on his blog that there’s been a bit of confusion regarding the need to own a BlackBerry smartphone to use the BlackBerry PlayBook tablet. Not true, but it helps!

Although a native email and calendar client may not be available at launch, it is definitely on the short-list roadmap.  In the meantime RIM is offering the BlackBerry Bridge that turns the PlayBook into a big screen for your phone’s email, calendar, contacts, tasks, and BBM, leaving no data on the PlayBook.  Oh, and you can browse, too.

Interesting to me at least, that the PlayBook uses QNX for the OS.  I used to support QNX and applications running on it way, way back in the day.  I think it was the ’80’s, but that period really is a blur for me… 

RIM also expects to be able to push updates out to consumers quickly, rather than having customers hunt them down. This will be interesting, and I hope they do their usual due diligence in securing this update mechanism. Last thing I want is an exploitable service that security researchers and malware authors will definitely target.

Blackberry B/U Encryption Cracked

Think your BlackBerry data’s safe because it’s encrypted on the phone, in the air, and on backup?   Unh-unh-unh, there goes the neighborhood!

Competitive Russian software developers ElcomSoft and AccentSoft together have developed effective password-cracking programs for most common desktop encryption formats and have targeted the BlackBerry with a Phone Password Breaker that was previously limited to Apple mobile devices. Because the device can wipe itself if attacked directly, they developed a tool that works on the backups that the phone and its software can create on your desktop.

Like all password-cracking programs, this tool is a double-edged sword.  It can save your behind if you really need to get at the data backed up from a phone that’s been stolen or remotely wiped.  On the other hand, criminals who get their hands on your backup now have a way to read your business data. 

In testing, it takes much less time to brute force a password if the password is all one case, subject to a dictionary attack, or is partially known. It only takes 3 days to break a 7-letter mixed-case password. A little longer if there are numbers and special characters in the password, or the password is longer.
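To see how the quoted crack time scales with character set and length when choosing a backup password, here is an added example (not from the original post or from ElcomSoft) that calibrates a guess rate from the 3-day figure above. It assumes that figure is a full keyspace sweep at a constant rate; the function and policy names are illustrative.

```python
SECONDS_PER_DAY = 86_400

# Calibration point taken from the post: a 7-letter mixed-case password
# (52 symbols) is broken in 3 days. Assumption: this is an exhaustive
# sweep of the whole keyspace at a constant guess rate.
CAL_CHARSET, CAL_LENGTH, CAL_DAYS = 52, 7, 3

# Illustrative password policies (alphabet sizes), not from the post.
POLICIES = {
    "lowercase only": 26,
    "mixed case": 52,
    "mixed case + digits": 62,
    "printable ASCII": 95,
}

def implied_guess_rate():
    """Guesses per second implied by the calibration point."""
    return CAL_CHARSET ** CAL_LENGTH / (CAL_DAYS * SECONDS_PER_DAY)

def worst_case_days(charset_size, length, rate=None):
    """Days needed to try every password of exactly `length` symbols."""
    rate = rate or implied_guess_rate()
    return charset_size ** length / rate / SECONDS_PER_DAY

def min_length(charset_size, target_days, rate=None):
    """Shortest length whose full sweep takes at least `target_days`."""
    rate = rate or implied_guess_rate()
    needed_guesses = target_days * SECONDS_PER_DAY * rate
    length = 1
    while charset_size ** length < needed_guesses:
        length += 1
    return length

if __name__ == "__main__":
    print(f"implied rate: {implied_guess_rate():,.0f} guesses/s")
    for name, size in POLICIES.items():
        for length in (7, 8, 10):
            days = worst_case_days(size, length)
            print(f"{name:20s} length {length:2d}: {days:14,.2f} days")
        # 36,500 days is roughly 100 years of continuous guessing
        print(f"{name:20s} min length for ~100 years: {min_length(size, 36_500)}")
```

These are worst-case sweep times at the calibrated rate only; a password found in a dictionary or partially known falls far sooner, as the post notes.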