[Rumour?] Blackberry patched vulnerability that allows malicious app installation
- Didn't see this posted here, so wondering if this is legit or not. This was posted on Threatpost.com. Here is the link for your reference, but I will include the entire article in case there are those that are going to claim that I'm trying to get hits for them.
LINK:
https://threatpost.com/blackberry-10...llation/108830
ARTICLE:
BlackBerry has patched a vulnerability in its BlackBerry 10 devices that could allow an attacker to intercept users’ traffic to and from the BlackBerry World app store and potentially install malware on a targeted device.
The vulnerability is a weakness in the integrity checking system that BlackBerry uses to verify the apps that users download. If an attacker is able to gain a man-in-the-middle position between a user and the BlackBerry World servers, he could replace the legitimate app the user requested with malware. BlackBerry officials say that the vulnerability only affects devices running BlackBerry 10, and recommend that users install the new version of the World app as soon as possible.
“A vulnerability exists in the BlackBerry World service’s download mechanism, which is used by the BlackBerry World app on affected BlackBerry 10 smartphones. BlackBerry World allows you to search for and download apps for your BlackBerry device. BlackBerry World employs application integrity checking and secure download methods to ensure that the correct app is downloaded and installed,” the BlackBerry advisory says. “In some cases, a weakness in these methods could allow an attacker, through a man-in-the-middle attack, to intercept a user’s BlackBerry World application download and, as a result, install malware on the device. Successful exploitation of this vulnerability could potentially result in an attacker gaining access to any data or settings that are accessible through the permissions that the user accepted when installing the malicious app.”
The vulnerability affects versions 10.2, 10.2.1 and 10.3 of the BlackBerry World app. The company said that user communications with BlackBerry World now are done over SSL, which can help protect against MITM attacks.
10-14-14 02:13 PM
- diegonei (Retired Mod & Ambassador): If it is true, it most likely refers to a patch that has already been applied. They do this all the time, you know. We just don't hear of it often.
Unlike iOS and Android, where the patch is usually issued after some measure of disaster happens.
10-14-14 02:31 PM
- You could always go to the official source:
BSRT-2014-008 Vulnerability in BlackBerry World service affects BlackBerry 10 smartphones
EDIT:
According to BlackBerry SRT I'm already running the fixed version of BlackBerry World. You probably are too.
Edit 2:
Got to my desktop and fixed up presentation.
Resolution:
BlackBerry 10 OS version    Resolution (BlackBerry World versions)
10.3.0                      5.1.0.53 and later
10.2.1                      5.0.0.263 and later
10.2.0                      5.0.0.262 and later
Interesting quote from Mitigations:
This issue is mitigated for all customers by the prerequisite that the attacker must persuade the customer to download the malicious application and accept the permissions.
In order to exploit this vulnerability, an attacker must gain control of the network that the customer is using to make the download/update request.
Last edited by Richard Buckley; 10-14-14 at 04:27 PM.
10-14-14 04:10 PM
- Edit: You thought I was asking how BlackBerry fixed it without users noticing, not how the hackers are installing the malware.
If an attacker is able to gain a man-in-the-middle position between a user and the BlackBerry World servers, he could replace the legitimate requested app with malware
User goes to BBW. Selects a file to download/install. File is first downloaded, and then installed (just checked, and it was downloaded and installed in 1 step). The malicious behaviour is that the user wants file "X" and instead downloads file "Y", unbeknownst to them.
The fix could simply be "check MD5 of bar on server. check MD5 of bar that was downloaded".
But to repeat my point, it is my understanding that .bar files can only be installed if signed by BlackBerry or a developer with keys issued by BlackBerry. To install unsigned .bar files, you would need to be in development mode.
So the topic of my post is really: how is the malware packaged in .bar format such that it is successfully installed without being in developer mode? Is it from improper use of actual developer keys, or is it some spoofing/hacking/validation check bypass? Ever since we got the unlocked Android runtime, we haven't had to keep installing .bar files from self-signed developer keys like standard operating procedure in 2013. So I'm forgetting/unaware of the build process that makes the .bar file legit enough for BB10 to install it.
10-14-14 09:00 PM
- Did you reply to the right post? Your reply doesn't make sense as a reply to my post. I am talking about the man-in-the-middle exploit (the vulnerability in question). Clarify where OS updates come into the discussion about apps and the BBW vulnerability.
Essentially, if you connect to BlackBerry World over a compromised network, such as a maliciously run Wi-Fi hotspot, the operator of the network could exploit a weakness in the protocol to substitute a different BAR file for the one requested.
10-14-14 10:38 PM
- Developers are able to fully sign their applications to run on a device not in development mode. Running an application with the device in development mode requires that a developer token be installed on the device. Developer signing allows developers to provide unique applications to customers. If I'm paid to develop an application for company X specific to their business, they wouldn't want it in BlackBerry World for everyone to download. So this is not a misuse of signing.
Developer keys are issued by BlackBerry, IIRC, so if malware was ever found and analyzed, they would be able to trace back the IP that it was issued for? Though I imagine they're smart enough to use a VPN or something when connecting to BlackBerry servers.
This seems realistically exploitable so long as the replacement app has the same/similar name as the intended app, or a name generic enough not to draw attention when prompting for permissions. If it wasn't protected by an SSL connection before the BBW update, given how NSA has wire taps on major internet feeds, what would stop them from man in the middling this exploit? I think this is within the realm of people actually putting forth the effort to reproduce this attack (though not me).
10-15-14 02:05 AM
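As an added example, not code from this thread, from BlackBerry or from the advisory: a small Python model of the "compare the server's digest with the downloaded file" fix proposed above, showing that the comparison only catches a substituted BAR when the reference digest arrives over a channel the network operator cannot rewrite (which is what moving BlackBerry World traffic to SSL, as the article notes, provides). The package bytes, app name and in-band digest field are constructed for the example; the developer-signing requirement also discussed in the thread is not modelled.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for the requested .bar and a substituted one (not real archives).
REQUESTED_BAR = b"bar:com.example.notes:1.0:" + b"A" * 64
SUBSTITUTE_BAR = b"bar:com.example.notes:1.0:" + b"Z" * 64

def digest(blob: bytes) -> str:
    # SHA-256 rather than the MD5 suggested in the thread; MD5 collisions are practical.
    return hashlib.sha256(blob).hexdigest()

@dataclass
class StoreResponse:
    package: bytes
    published_digest: str  # reference digest sent in-band, alongside the package

def honest_response() -> StoreResponse:
    return StoreResponse(REQUESTED_BAR, digest(REQUESTED_BAR))

def tampered_response() -> StoreResponse:
    """Cleartext response after rewriting on the network path: the package and
    the in-band digest are replaced together, so they still agree."""
    return StoreResponse(SUBSTITUTE_BAR, digest(SUBSTITUTE_BAR))

def verify_in_band(resp: StoreResponse) -> bool:
    # "Check the server's digest against the download", with the reference
    # taken from the same rewritable response.
    return digest(resp.package) == resp.published_digest

def verify_pinned(resp: StoreResponse, pinned_digest: str) -> bool:
    # Reference digest obtained over a channel the path cannot rewrite (for
    # example an authenticated TLS session to the store), then compared.
    return digest(resp.package) == pinned_digest

def run_scenarios() -> dict:
    pinned = digest(REQUESTED_BAR)  # what the store publishes for the requested app
    clean, tampered = honest_response(), tampered_response()
    return {
        "clean_in_band": verify_in_band(clean),
        "tampered_in_band": verify_in_band(tampered),        # True: check is defeated
        "clean_pinned": verify_pinned(clean, pinned),
        "tampered_pinned": verify_pinned(tampered, pinned),  # False: substitution caught
    }

if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```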
- Edit:
What you may be referring to here was the practice of some people pirating Android applications and making them available by using the developer token facility. The only reason they would have to do this is that their agreement with BlackBerry to get developer keys precluded using IP without permission. They probably felt that they couldn't get a proper signature, or if they did BlackBerry might cancel their keys. They were, however, at just as much risk using tokens because the BAR file is still signed by the developer keys and can be tracked back to the developer.
10-15-14 07:01 AM
- No, my app does not use this exploit. My app is known to work on the latest firmwares and the very latest BlackBerry World.
Using this exploit did allow sideloading on-device (without contacting a third-party to first upload and then download the app such as an appInstaller proxy).
It's a fairly obvious exploit that I have never seen any point with. You need a local proxy or similar for this to work. Basically, someone has to be controlling your internet flow. I know it doesn't require the use of a password (which is needed for the traditional method that appInstaller proxies use) but for my purposes it did not provide any benefit.
Basically, there is no risk to normal users here. Especially since the switch to using SSL ages ago.
It must have been reported a long time ago. Possibly at the start of the year since it is #8. We're up to exploit #290 this year.
Last edited by xsacha; 10-15-14 at 07:41 AM.
10-15-14 07:29 AM
- Anyone in the know if this is true? I haven't seen an update to BlackBerry World in a while (I don't have a good memory though). Good news is that they have patched it, but a bit shocked if this existed in the first place.
10-15-14 10:17 AM
- No, not piracy per se. On CrackBerry last year, the reason for debug tokens taking off was that BlackBerry had blacklisted some APIs that only worked in development mode. Or at least for me and the majority of people. The Android runtime was not complete, and so the released Android runtime did not expose everything that was accessible when a debug token was used. So it was for app compatibility more so than piracy. By November 2013, the unlocked Android runtime was in BBW, and that stopped the need for using developer tokens to get the 'unlocked' Android runtime. That's just to clarify why/how I used it, not arguing. We are on the same page and I understand what you said.
10-15-14 09:18 PM