1. gstking's Avatar
    My IT security guys who always look at me sideways when they see me using my playbook sent a note today asking me to disconnect my phone because of this article:


    Blackberry PlayBook Tablet Security Flaw Discovered - Mobile and Wireless - News & Reviews - eWeek.com

    I couldn't find any support or counter arguments for the article. Thoughts?
    01-16-12 07:19 AM
  2. Chaddface's Avatar
    01-16-12 07:23 AM
  3. alnamvet68's Avatar
One has to go out of his way and purposely sideload the malicious content that would then create this "vulnerability." So long as you don't mess with the OS by looking for ways to download 'roid apps, or those games a handful think are necessary to make the PB "complete", I wouldn't worry much about it. Besides, OS2 will have this fixed.
    apg300, AggreX, peter9477 and 1 others like this.
    01-16-12 07:40 AM
  4. BuzzStarField's Avatar
    My IT security guys who always look at me sideways when they see me using my playbook sent a note today asking me to disconnect my phone because of this article:


    Blackberry PlayBook Tablet Security Flaw Discovered - Mobile and Wireless - News & Reviews - eWeek.com

    I couldn't find any support or counter arguments for the article. Thoughts?
    From the article:

    “There are no known exploits, and risk is mitigated by the fact that a user would need to install and run a malicious application after initiating a BlackBerry Bridge connection with their BlackBerry smartphone.”

    1. There are no malicious apps in app world
    2. It is not possible to deploy an app (sideload it) unless development mode is switched on
    3. There is no exploit that will allow an app to run secretly in the background on a 1.0.xx (unless the device is rooted). You must manually tap an icon to start an app. A device cannot be rooted unless development mode has been turned on.
    4. Apps cannot be automatically started at boot time (unless the device is rooted....)

    Conclusion: Your IT guys are paranoid. Phishing websites that abound on the internet are a far bigger security risk, but like this exploit, require the user to be a complete idiot and ignore standard advice about protecting oneself from malware.
    Last edited by BuzzStarField; 01-16-12 at 09:08 AM.
    apg300, AggreX, gstking and 1 others like this.
    01-16-12 07:48 AM
  5. apg300's Avatar
    Well, if it's a company-issued phone that you are using, and they advised you not to use your playbook which I am assuming is your personal property (or vice versa: personal phone, company-issued playbook), then you really would just have to do as they say.
    But if both are your personal property, then they shouldn't tell you what to do with them. If they feel it's not secure, then they should issue you a company phone and a tablet.

    About the security of Bridge, I honestly think that there can never be any secure system for a paranoid person. In the same manner that there will never be a healthy place for a hypochondriac.

    As alnamvet68 and BuzzStarField have already pointed out, one would have to go to serious lengths just to hack your Bridge. I'm imagining a pseudo-Mission Impossible type of operation where they'd have to steal your phone (or your playbook), replace it with a dummy/clone, install malicious software, and secretly switch them back with the dummy/clone as you're sipping coffee while working at your desk. Seriously, and I don't mean to offend you with this...but if you were the President of the United States, Bill Gates, Donald Trump, then I'd say they (IT guys) have a lot to worry about. If not, then there's no cause for exaggerated worries. (Again, I don't mean to imply that you're unimportant.)

    Anyway, since I'm obviously not an IT guy, I can't really give you counter-arguments for what they said. I would still refer back to my first paragraph. If the BB and PB are yours, you have every right to do what you want.
    gstking likes this.
    01-16-12 08:31 AM
  6. pmccartney's Avatar
    As Buzz says, your IT guys are paranoid.
    If it's such a big deal they could simply apply an IT Policy to your BB device (assuming it's company property) preventing the installation of BB Bridge, but they choose to leave it in the hands of the individual user.
    I guess they are lazy as well as paranoid.
    apg300 likes this.
    01-16-12 08:38 AM
  7. sjfwhite's Avatar
    This is what drives me crazy about trying to work with the IT folks. Often times it isn't really about security it's about who's in control. IT policies can go a long way towards crushing employees' ways of maximizing their productivity and innovation.
    apg300 likes this.
    01-16-12 09:39 AM
  8. bbfan1040's Avatar
    Bluetooth. Not wifi. Not internet connection. Someone would have to be very close to you, and be prepared to infiltrate your PB with very specialized tools.
    I doubt that most of us would be targets for that - except maybe in very busy public places.
    I can wait for OS2.
    Follow your it directive of course!
    P.S. Paris Hilton had her address book read & copied years ago. (Not properly setup).
    01-16-12 10:03 AM
  9. Spinal's Avatar
    On the note of bluetooth and security, does anyone set their BB smartphone's bluetooth security settings to 'high+encryption' or do you guys just use 'high'? I'm not sure if there is any benefit, however, but I think there might be, at least regarding this issue.
    01-16-12 10:13 AM
  10. peter9477's Avatar
    Buzz and the others pretty much cover it. I don't actually know the details on the Bluetooth aspect itself, specifically what the "token" covers or when it's generated. It's possible it's generated afresh (and different) each time the connection is established, but also possible it is generated once per pairing, and never again. Depending on which it is, the malicious app would either have to be run each time you reconnected the phone, or only once after you established the pairing.

    That means even if we believed this had been exploited by someone (and RIM's basically saying all the apps in App World are safe), you would run the malicious app after you'd paired the phone, have the app transmit the data to the internet (it could then exit), and then be followed around by a hacker who manages to stay within about 30 feet of you at all times, snooping on the traffic.

    Oh, and I believe Bluetooth automatically adjusts the power levels. If true, and you have the phone and tablet near each other, the hacker probably needs to be sitting in your back pocket for this to work...

    And lastly, does this paranoid IT group work in the NSA? My guess is there are far larger holes on the company's network than this, but the IT guys will look like they're right on top of things by ordering you to stop using the phone.
    01-16-12 01:34 PM
  11. jaguari's Avatar
    Like many I would love to connect my 9700 to my playbook, but my company does not allow this type of connection.

    Question - has anyone looked or considered if there could be a physical connection between the phone and tablet. I was thinking that a USB cable could be connected with the tablet and phone in a leather folder....it could be packaged into a neat looking business folder.

    The folder would let you make calls from the phone and use the tablet at the same time. The physical connection, if it could be made to work, would avoid any complex security concerns.

    Anyone thinking this would work? I am sure there is a market for it.
    02-06-12 04:12 AM
  12. FF22's Avatar
    Like many I would love to connect my 9700 to my playbook, but my company does not allow this type of connection.

    Question - has anyone looked or considered if there could be a physical connection between the phone and tablet. I was thinking that a USB cable could be connected with the tablet and phone in a leather folder....it could be packaged into a neat looking business folder.

    The folder would let you make calls from the phone and use the tablet at the same time. The physical connection, if it could be made to work, would avoid any complex security concerns.

    Anyone thinking this would work? I am sure there is a market for it.
    At the very least, that would require what is called USB On-The-Go support, and currently the PB does not support connecting other USB devices except computers. Then, obviously, you'd need the "software" or other aspect to create your suggested secure connection between a certain phone and the PB. But it might be possible.
    02-06-12 09:05 AM
  13. Sith_Apprentice's Avatar
    Bridge and the Playbook is being approved by DoD for use as long as your Bluetooth settings are adjusted on your device. You have nothing to worry about in regards to this flaw. (which I believe has been fixed anyway)
    02-06-12 09:09 AM
  14. peter9477's Avatar
    Bridge and the Playbook is being approved by DoD for use as long as your Bluetooth settings are adjusted on your device. You have nothing to worry about in regards to this flaw. (which I believe has been fixed anyway)
    Sith is correct: this was confirmed fixed around end of October, about a month after I reported it to them.

    The latest beta has the fix, 2.0 definitely will, but 1.0.8 doesn't have it fixed yet (I just checked).
    02-06-12 02:31 PM
  15. TheScionicMan's Avatar
    If they aren't going to block it from their BES, then just turn off Bridge while you are at work. And when OS2 officially drops in the next few weeks, you can tell them the hole is closed.

    On another note, do they allow iPhones or more specifically iMessage to be used?
    02-06-12 03:14 PM