09-02-14 01:19 PM
  1. jpvj
    Hello fellow CrackBerry readers,

    Let me start with a disclaimer: The intent of this post is not to bash BlackBerry or any CB users.
    During this very long post, I will provide a few examples on BlackBerry security issues as well as try to prevent further “cheering” when another platform suffers from a security flaw.

    Let me start by serving my two main messages:

    First: BlackBerry ALSO has security issues.
    Secondly: Don’t point fingers at other platforms and claim BlackBerry is secure, when BlackBerry also has security issues.

    Most readers are probably aware of the BlackPhone session presented at BlackHat. As far as I understand, it contained three security issues: One was already identified and resolved, one was a “non-issue” and the third is still being investigated.

    The big headlines seem to cause happy faces for some BlackBerry fans. They seemed thrilled to see BlackPhone “in trouble” and many comments followed the article. A few CB users gave the impression that BlackBerry are 100%+ secure devices and never contain any security flaws that could compromise the device and provide either access to data or even “root” access. Others wisely stated, “No systems are 100% secure” which at least is a more conservative approach. I agree with the last group.

    Let me give you an example of a security flaw in BB10 giving access to the SMB file system without proper authentication.
    Yesterday BlackBerry (finally) released a security advisory. The company that discovered the issue worked with BlackBerry and agreed to delay the publication until the patch was widely distributed (read: Approved by carriers).
    Ref: http://www.modzero.ch/advisories/MZ-...on-By-Pass.txt
    KB36174-BSRT-2014-006 Vulnerability in file sharing service affects BlackBerry Z10, BlackBerry Z30, BlackBerry Q10, and BlackBerry Q5 smartphones
    Notice the timeline: Almost 14 months from discovery to publication!!! Try to imagine what a focused hacker could have gained by knowing this exploit and nobody outside BlackBerry knew about it.
    Modzero has also published this nice little demo: http://www.modzero.ch/advisories/media/mz-13-04-poc.mp4

    BlackBerry is still waaaay too dependent on carrier approvals and the only “responsible way” of handling issues seems to be to fix them in the code, delay the publication and secretly fix the issue until they are certain most of the install base is upgraded. Perhaps BlackBerry should “fix” their carrier relationship as it seems like a huge security risk to me.

    Speaking of BlackHat… We are also awaiting some more info about the flaw from https://www.blackhat.com/us-14/briefings.html#Solnik.
    I have not seen anything about the flaw and the impact on the BlackBerry 10 device. Some sources are talking about code execution and memory access and others are telling me the opposite. Until they release something detailed, we can only speculate if the flaw may provide access to data, root the device or just “modify carrier settings”.

    Justin Case also tweeted something about BlackBerry “threatening with legal actions to stay secure”. I cannot find the tweet anymore, but it could be interesting to ask him what he means by that. I could take a wild guess, and say, “BlackBerry demands security researchers to delay publication until BlackBerry has distributed a fix for most/all customers. If they refuse, they are threatened with legal actions”. It seems very possible, and if you know anything, please share it in the comments.

    For the enterprise you might remember something like 5 security issues found in the distiller component of BES 5.0 during a rather short timeframe. The flaw could potentially give remote code execution to the server and since BES servers typically were allowed to send HTTP traffic to the Internet (to let the devices browse web pages via BES) it could potentially be used to create LAN access for an attacker.
    Less than a week ago, this KB article was released: KB36175-BSRT-2014-007 Information disclosure vulnerability affects BlackBerry Enterprise Service 10 and BlackBerry Enterprise Server 5.0.4. I don’t consider it a big issue but hopefully it removes some of the diamond dust about BlackBerry being 100% secure and perfect.

    One of the biggest brand values for BlackBerry is security. I have seen the security concept of the BlackBerry misunderstood numerous times by journalists and CB users and I still read questions or comments on CP every day documenting it.
    In some use cases (enterprise mostly) BlackBerry has a very secure solution and in other cases they are no better than other devices. BlackBerry has done very little to set the record straight. Why? Because it has incredible value to be known as “the company with secure devices”.

    Security is hard to understand, as it requires high skills in several areas like programming and cryptography. BlackBerry has invested many resources in security during the years, but their employees are humans and they do make mistakes, which may lead to security flaws.
    Currently the BB10 platform has <<1% of the market share worldwide and is as such not attractive as a target. If the market share increases, expect more exploits to be identified.

    When looking at lists of published exploits it is obvious that BlackBerry has fewer *published* than the competition. BlackBerry *might* be more secure than the competition. It *may* be caused by a more security focused view on development or it *may* be caused by undetected flaws due to low market share.

    Final words: It is perfectly OK to be a hardcore fan, but pls. stay open-minded and realistic.

    If you made it all the way to the bottom, you truly are a hardcore BlackBerry fan
    08-13-14 03:12 PM
  2. djdragon
    My that armchair sure does look comfy.
    08-13-14 03:24 PM
  3. dvarnai
    1. the fact that it's them or a hired company finding the flaws makes it secure. if it would be a random hacker at a conference, that would be a completely different story, as that's what happens with ios and android all the time, random people finding exploits.

    2. back in the days when its marketshare was a lot more, people still didn't tend to hack it like they do with android and ios

    3. considering that 1% marketshare includes most of the fortune500 companies and government agencies, that 1% alone is a lot more valuable than 14 year olds with their iphones.
    08-13-14 03:41 PM
  4. PHughes
    Any phone/device that is connected to the internet or other outside connection can and will have potential security issues. Whether or not they will be exploited is another issue, it depends on how easily the device can be hacked and what the potential payoff is.

    What is more at issue is the built in privacy issues regarding Android and Google. I would rather have a phone that is provided by a company that does not seek to mine my private data and emails for its own purposes. The other issues are secondary and based on use paranoia for the most part.
    08-13-14 03:47 PM
  5. rthonpm
    There's a few issues with your post:

    Firstly, asking for silence on a reported issue until a patch can be issued is fairly common in the security world because it closes the number of possible attack vectors from script kiddies and other bad agents who otherwise wouldn't have known of the issue. With the Samba issue, the number of possible requirements needed to even get information from the device make it a fairly difficult attack to undertake. Even the CERT vulnerability level is only 5.4, which is not considered critical. Even the BlackBerry bulletin includes mitigation steps:

    This issue is mitigated for all customers by the prerequisite that the attacker must persuade the customer to turn on file sharing over Wi-Fi or locate a customer on the Wi-Fi network who has file sharing over Wi-Fi turned on. File sharing over Wi-Fi is not enabled by default.

    The same issue is with the BES advisory, which is for older software versions of both BES 5 and BES 10. In that instance, the mitigating factors for a successful exploit are even more difficult to get to:

    This issue is mitigated for all customers by the prerequisite that the attacker must gain access to the affected diagnostic logs. Typically, only the system administrator would have this access.
    Additionally, the logs are historical in nature. As a result, logged information of this type may not be valid at the time that the log is read.


    While I do agree that no platform is ever completely secure, the real issue with security is how much of a direct threat an issue is: if I need to have access to the same limited range network, or access to administrative accounts then the threat is already under some control without any other intervention. From there it's more of making sure the doors are locked as opposed to closing the windows, locking the doors, and turning on the security system.
    08-13-14 03:53 PM
  6. Nugzie
    Is that you Justin?

    Posted via CB10
    lazypapichulo21 likes this.
    08-13-14 03:56 PM
  7. Ment
    Great post OP. One thing BB could do is to offer bounties for exploits like a few other companies do in exchange for waiting until it could be patched and distributed. Threatening legal action/DMCA violations is not a good strategy. Now of course that could attract more hackers to Blackberry but security thru obscurity is not a good model, look at Apple: forever they expounded how secure MacOS/IOS is but in recent years since Macs/Iphone/Ipads have become so popular many holes have been published.
    SnoozerBold and propeller10 like this.
    08-13-14 04:06 PM
  8. SnoozerBold
    Any phone can be 'hacked' what's more important (to me) is how easily it can be made vulnerable to attacks and what's involved to do it. Like if you have to have physical access (think that was the case with the black phone), sure it's a security flaw and needs to be addressed asap but personally I'm more worried about remote access and exploits in apps, using websites etc...

    As for people gloating and what not. It's the internet. It's bound to happen. I know it's childish but I gotta tell you it's fun to sit back and watch. Like reality TV but for geeks. Lol

    Anyway I forget my point aside from any phone can be hacked. Anyone who thinks BlackBerry is 100% secure and can't be is an ***** or doesn't understand security that well. I still believe BlackBerry to be the most secure platform out there. Will it always be? Doubt it. But for now I'd say it is.



    Posted via CB10 with my Z10 (Via limited WiFi connection)
    jpvj, jiminica and lazypapichulo21 like this.
    08-13-14 05:35 PM
  9. jpvj
    Thx for replying and sharing your thoughts. I agree with all posts.

    Delaying publication is completely fair. I think we all agree to that. But 14 months!!?

    I know the two flaws are not likely to happen due to happen, but I have a hard time finding an example of a remote exploit giving root/admin access :-) OK!? :-p

    Privacy is a huge part of trusting the device, but not directly relevant. My post was long enough ;-) I'm however 100% aligned with you in this matter.

    And no: I'm not Justin. He seems much more skilled with regards to development and Android. Also much more active on twitter and not so "diplomatic".

    Let's assume BlackBerry removed support for "Development mode" and "Install Android apps from other sources" leaving the user to install only from BlackBerry World. Let's also imagine BlackBerry 10 had the same market share as iPhone.

    We are now looking at two devices behaving identically with regards to letting the user only run apps from the vendor's app store and equal presence in the market. Bounty programs for security issues also identical for both.


    How would you expect the percentage of exploits found to be distributed across the two platforms and why?

    Posted via CB10
    08-13-14 05:56 PM
  10. SnoozerBold


    How would you expect the percentage of exploits found to be distributed across the two platforms and why?

    Posted via CB10
    I'm not a developer or software engineer so I'm just taking a stab at this but given Blackberry's history, BES and what I've read about QNX I'd say BlackBerry would probably do better than apple. BUT if they were both as popular as Apple, I'd expect to see more exploits on BlackBerry than we have seen so far. Significantly more.

    Posted via CB10 with my Z10 (Via limited WiFi connection)
    jpvj likes this.
    08-13-14 06:27 PM
  11. early2bed
    Security is a very convenient and easy claim to make. It's useful until someone pokes a hole in it and then your claim falls apart. That's the problem with using security as your claim to fame. That and the fact that most consumers simply aren't afraid that they are targets.
    SnoozerBold likes this.
    08-13-14 06:33 PM
  12. SnoozerBold
    Security is a very convenient and easy claim to make. It's useful until someone pokes a hole in it and then your claim falls apart. That's the problem with using security as your claim to fame. That and the fact that most consumers simply aren't afraid that they are targets.
    Good point. I'd expect it makes some people overly confident and maybe a little lazy with their online practices.

    Posted via CB10 with my Z10 (Via limited WiFi connection)
    08-13-14 06:37 PM
  13. Heinz Katchup
    BlackBerry stakes its livelihood on being known as the secure choice. Therefore you can always count on it being more secure than the rest. Regardless of what obstacles it might face.
    08-13-14 06:40 PM
  14. zocster
    Getting pop corn out to watch this intent discussion going through in a civilised manner

    Sent from 2AD743B7 via Tapatalk Pro
    00_Agent, propeller10 and jpvj like this.
    08-13-14 06:41 PM
  15. propeller10
    Getting pop corn out to watch this intent discussion going through in a civilised manner

    Sent from 2AD743B7 via Tapatalk Pro
    This thread is going to end up being a replay of that "blackphone hacked" thread in the Android subforum.
    08-13-14 06:50 PM
  16. dbmalloy
    Guess it depends on how you view security... if as the OP puts forth it is platform vulnerability then there is no such thing as security.... all systems will have them.... it comes down to how hard is it to get into a given platform system... Most consumer vendors put ease of use over security as most consumers do not care about security.... as for Blackphone... if they had not been so boastful about their product maybe the reaction would not have been so intense...... BB must have something over the rest as I do not believe India and UAE did not threaten the other smartphone platforms with banishment because they could not get access to the BB system... for me that is security....
    ultra07 likes this.
    08-13-14 06:52 PM
  17. propeller10
    1. There have been multiple vulnerabilities found in BB10 in past and more will be found in the future.
    2. BB10 does not have a vast number of hackers/security analysts researching the platform.
    3. BB10 cannot be even considered to be a target given the marketshare.
    jpvj likes this.
    08-13-14 06:57 PM
  18. SnoozerBold
    This thread is going to end up being a replay of that "blackphone hacked" thread in the Android subforum.
    So far so good I'd say.

    Posted via CB10 with my Z10 (Via limited WiFi connection)
    propeller10 likes this.
    08-13-14 06:59 PM
  19. dvarnai
    can anyone explain to me why the marketshare is important? fortune500 companies and governments use blackberry, they are alone worth more than all the iphone users and android users together... why would you hack a 16 year old teen girl's phone...
    08-13-14 07:20 PM
  20. propeller10
    can anyone explain to me why the marketshare is important? fortune500 companies and governments use blackberry, they are alone worth more than all the iphone users and android users together... why would you hack a 16 year old teen girl's phone...
    Majority of them don't use BB10. Also, majority of hackers go after regular people to steal personal info, identities and money. Why target the 1% when massive continuous success can be had by targeting the 99%. Also the people in that 1% are usually more educated about security and chances are they are required to follow certain protocols.
    08-13-14 07:27 PM
  21. djdragon
    Here's my take on the whole supposed "BlackBerry security issue".

    Show me that you can root it or exploit it or GTFO. Otherwise your speculation is based on other platforms and their issues. I'm sure you'll spew off stats and articles to make me look "uneducated", but show me that it was done to specifically BlackBerry10 and QNX.

    Z10 10.2.1.3175 via CB10
    08-13-14 07:44 PM
  22. der_mit
    Well said djdragon.

    Posted via CB10
    08-13-14 07:49 PM
  23. katiepea
    Here's my take on the whole supposed "BlackBerry security issue".

    Show me that you can root it or exploit it or GTFO. Otherwise your speculation is based on other platforms and their issues. I'm sure you'll spew off stats and articles to make me look "uneducated", but show me that it was done to specifically BlackBerry10 and QNX.

    Z10 10.2.1.3175 via CB10
    Root access was achieved at the conference last week. The listed device was a z10.

    http://arstechnica.com/security/2014...acked-sort-of/
    propeller10 likes this.
    08-13-14 08:57 PM
  24. propeller10
    Root access was achieved at the conference last week. The listed device was a z10.

    Blackphone goes to Def Con and gets hacked - sort of | Ars Technica
    No but that doesn't count because...because... well..IT'S CARRIERS FAULT OKAY? Sure blackberry did not detect the vulnerability because they were too focused on doing other security stuff. Anyways it doesn't count because I said so. Blackberry has no flaws and cannot be hacked. End of discussion. If you don't believe it you are not a tru fan.
    08-13-14 09:20 PM
  25. 00_Agent
    This thread is going to end up being a replay of that "blackphone hacked" thread in the Android subforum.
    Can you please point that out?

    Z10 10.2.2.xxxx
    08-13-14 09:28 PM