BlackBerry Cracked In Hacking Contest

The closely held BlackBerry is no longer a relative enigma in smartphone security: A team of three researchers yesterday at the Pwn2Own contest at the CanSec West conference in Vancouver hacked the device by exploiting a vulnerability in BlackBerry's newest browser version.

The team -- Vincenzo Iozzo, Willem Pinckaers, and Ralf Philipp Weinmann -- exploited a flaw in the open-source WebKit browser code that RIM now uses in new versions of its smartphone platform, and then grabbing the contact list and image database of a RIM BlackBerry Torch 9800.

Aaron Portnoy, manager of security research for TippingPoint's Zero Day Initiative (ZDI), the sponsor of the contest, says this is the first public BlackBerry platform hack he has witnessed. "We did have the option [to hack BlackBerry] in last year's contest," Portnoy says, but a few contestants only tried fuzzing an emulator for the device and nothing materialized.

It took one exploit against a "use after free" flaw in Webkit to crack the BlackBerry Torch, Portnoy says.

BlackBerry's platform for the most part has been relatively difficult to hack due to its closed architecture and lack of widely available documentation, so researchers mainly have focused on things like pushing spyware onto the phones.

Mobile security experts say RIM's revamp of its browser with Webkit, as well as the smartphone's lack of DEP and ASLR protections, likely were its downfall. The Webkit hook gave the Pwn2Own winners an "in," experts say.

"The use of open-source code or more open components makes sense in the short-term from a business model because it allows more rapid development, and if you want more of a feature-packed solution, you don't have to build from scratch," says Tyler Shields, a security researcher with Veracode.

But it also makes for a better attack vector, he says. "An open component is easier to attack, and faster [to attack]," Shields says.

Had the BlackBerry also been running ASL or DEP, it would have taken longer and more effort for the winners to crack it, experts say.

Meanwhile, RIM, which had representatives on site at Pwn2Own, issued this statement about the flaw found in its Torch smartphone: "BlackBerry implements a number of defense in-depth strategies to provide resilience and robustness in protecting the platform from exploitation and is widely recognized for the high level of security built into BlackBerry smartphones. We are working with TippingPoint and security researchers to investigate the issue and resolve it as quickly as possible."

Dave Marcus, director, security research and communications says the BlackBerry hack was the most impressive of the wins in the contest. "What makes this so impressive? The fact that BlackBerry is an almost unknown system. The attackers had to rely on assumptions on Java Virtual Machine and browser functionality," Marcus blogged from CanSecWest today. "RIM is said to be planning to add ASLR and DEP in the future; however, because there are established evasions for these defenses, we shall see where this goes."

Meanwhile, Apple's iPhone was also taken down in the first day of the smartphone contest by researcher Charlie Miller, who logged his fourth consecutive win in the contest. Both the iPhone and BlackBerry attacks were over within seconds.

Will the BlackBerry hack open the floodgates to more research and attacks on the smartphone? Even though it's still considered mostly closed-source and there isn't much documentation on the inner workings of the operating system, Veracode's Shields says, it eventually will get reverse-engineered. "Assuming it doesn't decrease significantly in marketshare," Shields says, "it's just a matter of time before these tools are created."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.