[ISN] Security Hole Claimed for BlackBerrys
isn at c4i.org
Wed Jan 4 06:07:23 EST 2006
By Brian Krebs
January 3, 2006
Security Hole Claimed for BlackBerrys
New research released over the weekend indicated that BlackBerrys --
the ubiquitous handheld devices favored by on-the-go types -- are
vulnerable to a security hole that could let attackers break into the
gadgets by convincing users to open a specially crafted image file
attached to an e-mail.
The information was released at the 22nd Chaos Communication Congress
hacker convention in Berlin by this guy -- "FX" of the security
research group Phenoelit.
Research in Motion Ltd., the Canadian company that makes the devices,
said it is a previously reported issue "that has been escalated
internally to our development team. No resolution time frame is
currently available." RIM's advisory downplays the threat, saying that
"a corrupt Tagged Image File Format (TIFF) file sent to a user may
stop a user's ability to view attachments. There is no impact on any
other services (for example, sending and receiving messages, making
phone calls, browsing the Internet, and running handheld applications
to access a corporate network)."
RIM didn't mention anything about the flaw allowing attackers to
download and execute programs on the targeted device, but I'm left
wondering whether they escalated this because of just such a threat. I
obviously didn't hear FX's talk, but an alert released over the
weekend by US-CERT says remote code execution is possible.
RIM doesn't say when it plans to have a fix available, but for now it
is urging companies who use the service to reconfigure any machine
serving as an internal BlackBerry Internet Server to filter TIFF
images or disable the file-attachment capability altogether.
Update, 10:27 a.m. ET: Having just spoken with FX (a.k.a. Felix
Lindner), I definitely feel like I understand the threat here a bit
better, and it is a little more serious than I first thought. Lindner
said the real problem -- a vulnerability in the way Blackberry servers
handle portable network graphics (PNG) images -- was not disclosed by
either RIM or the US-CERT advisory. Lindner said he suspects that's
because this PNG flaw is present not in the newest version of
Blackberry server but in all versions from 4.0 to 126.96.36.199 (the latter
was released roughly a month ago, and no doubt many companies still
run that version).
Lindner said he started looking into Blackberry's proprietary
communications protocols because the Blackberry server requires an
unusual level of access inside of a corporate network: the server must
be run inside a company's network firewall and on a Windows machine
that is granted full and direct administrative access to the
customer's internal e-mail server.
"We started looking at all of the privileges this server needs while
sitting right in the middle of the network and realized we didn't know
anything about it," Lindner said. "In a lot of companies, corporate
managers want to install it because they want their Blackberrys, but
we wanted to find out what risks are there connected to running this

Lindner's slides from his presentation -- which he agreed not to
release until RIM has fully fixed this problem -- show that the
Blackberry server which manages all of the encryption keys needed to
unscramble e-mail traffic to and from all Blackberry devices
registered on the network stores them on a Microsoft SQL database
server in plain, unencrypted text.
Lindner found that by convincing a Blackberry user to click on a
special image attachment, that handheld device could be made to pass
on malicious code to the Blackberry server, which could then be taken
over and used to intercept e-mails or as a staging point for other
attacks within the network.
I put in a call to the RIM folks: Will update the post if I get a
response from them directly.