http://blogs.washingtonpost.com/securityfix/2006/01/security_hole_e.html

By Brian Krebs, January 3, 2006

Security Hole Claimed for BlackBerrys

New research released over the weekend indicated that BlackBerrys -- the ubiquitous handheld devices favored by on-the-go types -- are vulnerable to a security hole that could let attackers break into the gadgets by convincing users to open a specially crafted image file attached to an e-mail.

The information was released at the 22nd Chaos Communication Congress hacker convention in Berlin by this guy -- "FX" of the security research group Phenoelit.

Research in Motion Ltd., the Canadian company that makes the devices, said it is a previously reported issue "that has been escalated internally to our development team. No resolution time frame is currently available."

RIM's advisory downplays the threat, saying that "a corrupt Tagged Image File Format (TIFF) file sent to a user may stop a user's ability to view attachments. There is no impact on any other services (for example, sending and receiving messages, making phone calls, browsing the Internet, and running handheld applications to access a corporate network)."

RIM didn't mention anything about the flaw allowing attackers to download and execute programs on the targeted device, but I'm left wondering whether they escalated this because of just such a threat. I obviously didn't hear FX's talk, but an alert released over the weekend by US-CERT says remote code execution is possible.

RIM doesn't say when it plans to have a fix available, but for now it is urging companies who use the service to reconfigure any machine serving as an internal BlackBerry Internet Server to filter TIFF images or disable the file-attachment capability altogether.

Update, 10:27 a.m. ET: Having just spoken with FX (a.k.a. Felix Lindner), I definitely feel like I understand the threat here a bit better, and it is a little more serious than I first thought.
Lindner said the real problem -- a vulnerability in the way BlackBerry servers handle portable network graphics (PNG) images -- was not disclosed by either RIM or the US-CERT advisory. Lindner said he suspects that's because this PNG flaw is present not in the newest version of BlackBerry server but in all versions from 4.0 to 4.0.1.9 (the latter was released roughly a month ago, and no doubt many companies still run that version).

Lindner said he started looking into BlackBerry's proprietary communications protocols because the BlackBerry server requires an unusual level of access inside of a corporate network: the server must be run inside a company's network firewall and on a Windows machine that is granted full and direct administrative access to the customer's internal e-mail server.

"We started looking at all of the privileges this server needs while sitting right in the middle of the network and realized we didn't know anything about it," Lindner said. "In a lot of companies, corporate managers want to install it because they want their BlackBerrys, but we wanted to find out what risks are there connected to running this thing."

Lindner's slides from his presentation -- which he agreed not to release until RIM has fully fixed this problem -- show that the BlackBerry server, which manages all of the encryption keys needed to unscramble e-mail traffic to and from all BlackBerry devices registered on the network, stores them on a Microsoft SQL database server in plain, unencrypted text.

Lindner found that by convincing a BlackBerry user to click on a special image attachment, that handheld device could be made to pass on malicious code to the BlackBerry server, which could then be taken over and used to intercept e-mails or as a staging point for other attacks within the network.

I put in a call to the RIM folks: Will update the post if I get a response from them directly.
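The mitigation RIM describes above is to filter TIFF attachments at the server. A practitioner's caveat is that a filter keyed on the filename extension or the declared Content-Type can be bypassed by a mislabelled file, so the decision should rest on the attachment's actual leading bytes. The following Python is an added example, not code from the post, from RIM, or from Phenoelit; it assumes a generic mail-gateway hook that sees the raw MIME message (not any BlackBerry server API), uses the standard TIFF and PNG file signatures, and builds its sample message inline.

```python
# Added example: content-based attachment filter for a mail gateway.
# Hypothetical code, not RIM's or BlackBerry Enterprise Server logic. It
# identifies image attachments by their leading bytes (file "magic") rather
# than by filename or declared MIME type, so a TIFF renamed to .txt cannot
# slip past a policy that blocks TIFF images.
from typing import Optional
from email import message_from_bytes
from email.message import EmailMessage, Message

# Standard file signatures for the two formats named in the article.
SIGNATURES = {
    b"\x49\x49\x2a\x00": "tiff",   # TIFF, little-endian ("II*\0")
    b"\x4d\x4d\x00\x2a": "tiff",   # TIFF, big-endian ("MM\0*")
    b"\x89PNG\r\n\x1a\n": "png",   # PNG, 8-byte signature
}


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return 'tiff', 'png', or None based solely on the first bytes."""
    for magic, kind in SIGNATURES.items():
        if data[: len(magic)] == magic:
            return kind
    return None


def classify_attachments(raw_message: bytes, blocked=("tiff",)):
    """Walk a MIME message and report every attachment with its sniffed type
    and whether the policy blocks it. Filename and declared Content-Type are
    recorded only for comparison; the decision uses the sniffed content."""
    msg: Message = message_from_bytes(raw_message)
    report = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_content_disposition() not in ("attachment", "inline"):
            continue  # message body, not an attachment
        payload = part.get_payload(decode=True) or b""
        sniffed = sniff_image_type(payload)
        report.append({
            "filename": part.get_filename(),
            "declared": part.get_content_type(),
            "sniffed": sniffed,
            "blocked": sniffed in blocked,
        })
    return report


def build_sample_message() -> bytes:
    """Constructed test input: a TIFF header mislabelled as text/plain with
    a .txt name, plus an honestly labelled PNG header. Neither is a real
    image; only the signature bytes matter for this check."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment(b"\x49\x49\x2a\x00" + b"\x00" * 12,
                       maintype="text", subtype="plain", filename="notes.txt")
    msg.add_attachment(b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
                       maintype="image", subtype="png", filename="logo.png")
    return msg.as_bytes()


if __name__ == "__main__":
    for entry in classify_attachments(build_sample_message()):
        print(entry)
```

Extension-based filtering would have passed `notes.txt`; the sniffed type flags it as TIFF and blocks it, while the PNG is reported but allowed under the default policy. Adding `"png"` to `blocked` extends the same check to the PNG handling issue Lindner describes.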
This archive was generated by hypermail 2.1.3 : Wed Jan 04 2006 - 03:37:02 PST