Each year the Pwn2Own event gets under way for teams to try and find exploits in various company’s products. This year Vincenzo Iozzo, Willem Pinckaers and Ralf Philipp Weinmann, the same trio to hack the iPhone, took a BlackBerry Torch 9800 and successfully hacked the WebKit. BlackBerrys have been known to be hacker safe, especially since there is no public documentation on the BlackBerry system.
The team set up a specially rigged web page that fired the exploit at the BlackBerry browser. They were able to successfully pull the contacts and images database from the Torch and even write a file to it for demonstrating full code execution. The team described that the process to exploit the BlackBerry browser was by trial and error and that it was bit easier since the new WebKit is based off Apple’s open source browser. Although, current BlackBerrys lack ASLR or DEP security features that have been implemented into the iPhone.
RIM had their security response team on hand to witness the exploit. Adrian Stone, the director of security response team responded to the exploit by saying “It happens. It’s not what you want but there’s no such thing as zero code defects,” The trio acknowledged that the BlackBerry benefits from no one really knowing whats inside, Iozzo said the absence of ASLR, DEP and code signing has put the device “way behind the iPhone” from a security point of view.
If some of the newer builds for OS 6 with the WebKit suffer from this same exploit, it means RIM will have to issue updates. However, this may take awhile for it to reach you as carriers will likely have to review it first. Does this make you feel any less prideful for having one of the most secure mobile devices? Do you think we’ll see a rise in security breach attempts in the road ahead? There is already the ZeuS Trojan we touched on the other day. Hopefully, this won’t snowball and we begin to see more and more exploits for the BlackBerry platform.