
Security Testers Give the BlackBerry PlayBook a Thumbs Up

Attack area

Way back in April we pointed out some of the documentation RIM provided on the security features of the BlackBerry PlayBook. Those security features were put to the test by penetration testers working for NGS Secure, who poked and prodded both actual PlayBook devices and the simulators and confirmed the device’s security.

I did love some of the lines from the first part of the report, which was just released, like:

Although Neutrino is similar in many ways to a traditional UNIX environment, the QNX microkernel is substantially different from the monolithic Linux kernel.

Other stuff I found more interesting, like the fact that early versions of the PlayBook simulator ran every application as root; that has changed, and now each app is assigned its own user and group for sandboxing. Also worth noting is the fact that the upd account is right behind root in terms of access to the system. On the other hand, most people, like developers, will be relegated to the devuser, which has very few privileges. NGS also tried mounting the file system and didn’t have much luck. On the other hand, they found that the PlayBook runs NetBSD’s Bozotic HTTP server as root, which is odd… They found some interesting files through this web server but only managed to get them to crash the device. They also managed to make the device stop responding with a specially crafted HDMI fuzzer, but once again nothing useful was gained from that. NGS also harped on the PlayBook allowing unsigned code in development mode, but nothing much came of it.
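With one user and group per app, what an app can write to comes down to the POSIX permission bits its uid is granted. The sketch below is an added example, not code from the NGS report or from RIM: it computes that write surface over a constructed directory tree. The directory names and the uid/gid offsets are assumptions, and ACLs, ancestor-directory search permission and QNX-specific controls are ignored.

```python
import os
import stat
import tempfile

def can_write_dir(st, uid, gids):
    """POSIX class selection: owner bits if uid matches, else group, else other."""
    if uid == 0:
        return True  # root bypasses permission bits
    if st.st_uid == uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif st.st_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return st.st_mode & need == need  # creating a file needs both w and x

def write_surface(root, uid, gids):
    """Map each directory under root that uid can create files in to a sticky-bit note."""
    found = {}
    for dirpath, _dirnames, _files in os.walk(root):
        st = os.stat(dirpath)
        if can_write_dir(st, uid, gids):
            rel = os.path.relpath(dirpath, root)
            found[rel] = "sticky" if st.st_mode & stat.S_ISVTX else "no sticky bit"
    return found

def build_sample_tree():
    """Constructed layout: a shared temp dir, two private app dirs, one loose dir."""
    root = tempfile.mkdtemp()
    layout = (("var_tmp", 0o1777), ("app_a", 0o700),
              ("app_b", 0o700), ("shared_nosticky", 0o777))
    for name, mode in layout:
        path = os.path.join(root, name)
        os.mkdir(path)
        os.chmod(path, mode)  # chmod is not affected by the umask
    os.chmod(root, 0o755)
    return root

def demo():
    root = build_sample_tree()
    st = os.stat(root)
    app_uid = st.st_uid + 10001    # hypothetical sandbox uid that owns nothing here
    app_gids = {st.st_gid + 10001}  # hypothetical sandbox gid
    return write_surface(root, app_uid, app_gids), write_surface(root, st.st_uid, set())

if __name__ == "__main__":
    print(demo())
```

A world-writable directory without the sticky bit is the case to look at first, since any app uid can rename or delete another app's files there.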

The report is quite interesting if you want to learn about the attack surface of the PlayBook or simply what you can try to use to compile your own code or learn more about the OS. Check out the full PDF report on this page or directly at this link.

Thanks to everyone who sent this in!

23 total comments on this post
  1. While it is great to hear how secure the PlayBook is, it almost seems like consumers don’t care. What’s more astounding is that even the corporate world doesn’t. Otherwise they would all abandon their iPhones, iPads, and Android devices in favor of Blackberry phones and PlayBooks. I keep waiting for some company to suffer a major data breach due to an iPad or iPhone. Maybe then they will start to realize the value of a secure product.

    • Just like you don’t hear about bank accounts being emptied by thieves, you probably won’t hear of sensitive company data being leaked unless there is a whistle-blower.
      And you’re right about consumers not caring, that’s the reason RIM didn’t even bother to secure personal data on the PlayBook. It’s worse than on Android tablets and probably iPads.

      • What personal data isn’t secure on the PlayBook? There are passwords protecting the WiFi network share, and basic login.

        • The only encrypted data on the PlayBook is the ‘work’ data coming from a BlackBerry which means that the rest could possibly fall in the wrong hands.
          I don’t understand why they couldn’t use the same model they’ve been using for years on the smartphones unless the PlayBook is really slow at encryption.

          • Ah, the lack of encryption, yes. I was a bit surprised too, but am assuming for no particular reason it will become available in future, now that the FIPS 140-2 certification came out. (Yes, I know that’s technically irrelevant to the issue… as I said “for no particular reason”.)

      • As a matter of fact, how is that different from the iPad or any Android tablet? Neither encrypts onboard data, so how is one better than the PlayBook? FYI, BlackBerry is the only platform which does onboard data encryption; the PlayBook is yet to come with the option.

  2. Given what the HTTP server actually does in the system, it’s perhaps unsurprising it runs as root. That’s ultimately the means by which developers install apps, list and kill running tasks, and similar things. It’s probably not a big concern either way, however, since it is not running when the device is not in development mode. I think they failed to note that wee point.

    Also, I think it’s important to note that while the simulator allows unsigned code to be tested, the tablet itself requires either signed apps, or the use of a “debug token” which provides some of the same protection that full signing gives.

  3. YAWN... wake me up when the device has a native email client and fails the test…

  4. Hmmm…just read the pdf… I wouldn’t call it a thumb up. Quite a few flaws were discovered and reported to RIM while a few others are still being researched.
    Just like the PlayBook itself, I would call its security promising 😉

    • The flaws they found would more or less be considered fluff in most pen test reports. Usually pen tests only report results if there is an actual exploitable vulnerability. None of those were found as far as I read. Just possibilities for vulnerabilities. They were really reaching with the hdmi fuzzer and claiming a local denial of service possible vulnerability is more or less a joke and even they admit it already has controls in place for it.

      • I would take the reading/writing from/to the file system from the browser as something pretty serious. Since it would let an attacker gather information and plant scripts wherever he wants.
        A nice way to steal API keys from apps or to send something to a rogue app, etc. if the other security measures in place don’t prevent it. A lot of attacks on iOS and Android come from the browser.

        It’s unclear whether the security ‘oversight’ where you can bypass login.cgi to have access to wipe.cgi is exploitable or if it’s just a simulator issue, but they didn’t insist on that, so I’m guessing it’s OK :).

        • @ofutur, there was *no* writing to the file system available from the browser, and the only reading was reading that *any* app can do, or any developer using the SSH access provided for the purpose. The browser is sandboxed, like any other app, so it has no greater permissions to read those files, and certainly cannot write to any but its own.

          • You seem to have skipped a few pages of the PDF. They clearly said they could write anywhere (apart from the folders owned by root I suspect) from the browser.

            • @ofutur, okay, I forgot about the silly “save anywhere” claim. It’s false. The browser, as I said, is sandboxed just like any app, and can write only to the places any app can write. Notice that their example is /var/tmp? That’s safe, and any app can write there. The browser cannot write to an “arbitrary” folder, as they claim, but only to one or two places outside its own sandbox, just as any app can do.

              • Well, it’s your word against theirs ;). They claim they have bypassed the sandbox, even though their example suggests they’re simply writing to publicly accessible folders. Their report suggests RIM has taken their comment on board and will fix the hole, so it could be that this company is trying to make a name for itself or maybe they have found some real problems.

                • Yeah, I mentioned the “vulnerability” to RIM’s browser team right when the PlayBook came out and they confirmed it was by design, which is why they didn’t change it. They just limited the permissions to secure it.

      • A joke indeed. Hey, my playbook isn’t responding! Hmmm, what’s this thing stuck in my hdmi port? YANK! Hey my playbook works again! I wonder how much I can get for this dongley thing on ebay?
        :-)

    • Actually, ofutur, there were very few flaws discovered, and none of them identified as being exploitable for anything. At least one was well-known and it and some others are considered security flaws at all by others. Here’s one way to look at it: if you were trying to hack the PlayBook, what the report contains provides almost no value whatsoever in assisting you to do so. But yes, the PlayBook’s security is, so far, very promising.

  5. Yes there should realize the opportunity to RSS commentary, quite simply, CMS is another on the blog.


BlackBerry© is a registered Trademark of BlackBerry Limited. BerryReview is in no way affiliated with BlackBerry Limited though sometimes their lawyers send us love letters...

Copyright © 2007-2016 BerryReview LLC