We told you earlier today about the Intrepidous Group, who gave a talk at the Infiltrate conference about “several high risk vulnerabilities with RIM’s Blackberry Playbook that allows malicious applications to access personal information, contacts, and emails from connected Blackberry phones.” We finally had a chance to chat with both of the principals at Intrepidous Group working on these vulnerabilities, Zach Lanier and Ben Nell. Both have a background in mobile penetration testing and security research and decided to step out of their usual iOS/Android box to test the PlayBook.
What they discovered are two flaws in RIM’s usually paranoid security armor that let them reach data they should not have access to. Both vulnerabilities boil down to a lack of proper permissions. The first relates to native applications on the BlackBerry PlayBook. The PlayBook runs on QNX, and QNX’s PPS (Persistent Publish/Subscribe) service exposes a special .all file in each PPS directory: reading it returns the contents of every object in that directory. Native developers can read this .all file as a way to get at shared data, and that is the information disclosure flaw: through .all a native application can read PPS objects in the same directory that it would not have permission to open individually.
This .all file allowed Zach and Ben to read a PlayBook owner’s bookmarks, Wi-Fi access points, BBM username and info, desktop manager token, and most importantly the BlackBerry Bridge token. This token is what the BlackBerry Bridge apps use to authenticate to the smartphone once the Bridge connection is established and unlocked. BlackBerry Bridge works as a sort of proxy server, which Zach and Ben say may be loosely based on a Squidlet proxy. The proxy runs on the PlayBook, terminates the encryption and provides a plain HTTP interface that RIM’s Bridge WebKit apps (email, calendar, BBM) use to fetch data. With the Bridge token in hand, Zach and Ben were able to query information from the connected, unlocked smartphone themselves. In short, the Bluetooth connection and the data at rest are secure, but a native application holding this Bridge token can query the proxy for data it should not be able to reach.
Zach and Ben have confirmed that this issue is fixed in the current PlayBook OS 2.0 beta, and RIM confirmed as much in its statement to us. Still, Zach and Ben speculate that RIM has simply moved the token to a different location or keeps it in memory, which means it could crop up again in combination with another permissions hole or a privilege escalation. They are starting their analysis of PlayBook OS 2.0 now and plan to research this further, including the entropy of the Bridge token and how it is structured.
During their research Zach and Ben also found a bug in App World that affects both smartphones and PlayBooks. As we have seen before, purchase and authorization are completely separate from the download. When you submit credentials and buy an app or game, RIM simply hands the App World client a public download link to the file, whether that is a .BAR (PlayBook) or .COD (smartphone) package. Those download links are sequential, so a script can walk through them and pull down every app and game in App World without going through a purchase. RIM told the researchers it was aware of this and responded with something along the lines of “The onus for licensing is up to the developers.” I am really hoping that changes, because as QNX and BlackBerry gain popularity developers are going to look for a standard for application licensing.
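Both the entropy question about the Bridge token and the sequential App World links come down to the same thing: is an identifier predictable? As an added example (not code from the original post, from Intrepidous Group or from RIM), here is a small Python screen that takes a sample of identifiers and reports whether they are sequential and how much entropy each character position carries. The download-link layout and the sample tokens are constructed for the example; the real App World URL format is not shown on this page.

```python
"""Predictability checks for opaque identifiers (added example).

Answers two questions about a sample of tokens or download links: are the
identifiers sequential, and how much entropy does each character position
actually carry? All sample data below is constructed; the URL layout is an
assumption, not App World's real format.
"""
import math
import random
import re
from collections import Counter

# Average per-character entropy below which a sample is flagged as low-entropy.
# 2.0 bits/char is an assumed, deliberately conservative threshold.
LOW_ENTROPY_BITS_PER_CHAR = 2.0

# Constructed sample inputs (not real App World links or real Bridge tokens).
SEQUENTIAL_LINKS = [
    f"https://downloads.example.invalid/apps/{n}.bar" for n in range(10240, 10250)
]
_rng = random.Random(2012)  # seeded so the example is reproducible offline
RANDOM_TOKENS = [
    "".join(_rng.choice("0123456789abcdef") for _ in range(16)) for _ in range(32)
]


def id_from_url(url):
    """Pull the trailing numeric id out of a download link.

    Assumed layout: '.../<id>.bar' or '.../<id>.cod'. Returns None otherwise.
    """
    m = re.search(r"/(\d+)\.(?:bar|cod)$", url)
    return m.group(1) if m else None


def shannon_entropy_bits(symbols):
    """Shannon entropy, in bits, of the empirical distribution of `symbols`."""
    counts = Counter(symbols)
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def per_position_entropy(tokens):
    """Entropy of each character position across the sample.

    Truncated to the shortest token. Positions near 0 bits are fixed: a
    constant prefix, a version field, or a counter that barely moves.
    """
    width = min(len(t) for t in tokens)
    return [shannon_entropy_bits([t[i] for t in tokens]) for i in range(width)]


def is_sequential(ids):
    """True if every id is an integer and the sorted ids step by a constant positive amount."""
    if len(ids) < 2 or not all(i.isdigit() for i in ids):
        return False
    nums = sorted(int(i) for i in ids)
    steps = {b - a for a, b in zip(nums, nums[1:])}
    return len(steps) == 1 and steps.pop() > 0


def classify(identifiers):
    """Return 'sequential', 'low-entropy' or 'opaque' for a sample of identifiers."""
    if is_sequential(identifiers):
        return "sequential"
    entropies = per_position_entropy(identifiers)
    avg = sum(entropies) / len(entropies)
    return "low-entropy" if avg < LOW_ENTROPY_BITS_PER_CHAR else "opaque"


if __name__ == "__main__":
    ids = [id_from_url(u) for u in SEQUENTIAL_LINKS]
    print("download ids:", classify(ids))
    print("random tokens:", classify(RANDOM_TOKENS))
    print("bits per position:", [round(b, 2) for b in per_position_entropy(RANDOM_TOKENS)])
```

A sample of n identifiers can show at most log2(n) bits per position, so this is a screen for obvious structure (counters, fixed prefixes), not a proof of randomness. What it does catch reliably is the App World case: ids that step by one, which means the whole download space can be enumerated from a single legitimately obtained link.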
The main thing to take away is that the Bridge token vulnerability and the .all information disclosure are no longer exploitable by native apps in OS 2.0. The .all PPS function still exists, but it no longer gives the same access to the Bridge token. Users still on OS 1.0, on the other hand, may want to keep a close eye on which native apps they install on the PlayBook. Zach and Ben told us they made RIM aware of the .all and App World issues back in October, and reported about a week ago that the .all information disclosure exposes the Bridge token.
According to Ben and Zach, RIM does not plan to put out a security advisory for this, and as you can see from its statement, RIM believes the issue has “been resolved with BlackBerry PlayBook OS 2.0.” RIM also confirms what we learned: there are “no known exploits and risk is mitigated by the fact that a user would need to install and run a malicious application after initiating a BlackBerry Bridge connection with their BlackBerry smartphone.”
Thanks to Zach Lanier & Ben Nell for sharing their side of the story. At the end of the day I believe this will all help RIM continue to improve the security on the BlackBerry PlayBook.