Its unusual to find a vulnerability that is this cross platform on mobile devices. The latest attack vector was identified by CrowdStrike’s George Kurtz and Dmitri Alperovitch and demoed on an Android (OS 2.2) phone at the RSA security conference earlier this month. This drive by download takes advantage of users who click on a malicious link and using a vulnerability in the WebKit browsing engine they exploit the phone. According to Dmitri they are reforming the attack to work on Android 2.3 phones and the same attack vector would also work on iOS. They used the attack to install a RAT (Remote Access Tool) to eavesdrop on conversations and monitor the users location.
RIM has confirmed on their website that the exploit does effect all BlackBerry smartphones that use WebKit (OS 6, 7, & 7.1) along with all the versions of the PlayBook OS. The difference is that RIM clarifies that the RCE (Remote Code Execution) on both smartphones and the PlayBook is limited to the access of the browser which is only user level access. That means that attackers with this vulnerability alone cannot access user data beyond what the browser can access which is mostly the media card and not emails or phone calls like iOS and Android. On the PlayBook this is a little bit different if the code is in the messages app where it can then run with the access of the messages app but once again is sandboxed there.
Right now there is not much to worry about with this vulnerability since there are no known exploits in the wild beyond this proof of concept for Android v2.2 only. My guess is we will be seeing a fix from WebKit and then RIM shortly especially for the PlayBook.
What I found most interesting about this hack is that according to the NorthwestStar, CrowdStrike purchased the 20+ WebKit vulnerabilities (aka Bugs) that led to this exploit for $1,400. They then spent approximately $14,000 weaponizing it into an actual exploit and working on getting root access from it and then setting up their own command and control for the RAT tool. Just think of that as one malicious link, $15,000, and some know how being all it takes to break into a any of the most popular smartphones.
Check out the full details that RIM has released about the exploit here. I copied the most common questions below:
BlackBerry smartphones only
Can an attacker exploit these vulnerabilities when I am using email on my BlackBerry smartphone?
No. The act of sending, receiving, or reading email does not allow an attacker to exploit these vulnerabilities on your BlackBerry smartphone.
What is a user mode process and how does it relate to WebKit?
WebKit does not run in the context of the BlackBerry® Java® Virtual Machine (JVM). WebKit runs only in a user mode process, meaning that it has limited access to data stores on the smartphone. A user mode process can access any data in built-in media storage. Code running in the context of a user mode process has much less control of the device than code running within the operating system kernel.
How does the BlackBerry smartphone use its separate file systems?
The BlackBerry smartphone storage space consists of various sections that store BlackBerry device user data and sensitive information: application storage, built-in media storage, NV (non-volatile) store, and media card. Note that your BlackBerry smartphone may not have a media card inserted.
Separate processes have specific levels of access to the sections of BlackBerry smartphone storage space. For example, only the operating system can access the NV store. Email and phone functionality is provided by Java applications running on the device, so data such as contacts and email are in the application storage, not built-in media storage.
For more information about the separate file systems, see ”Device storage space” in the Deleting Data From Devices Security Note for BlackBerry Device Software.
Is turning on content protection an effective mitigation for these vulnerabilities?
While enabling content protection is a recommended best practice for BlackBerry smartphone security and does provide some level of data protection, RIM advises that it is not a comprehensive mitigation for these vulnerabilities.
BlackBerry smartphones and BlackBerry PlayBook tablet
How could an attacker use a message to a user to launch an attack that exploits this issue?
The most common scenario on a BlackBerry smartphone involves the user receiving a hyperlink to a malicious website either through SMS, email, or BBM. Clicking the link and visiting the malicious site allows exploitation of the WebKit issue. It is also possible for the vulnerability to be triggered when viewing a maliciously crafted email in the preview pane of the Messaging app on the BlackBerry PlayBook 2.0.
What can the attacker gain access to if a user clicks the malicious link?
The attacker would have the same permissions as the application used to browse the website. Applications, as well as the native WebKit based web browsers on BlackBerry devices, run in a sandbox with reduced permissions. Using this vulnerability by itself will not gain the attacker root level permissions on the device.