I have to say I am highly surprised that BlackHat offered Ralf-Philipp Weinmann of the University of Luxembourg a chance to speak on BlackBerry 10 security during the conference. This is the same conference where researchers showed how to compromise the latest Apple iOS devices (even the iOS 7 beta) through a malicious USB cable and plant trojans or other spy tools. Weinmann, on the other hand, had very little of interest to share during his presentation. He proceeded to state the obvious by saying that the BlackBerry 10 security model “fundamentally hinges on privilege-escalation exploits not to be available.” The irony of that statement is that most secure devices hinge on that exact same model.
Weinmann promised to analyze the “attack surface of BBOS 10” and consider ways to escalate privileges locally, as well as routes for remote entry and persistence on the device. He did a great job of highlighting theoretical issues should the devices ever be exploited, but other than that he came up short. His biggest “discovery” was that BlackBerry offers an optional diagnostics application in BlackBerry OS 10, QUIP, that users have to manually enable under Settings->Privacy & Security. That tool has the ability to collect data like screen captures, raw memory dumps, audio, and video and forward it to BlackBerry if an issue arises. He claims he “was not amused” by this, though it is clearly disabled by default on ALL BlackBerry 10 devices.
BlackBerry’s Adrian Stone replied (via threatpost) that:
“All of it is clearly enumerated to the user. QUIP is off by default,” said Adrian Stone, head of security response at BlackBerry. “It’s a diagnostic tool. Users can turn it on if they want to. I wouldn’t expect that to be a large number. For us it was a clear choice. We wanted to have that diagnostic capability but we also wanted to respect users’ privacy.”
Weinmann really had a pretty lame duck presentation to offer at BlackHat. On the other hand, he did confirm that ASLR, DEP, and stack cookies are baked into BlackBerry 10. The other main issue he raises with BlackBerry 10 is that any user can “copy binaries to the device and execute them.” In other words, apps can be sideloaded…
I was expecting more from a BlackHat session… Just compare this session to the one covering how a majority of Android devices in the world are vulnerable to applications that can be modified with malicious code yet still pass as the genuine thing with legitimate signatures.
Kudos to Threatpost for the details