This document summarizes security issues and vulnerabilities in BlackBerry mobile operating systems. It discusses how earlier BlackBerry devices had more native security solutions compared to the PlayBook tablet, which had a simplified security model. The document outlines several types of malware that could affect BlackBerry devices, including user-mode rootkits and spyware. It also describes potential issues like unauthorized access to files, clipboard data, messages, and device passwords. The conclusion is that BlackBerry's security vision does not match reality and has been aggravated by oversimplification of permissions and controls.
1. VULNERABILITY ELIMINATION BY FORCE OF NEW MOBILE OS
Yury Chemerkin
The 7th International Conference for Internet Technology and Secured Transactions 2012
2. BLACKBERRY SECURITY ENVIRONMENT
BlackBerry smartphone: the security is the cornerstone
- A powerful high-level integration: IMs, social networks, financial data, etc.
- The BlackBerry was built free of malware and harmful actions, with native security solutions
- Mainly focused on enterprise: a wide-range IT policy set, up to 500 units
- A few third-party security solutions
BlackBerry PlayBook: a simplification of the security vision
- Poor integration (only BlackBerry Bridge)
- No built-in IMs, HTML5 or web launcher
- No wallets or other built-in applications
- The PlayBook might produce few valuable data due to its APIs: not more than a large phone's screen
- Totally focused on enterprise: the IT policy set reduced further, up to 10 units
- Entertainment applications only
BlackBerry smartphone was secure… PlayBook has come with a poor environment
3. USER MODE ROOTKIT AND SPYWARE
A lot of types:
- Bootkits
- Firmware
- User-mode
- Kernel
- Hypervisor
Similar to spyware:
- Bundling with desirable software
- Widespread, easy distribution and quite relevant for hackers
Based on:
- Vendor-supplied extensions
- Third-party plugins
- Public interfaces
Methods:
- Interception of system messages
- Exploitation of security vulnerabilities
- Hooking and patching of APIs
Malware bounds become unclear… hackers are interested in cheaper costing
4. THE FILE SYSTEM ISSUES
BBOS v4–5 was accessible:
- Via the built-in (internal) explorer
- After entering the password, but still through the internal explorer
- For executing malware from the device by clicking a file (.jar/.jad + .cod)
- To allow copying the malware to the device as an external drive (like a worm)
BBOS v6–7 plus PlayBook are accessible:
- After mounting as an external drive(-s)
- After entering the password, but it is not necessary to use the internal explorer
- To prevent executing anything outside AppWorld (.bar)
- Malware is a personal-application subtype in terms of RIM's security
7. THE APPLICATION MANAGEMENT ISSUES
BlackBerry smartphone (less than BB10):
- The "upgrade" feature means the install and remove actions at least
- An application ID requirement
- An accessible running-application list
- Handling other apps silently via API
- Handling another application silently via PC tools: may need a password
- Debug mode is for tracing and debugging only
- Easy tracking of the newcoming .cod modules for the malware payload
BlackBerry PlayBook (probably BlackBerry 10):
- The "upgrade" means a user interaction: with AppWorld, with the home screen
- There are some APIs, but disabled
- There is no API for such actions yet
- Handling another application silently via PC tools: may need a password; strongly needs an activated debug mode
- Looks more secure than BlackBerry, but difficult to remove distributed malware
9. THE CLIPBOARD ISSUES
BlackBerry smartphone:
- How to reveal the data in real time: getClipboard()
- Any protection? Native wallets restrict the clipboard access by returning "null" while the application is active (on top of the screen stack) only
- Does not work in the minimized state
BlackBerry PlayBook:
- How to reveal the data in real time: getData()
- Any protection? No native wallet application
- Managing the last clipboard data via the shared folder: plain text, HTML, etc.
13. THE PHOTOSCREEN ISSUES
Screen protection via switching:
- Permit
- Restrict
- Additionally per application…
- But does not handle windows
Handling the key preview due to the virtual keyboard:
- May be improved by XOR'ing two photoscreens to get the difference
- Masking the asterisks takes a delay long enough to steal the text
May be part of OCR engines (online or desktop):
- Recognize typed data very quickly
- Was tested on ABBYY online OCR
Substitute for a hardware keylogger:
- Runs down the battery more slowly than the photo/video camera
Easy access to any application… even the wallet:
- No restriction like the clipboard "null"
- Screenshots are often stored in the camera folder: the same as file access
Available for all BlackBerry devices but disabled for PlayBook and BlackBerry 10 yet
15. THE MESSAGES ISSUES
Using the authorized API to intercept messages (BBM, email, PIN-to-PIN):
- Create the message
- Read the message
- Delete the message
- Set the message status (unread, sent, any error state, etc.)
- The button events (the same types): opening, forwarding, sending the message
Intercepting the SMS (basically):
- Receiving and sending events
- Deleting the sent and received SMS
- Enough to handle social C&C SMS
Outgoing SMS (advanced):
- Blocking (dropping) the SMS
- A notification in the message thread
- Spoofing the recipient and the body
- "Transmission refused by …" if such a message was not removed
Available on the BB devices; probably on the BlackBerry 10; no 3G, no API for the PlayBook
17. THE DEVICE PASSWORD ISSUES
The password protection covers:
- Device locking and the encryption feature
- AppWorld requests
- Limited to 5/10 attempts, then wipe
- Wiping the internal storage only
- Extracting the password through an Elcomsoft product (custom case)
GUI vulnerability:
- Creating the fake window on desktop synchronization
- Breaking into BB Desktop Software
- Handling the MS Windows vulnerability: unmasking the field, grabbing the password, masking the field; this delay takes 10-20 msec
Affected password types:
- The device password
- The backup password
Affected devices:
- BlackBerry 4-7 (BB 10 highly probably)
- BlackBerry PlayBook
For the BlackBerry 4–7 due to the internal case; for all devices due to the desktop access case
20. THE GUI EXPLOITATION
Initially based on the authorized API, covering:
- All physical and navigation buttons
- Typing the textual data
- Affects all native and third-party apps
Secondarily based on adding menu items:
- Into the global menu
- Into the "Send via" menu
- Affects all native applications
Native applications are developed by RIM:
- BlackBerry wallets, messages, settings, Facebook, Twitter, …
- BBM/GTalk/Yahoo/Windows IMs, …
GUI exploitation handles:
- Redrawing the screens
- Adding new GUI objects
- Changing their properties
- Grabbing the text from any fields (incl. the password field): the device unlock field, the password setup field
- Adding, removing the field data: the original data is inaccessible but not affected
- GUI objects shuffling is not possible
Consequence of the wide integration features offered for developers (BlackBerry 4–7 only)
25. THE THIRD PARTY EXPLOITATION
Kaspersky Mobile Security:
- Provides firewall, wipe, block, info features
- No protection from removing .CODs
- No protection under the simulator (examining the traffic, behaviour); should check the "is simulator" API
- SMS management ("quite" secret SMS): the password is a four- to sixteen-digit set… and can be modified in real time
- The SMS is half a hash value of GOST R 34.11-94
- The implementation uses test crypto values and no salt
- Tables (value→hash) are easily built
- Outgoing SMS can be spoofed without any notification
- Outgoing SMS can block or wipe the same device or another device
McAfee Mobile Security:
- Provides firewall, wipe, block, info features
- No protection from removing .CODs
- No protection under the simulator (examining the traffic, behaviour); should check the "is simulator" API
- Web management console
- Difficult to break the SMS C&C
There are a few of them; they might have an exploit but ruin native security
26. THE PERMISSIONS
Denial of service:
- Replacing/removing exec files
- DoS'ing events, noising fields
- GUI intercept
Information disclosure:
- Clipboard, screen capture
- GUI intercept
- Dumping .cod files, shared files
MITM (interception / spoofing):
- Messages
- GUI intercept, third-party apps
- Fake window/clickjacking
Privileged general permissions:
- General permissions instead of specific sub-permissions
- A few notification/event logs for the user
- Built per application instead of per app screen
- Concrete permissions, but combined into a general permission
- A screenshot permission is part of the camera permission
Own apps, native and 3rd-party apps features:
- General permissions instead of specific sub-permissions
- A few notification/event logs for the user
- Built per application instead of per app screen
27. CONCLUSION
Simplification and reduction of security controls:
- Many general permissions, combined into each other
- No activity logs for sub-permissions to prove transparency
- Any security vulnerability is only fixed by an entirely new and different OS / kernel
- A few permissions are closed to user actions
- The sandbox protects only application data
- Users have to store their data in shared folders or external storage
- Applications continue storing data in public folders because this is governed by the chance of availability
- MITM / interception actions are often silent
- The native spoofing and interception features
- BlackBerry Enterprise Solution / BlackBerry Mobile Fusion is not very effective
- The best security (permissions) is ruled by Amazon Web Services
- Permissions should rely on a set of different useful cases instead of a specific permission list
The vendor security vision has nothing to do with reality, aggravated by simplicity