Slashdot Mirror
Security Holes Found In RIM BlackBerry Service
An anonymous reader writes "Researchers have found several security holes in Blackberry handheld devices and the servers that power them, according to a story at Washingtonpost.com. The research points out serious flaws in the BlackBerry server, which could be exploited by convincing Blackberry handheld users to click on an image file attachment. From the article: 'Lindner's slides from his presentation -- which he agreed not to release until RIM has fully fixed this problem -- show that the Blackberry server which manages all of the encryption keys needed to unscramble e-mail traffic to and from all Blackberry devices registered on the network stores them on a Microsoft SQL database server in plain, unencrypted text. Lindner found that by convincing a Blackberry user to click on a special image attachment, that handheld device could be made to pass on malicious code to the Blackberry server, which could then be taken over and used to intercept e-mails or as a staging point for other attacks within the network.'"
It's a corrupt PNG (a common image file type), that may pass code to the server to be run there (as administrator), with complete access to the corporate network, including all the plain-text, non-passphrase-protected private keys of all blackberry users on the same corporate network.
If true, this is a gaping hole, and a very big deal.
What gets me is they're using a natoriously insecure OS, with clear text values in the database... Thats just asking for more trouble than you can get in.
I used to work at RIM, and if you honestly think that it is mostly staffed by 23 year olds, you are mistaken. The vast majority of folks at RIM are not fresh out of undergrad and the technical genius that does exist there is indeed very impressive (I worked on the business side, not the tech side.. and the tech guys really know what they're doing). And further, if you honestly think that Lazaridis and Balsillie run the type of place where major design decisions are made by junior people, I'm not surprised that you don't have the qualifications to get a job there.
The fact that they made a small design mistake isn't really that surprising. These things happen all the time. Their response is what's important going forward, and I (as a current BB user) have faith that they will quickly patch this up and move on.
They obviously don't know what they're doing if ANYONE using a BlackBerry can use an SQL Injection Attack on their own server. This is extremely easy to check for. Just like buffer overflow attacks. There is no reason why either should exist except for either laziness or pure stupidity.
They made two big mistakes with their design. This kind of thing should be surprising. If they're selling a product used in millions of businesses, it has to be secure. Storing important information in unencrypted text and not taking the time to add a few more lines of code to do some verification before submitting anything to the database is inexcusable.
I would like to try and convince most people with a Blackberry to see if they could use it as a suppository, but I digress...
From the Washington Post: RIM didn't mention anything about the flaw allowing attackers to download and execute programs on the targeted device, but I'm left wondering whether they escalated this because of just such a threat.
I really don't think RIM is going to shout this from the rooftops. If the exploit is as bad as is disclosed, there's some serious trouble brewing that makes the brouhaha with NTP look like a cakewalk.From the Washington Post: Lindner said he started looking into Blackberry's proprietary communications protocols because the Blackberry server requires an unusual level of access inside of a corporate network: the server must be run inside a company's network firewall and on a Windows machine that is granted full and direct administrative access to the customer's internal e-mail server.
And RIM thought this was a good idea because...? It's like building a 50-ft high wall around the castle, then creating a hole for an 8-lane superhighway to pass through. Imagine the enterprising and inventive hacker that can plant a zombie process on that machine. Talk about spam! Imagine if a Fortune 500 company starts getting nipped because their email servers are dumping spam on the unsuspecting public. Lawsuits for everyone!!
GetOuttaMySpace - The Anti-Social Network
With the scant details provided, it sounds almost like an SQL Injection vulnerability. It doesn't sound like a problem with SQL Server directly, or else it wouldn't be a RIM specific problem.
Anyway, can't administrators just filter all image attachments out through their AV or other software for the time being?