Critical security warning for Blackberry z10

A vulnerability in the BlackBerry Protect software built into Z10 smart phones could allow hackers to gain access to the passwords of some devices, according to a security advisory issued by BlackBerry (TSE: BB).

By taking advantage of “weak permissions,” malicious applications will be able to:

  • Gain the device password if a remote password reset command had been issued through the BlackBerry Web site
  • Intercept and prevent the phone from acting on BlackBerry Protect commands, such as remote wipe
BlackBerry said the issue is with the BlackBerry Protect software and not the Z10’s operating system.

RELATED CONTENT

Ottawa aware of BlackBerry security flaw since 2011
In-depth review of BlackBerry Z10

“The most severe potential impact of this vulnerability requires a BlackBerry Z10 smart phone user to install a specially crafted malicious app, enable BlackBerry Protect and reset the device password through BlackBerry Protect,” the advisory said.

With the device password and physical access to the phone, an attacker can:

• Access the functionality of the smartphone (including the BlackBerry Hub, apps, data, and the phone) by unlocking the smartphone.
• Unlock the work perimeter on a BlackBerry Z10 smartphone that has BlackBerry Balance technology enabled if the work perimeter password is the same as the device password.
• Access the smartphone over a USB tether with either BlackBerry Link or the computer’s file viewer, allowing access to the smartphone’s personal files, contacts, PIM data, and so on. The attacker could also access work perimeter content on BlackBerry Balance smartphones if the work perimeter is unlocked and access over a USB tether is allowed by a policy that the IT administrator sets.
• Enable development mode after accessing the smartphone over a USB tether, allowing remote access as a low privilege development user.
• Change the current device password, allowing the attacker to deny access to the legitimate user of the smartphone.
• Access any other local and enterprise services for which the legitimate user has used the same password as the smartphone’s password.

An attacker can also gain Wi-Fi access to the phone if the owner enables Wi-Fi storage access on the Z10 and sets a storage access password that is the same as the device password.

Wi-Fi is disabled by default on BlackBerry Z10.

BlackBerry recommends that all users apply the available BlackBerry 10 OS version 10.0.10.648 software update to fully protect their BlackBerry Z10 smartphone.
The attacker cannot exploit this vulnerability without user interaction. To prevent exploitation of the vulnerability, do the following:
• The user must have downloaded and installed a malicious app that specifically targets this vulnerability. A BlackBerry smartphone prompts a user for permission to install any third-party software or to grant certain permissions to a third-party application.
• The user must enable BlackBerry Protect, which is not enabled by default.
• The user must have issued a password reset command through BlackBerry Protect website.

For more risk mitigation advice, click here

 



Related Download
A Guide to Print Security for Canadian Organizations Sponsor: HP
A Guide to Print Security for Canadian Organizations
IT security vulnerabilities are a growing cause for concern for organizations trying to protect their data from printer breaches.
Register Now