BlackBerry PlayBook Lets Hackers View Emails


Researchers have exposed a security hole in the BlackBerry PlayBook tablet. The vulnerability has to do with the BlackBerry Bridge software that links the device with a user's phone. This software could be used to get unauthorised access to corporate email messages.

When Research In Motion (RIM) launched the PlayBook last year, it didn't have a built-in way to access email or calendars. Instead, users were expected to link the PlayBook with a BlackBerry phone via bridging software that connects the two devices wirelessly. Although less convenient than native functions, the set-up was thought to be inherently more secure since the information was never actually stored on the tablet.

That may have been a tad optimistic. A pair of researchers now say they've successfully hacked into a PlayBook using the supposedly secure BlackBerry Bridge Bluetooth connection. Although the hack requires some special conditions, it hits RIM on its biggest strength compared to other devices: security.


[Image: The RIM PlayBook.]


Zach Lanier and Ben Nell of Intrepidus Group were the ones who found the Bridge's weak spot. They included it in their Blade Runner-themed presentation at the Infiltrate security conference last week in Miami Beach, FL, first reported by ThreatPost. The problem, as they describe it, is a bug that exposes the Bridge's authorisation token, which is normally in a protected file, to anyone who knows where to look.

"Think of it like this," Lanier told Mashable, "the Bridge apps on the PlayBook are glorified web browsers. They use a session token, much like a browser talking to a web application would, to assert their authorisation with the BlackBerry Bridge service. Due to a bug in TabletOS, this session token is accessible in a file that is readable by any user, including unprivileged applications and processes."

While that sounds bad (and it is), the danger is limited in two key ways:

- The user must be using BlackBerry Bridge to expose the token (unless the phone has no password set — then it can be used anytime).
- There must be some kind of malicious app already on the PlayBook to exploit it.

The hypothetical hacker doesn't actually have to be physically close to the PlayBook in question. Lanier confirmed that the only thing necessary is malware on the tablet designed to exploit the token. If that's the case, once the bridge is engaged and the bad app is running, every email and calendar appointment is potentially in the hands of hackers.

The good news is that the security hole will be patched in PlayBook 2.0, RIM's software update that will also finally bring native email to the tablet. RIM knew about the flaw through Intrepidus Group and issued the statement: "There are no known exploits and risk is mitigated by the fact that a user would need to install and run a malicious application after initiating a BlackBerry Bridge connection."

Nonetheless, the news is yet another stumble for the PlayBook, which launched to tepid reviews, experienced sluggish sales and was recently discounted to US$299 for the 16GB model (it originally sold for US$499). To add insult to injury, studies show many businesses plan to go with the iPad for their tablet needs, even at the enterprise level. (mashable.com)

