[ISN] Security Hole Claimed for BlackBerrys

[InfoSec News]

http://blogs.washingtonpost.com/securityfix/2006/01/security_hole_e.html

By Brian Krebs
January 3, 2006

Security Hole Claimed for BlackBerrys

New research released over the weekend indicated that BlackBerrys -- 
the ubiquitous handheld devices favored by on-the-go types -- are 
vulnerable to a security hole that could let attackers break in to the 
gadgets by convincing users to open a specially crafted image file 
attached to an e-mail. 

The information was released at the 22nd Chaos Communication Congress 
hacker convention in Berlin by this guy -- "FX" of the security 
research group Phenoelit.

Research in Motion Ltd., the Canadian company that makes the devices, 
said it is a previously reported issue "that has been escalated 
internally to our development team. No resolution time frame is 
currently available." RIM's advisory downplays the threat, saying that 
"a corrupt Tagged Image File Format (TIFF) file sent to a user may 
stop a user's ability to view attachments. There is no impact on any 
other services (for example, sending and receiving messages, making 
phone calls, browsing the Internet, and running handheld applications 
to access a corporate network)."

RIM didn't mention anything about the flaw allowing attackers to 
download and execute programs on the targeted device, but I'm left 
wondering whether they escalated this because of just such a threat. I 
obviously didn't hear FX's talk, but an alert released over the 
weekend by  US-CERT says remote code execution is possible. 

RIM doesn't say when it plans to have a fix available, but for now it 
is urging companies who use the service to reconfigure any machine 
serving as an internal BlackBerry Internet Server to filter TIFF 
images or disable the file-attachment capability altogether.

Update, 10:27 a.m. ET: Having just spoken with FX (a.k.a Felix 
Lindner), I definitely feel like I understand the threat here a bit 
better, and it is a little more serious than I first thought. Lindner 
said the real problem -- a vulnerability in the way Blackberry servers 
handle portable network graphics (PNG) images, was not disclosed by 
either RIM or the US-CERT advisory. Lindner said he suspects that's 
because this PNG flaw is present not in the newest version of 
Blackberry server but in all versions from 4.0 to 4.0.1.9 (the latter 
was released roughly a month ago, and no doubt many companies still 
run that version). 

Lindner said he started looking into Blackberry's proprietary 
communications protocols because the Blackberry server requires an 
unusual level of access inside of a corporate network: the server must 
be run inside a company's network firewall and on a Windows machine 
that is granted full and direct administrative access to the 
customer's internal e-mail server. 

"We started looking at all of the privileges this server needs while 
sitting right in the middle of the network and realized we didn't know 
anything about it," Lindner said. "In a lot of companies, corporate 
managers want to install it because they want their Blackberrys, but 
we wanted to find out what risks are there connected to running this 
thing." 

Lindner's slides from his presentation -- which he agreed not to 
release until RIM has fully fixed this problem -- show that the 
Blackberry server which manages all of the encryption keys needed to 
unscramble e-mail traffic to and from all Blackberry devices 
registered on the network stores them on a Micorosft SQL database 
server in plain, unencrypted text.

Lindner found that by convincing a Blackberry user to click on a 
special image attachment, that handheld device could be made to pass 
on malicious code to the Blackberry server, which could then be taken 
over and used to intercept e-mails or as a staging point for other 
attacks within the network.

I put in a call to the RIM folks: Will update the post if I get a 
response from them directly.