Pwn2Own 2011: BlackBerry falls to WebKit browser attack


Summary: A trio of security researchers used the spotlight of the CanSecWest Pwn2Own contest here to exploit multiple WebKit vulnerabilities in an impressive browser attack against a BlackBerry Torch 9800 smart phone.


Vincenzo Iozzo (left), Pwn2Own official Aaron Portnoy and Willem Pinckaers exploiting the BlackBerry.

VANCOUVER -- Research in Motion's recent decision to add a WebKit browser to BlackBerry has immediately backfired.

A trio of security researchers used the spotlight of the CanSecWest Pwn2Own contest here to exploit multiple WebKit vulnerabilities in an impressive browser attack against a BlackBerry Torch 9800 smart phone.


The team -- Vincenzo Iozzo, Willem Pinckaers and Ralf Philipp Weinmann -- chained an information disclosure bug to a separate integer overflow flaw in the open-source WebKit to hack the BlackBerry device and steal the contact list and image database. (Ed's note: Iozzo and Weinmann won last year's Pwn2Own by hacking into the iPhone).

follow Ryan Naraine on twitter

The attack was particularly impressive because there is no public documentation of the inner workings of the BlackBerry operating system, so the team had to rely on trial and error to build a reliable code-execution exploit.

During the attack, the team set up a specially crafted web page that fired the exploit at the BlackBerry browser. In addition to hijacking the contact list and copying images from the device, Iozzo and Pinckaers also wrote a file to the device to demonstrate full code execution.


Iozzo explained that the exploit was created without using a debugger, the utility used by programmers to locate and correct programming errors. "The BlackBerry is a system no one knows anything about. We know there's a browser and a Java virtual machine. We had to assume that once we take over the browser, we can get further into the system," Iozzo said.

While planning the attack, the researchers used a small information-leak bug to read small parts of device memory and used what they saw to plan the exploit's memory layout.

The team did not have to bypass any anti-exploit mitigations (the BlackBerry has neither ASLR nor DEP), but Iozzo said multiple bugs had to be chained together to learn how the attack code was interacting with the rest of the system.
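The article names the bug class (an integer overflow in WebKit) but not the bug itself. The C below is an added illustration, written for this page and not taken from the researchers, RIM or WebKit, of the generic pattern that class usually follows in a browser: an attacker-controlled element count is multiplied by an element size to pick a heap buffer, the product wraps, and the subsequent copy runs past the end of the too-small buffer. It models the target as 32-bit (the Torch 9800 is an ARM device with a 32-bit size_t), computes the overrun rather than performing it so it is safe to run, and places the vulnerable size calculation beside the checked form. The inputs are constructed; nothing here corresponds to the actual Pwn2Own exploit.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Model the 32-bit target: allocation sizes are computed in uint32_t
 * regardless of the host's native size_t. (Assumption for illustration.) */
typedef uint32_t target_size_t;

/* Allocation size as a naive 32-bit multiply computes it: wraps mod 2^32. */
target_size_t naive_alloc_size(uint32_t count, uint32_t elem_size)
{
    return (target_size_t)(count * elem_size);
}

/* Vulnerable pattern: trust the attacker-supplied count, size the heap
 * buffer with a 32-bit multiply, then copy `count` elements into it.
 * Returns how many bytes the copy loop would write past the end of the
 * allocation (0 when the buffer is big enough). The overrun is computed,
 * not performed, so hostile input cannot corrupt this process. */
uint64_t vulnerable_overrun_bytes(uint32_t count, uint32_t elem_size)
{
    target_size_t alloc = naive_alloc_size(count, elem_size); /* may have wrapped */
    uint64_t needed = (uint64_t)count * elem_size;             /* what the copy writes */
    return needed > alloc ? needed - alloc : 0;
}

/* Hardened pattern: reject the request before multiplying whenever the
 * product cannot fit in a target size_t. Stores the size on success. */
bool checked_alloc_size(uint32_t count, uint32_t elem_size, target_size_t *out)
{
    if (elem_size == 0 || count == 0) {
        *out = 0;
        return true;
    }
    if (count > UINT32_MAX / elem_size)   /* product would wrap */
        return false;
    *out = count * elem_size;
    return true;
}

/* Convenience for callers that only need the accept/reject decision. */
bool checked_alloc_accepts(uint32_t count, uint32_t elem_size)
{
    target_size_t unused;
    return checked_alloc_size(count, elem_size, &unused);
}

int main(void)
{
    /* Constructed inputs: a benign array, and a count chosen so that
     * count * 4 = 0x100000004 wraps to a 4-byte allocation. */
    const uint32_t elem = 4;
    const uint32_t benign = 100;
    const uint32_t hostile = 0x40000001u;

    printf("benign:  alloc=%u overrun=%llu %s\n",
           naive_alloc_size(benign, elem),
           (unsigned long long)vulnerable_overrun_bytes(benign, elem),
           checked_alloc_accepts(benign, elem) ? "accepted" : "rejected");
    printf("hostile: alloc=%u overrun=%llu %s\n",
           naive_alloc_size(hostile, elem),
           (unsigned long long)vulnerable_overrun_bytes(hostile, elem),
           checked_alloc_accepts(hostile, elem) ? "accepted" : "rejected");
    return 0;
}
```

The hostile count yields a four-byte allocation followed by a four-gigabyte write, which is the shape that gives an attacker a heap overflow; with no ASLR or DEP on the device, as the article notes, turning such an overflow into code execution needs no additional bypass, which is why the information leak was used to understand the memory layout rather than to defeat a mitigation.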


The attack was successful against BlackBerry firmware version 6.0.0.246. Pinckaers said RIM recently shipped a firmware update but he has since confirmed that the WebKit flaw remains unpatched.

RIM's security response team was on hand to witness the attack. Immediately after, director of security response Adrian Stone said he would work with the contest organizers to verify that the vulnerabilities work against the most recent firmware version.

"It happens. It's not what you want but there's no such thing as zero code defects," Stone said in response to the BlackBerry hack.

He said RIM's security incident response team will analyze the issue, determine whether it's a true zero-day flaw and immediately start work on engineering a fix. Once the fix is created, RIM works with carrier partners to release patches to end users.

Stone confirmed that the BlackBerry does not contain ASLR or DEP but said the company is looking at adding these security enhancements to future BlackBerry versions.

While the research team acknowledged that the BlackBerry benefits from obscurity, Iozzo said the absence of ASLR, DEP and code signing has put the device "way behind the iPhone" from a security perspective.

"The advantage for BlackBerry is the obscurity. It makes it a bit harder to attack a system if you don't have documentation and information," Iozzo said.

Topics: Security, Browser, Software


Talkback

13 comments
  • RE: Pwn2Own 2011: BlackBerry falls to WebKit browser attack

    Okay, what about Android, has it fallen yet?
    slickjim
    • RE: Pwn2Own 2011: BlackBerry falls to WebKit browser attack

      @Peter Perry

      Android is already "owned" by Google. And that is bad enough.
      jorjitop
      • RE: Pwn2Own 2011: BlackBerry falls to WebKit browser attack

        @jorjitop
        Troll ? go home
        eric_s@...
    • RE: Pwn2Own 2011: BlackBerry falls to WebKit browser attack

      @Peter Perry

      Android & Chrome were unhackable while many exploits found in the iPhone 4 ibtimes.com/articles/121517/20110311/google-chrome-android-hack-attacks-contest-pwn2own-iphone-blackberry-safari-internet-explorer.htm
      Michael_Martin
      • RE: Pwn2Own 2011: BlackBerry falls to WebKit browser attack

        @Michael_Martin I am surprised, no in fact I am shocked that Android survived.
        Given the problems it faced over the last week.
        Knowles2
      • why HACK android when you load Malware apps into the Google app Market?

        @Michael_Martin

        why bother hacking android when you can just load apps loaded with malware that get root access into the Google market?
        Davewrite
    • RE: Pwn2Own 2011: BlackBerry falls to WebKit browser attack

      @Peter Perry nope
      Jimster480
  • RE: Pwn2Own 2011: BlackBerry falls to WebKit browser attack

    One major factor not being discussed here. Corporate users of BlackBerrys run through a BES server which resides behind the firewall. In order for an exploit to attack the BlackBerry WebKit Browser, the poisoned website and attached remote exploit code would have to pass unobstructed through the organization's firewalls & virus scanners. This provides a massive additional layer of protection not found on other direct access devices such as iPhones.

    I would also be curious to know if IT policies applied to the BlackBerry in a corporate environment would prevent this hack from occurring (for example, in our organization no program can install without the user being prompted to confirm with device password).

    Well done to the hackers for isolating a webkit bug on a non-corporate configured BlackBerry - but I would be very curious to know if a hacker can manage to compromise a BES secured device?
    higherdestiny
    • RE: Pwn2Own 2011: BlackBerry falls to WebKit browser attack

      @higherdestiny No, it has to do with visiting an infected site, and traditional virus scanners don't typically pick up non-Windows malware, or for that matter malware for a different CPU architecture.
      Jimster480
  • RE: Pwn2Own 2011: BlackBerry falls to WebKit browser attack

    P.S.

    Curious to know if the hackers could actually access email records on the device, or just contact lists?

    And was device memory encryption enabled on the device?
    higherdestiny
  • RE: Pwn2Own 2011: BlackBerry falls to WebKit browser attack

    blackberry forever, forget android or iphone
    Semakula
  • RE: Pwn2Own 2011: BlackBerry falls to WebKit browser attack

    Great!!! thanks for sharing this information to us!
    talih
  • RE: Pwn2Own 2011: BlackBerry falls to WebKit browser attack

    Yeah, blackberry is really unbreakable phone. It was made for business, so it should be powerful gadget.
    davecordale