Pwn2Own 2011: BlackBerry falls to WebKit browser attack

A trio of security researchers used the spotlight of the CanSecWest Pwn2Own contest here to exploit multiple WebKit vulnerabilities in an impressive browser attack against a BlackBerry Torch 9800 smart phone.
Written by Ryan Naraine, Contributor

Vincenzo Iozzo (left), Pwn2Own official Aaron Portnoy and Willem Pinckaers exploiting the BlackBerry.

VANCOUVER -- Research in Motion's recent decision to add a WebKit browser to BlackBerry has immediately backfired.

The team -- Vincenzo Iozzo, Willem Pinckaers and Ralf Philipp Weinmann -- chained an information disclosure bug to a separate integer overflow flaw in the open-source WebKit to hack the BlackBerry device and steal the contact list and image database. (Ed's note: Iozzo and Weinmann won last year's Pwn2Own by hacking into the iPhone).

The attack was particularly impressive because there is no public documentation on the inner workings of the BlackBerry operating system and the team had to run several trial-and-error techniques to create a reliable code execution exploit.

During the attack, the team set up a specially rigged web page that fired the exploit at the BlackBerry browser.  In addition to hijacking the contact list and copying images from the device, Iozzo and Pinckaers also wrote a file to the device to demonstrate full code execution.

Iozzo explained that the exploit was created without using a debugger, the utility used by programmers to locate and correct programming errors.  "The BlackBerry is a system no one knows anything about.  We know there's a browser and a Java virtual machine.  We had to assume that once we take over the browser, we can get further into the system," Iozzo said.

While planning the attack scenario, the researchers used a small information leakage bug to see small parts of the device memory and used that information to plot the way the exploit was laid out.

The team did not have to jump through any anti-exploit mitigation hoops (the BlackBerry does not have ASLR or DEP), but Iozzo said multiple bugs had to be chained together to see how the attack code was communicating with the rest of the system.

The attack was successful against BlackBerry firmware version    Pinckaers said RIM recently shipped a firmware update but he has since confirmed that the WebKit flaw remains unpatched.

RIM's security response team was on hand to witness the attack.  Immediately after, director of security response Adrian Stone said he would work with the contest organizers to verify that the vulnerabilities work against the most recent firmware version.

"It happens.  It's not what you want but there's no such thing as zero code defects," Stone said in response to the BlackBerry hack.

He said RIM's security incident response team will analyze the issue, determine whether it's a true zero-day flaw and immediately start work on engineering a fix. Once the fix is created, RIM works with carrier partners to release patches to end users.

Stone confirmed that the BlackBerry does not contain ASLR or DEP but said the company is looking at adding these security enhancements to future BlackBerry versions.

While the research team acknowledged that the BlackBerry benefits from obscurity, Iozzo said the absence of ASLR, DEP and code signing has put the device "way behind the iPhone" from a security perspective.

"The advantage for BlackBerry is the obscurity.  It makes it a bit harder to attack a system if you don't have documentation and information," Iozzo said.
