Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Wireless Networking Hardware

Security Holes Found In RIM BlackBerry Service 89

An anonymous reader writes "Researchers have found several security holes in Blackberry handheld devices and the servers that power them, according to a story at Washingtonpost.com. The research points out serious flaws in the BlackBerry server, which could be exploited by convincing Blackberry handheld users to click on an image file attachment. From the article: 'Lindner's slides from his presentation -- which he agreed not to release until RIM has fully fixed this problem -- show that the Blackberry server which manages all of the encryption keys needed to unscramble e-mail traffic to and from all Blackberry devices registered on the network stores them on a Microsoft SQL database server in plain, unencrypted text. Lindner found that by convincing a Blackberry user to click on a special image attachment, that handheld device could be made to pass on malicious code to the Blackberry server, which could then be taken over and used to intercept e-mails or as a staging point for other attacks within the network.'"
This discussion has been archived. No new comments can be posted.

Security Holes Found In RIM BlackBerry Service

Comments Filter:
  • Ha! (Score:5, Funny)

    by JonN ( 895435 ) * on Tuesday January 03, 2006 @02:23PM (#14386218) Homepage
    That will teach them no good thiefs to use patented technology! Never know what you're gonna get

    *watches the karma drop* btw I'm a RIM supporter

  • I'm no SQL guru, but even I know how to avoid these kinds of attacks. Plus, storing information like that in plain text is just... dumb.
    • by WebCrapper ( 667046 ) on Tuesday January 03, 2006 @02:45PM (#14386380)
      What gets me is they're using a natoriously insecure OS, with clear text values in the database... Thats just asking for more trouble than you can get in.
      • by Anonymous Coward
        I'm not really sure when the change happened, but the SQL server upgrade happened at version 4.0...previously the enterprise server did not use SQL. This is probably the only reason it took so long to find the flaw.

        BTW version 4 is causing duplicate calendar and address book entries for lotus notes users (all 800 of our blackberries are showing this bug yah!). We are debating going back to 3.6 as 4.0 only added wireless synch for address and memo dbs for the user. Not that big of a deal to plug it into a
  • ...is that it took so long to find this. Blackberries are in such wide use around government agencies, I would have hoped they would have found something like this long ago. I always have to wonder about the idiot designers and coders who create bugs like this.
  • I think that publishing an exploit where the user has to receive a corrupt tagged TIFF file is just making the problem into a bigger issue.
    The article says it only affects certain versions of the servers, and than only a certain, corrupt image file. THAN it only prevents you from getting other attachments.
    Not exactly a big deal in my book (of course we use palms anyway, haha)
    • READ! (Score:4, Interesting)

      by temojen ( 678985 ) on Tuesday January 03, 2006 @02:39PM (#14386341) Journal
      It's a corrupt PNG (a common image file type), that may pass code to the server to be run there (as administrator), with complete access to the corporate network, including all the plain-text, non-passphrase-protected private keys of all blackberry users on the same corporate network.

      If true, this is a gaping hole, and a very big deal.
      • Re:READ! (Score:3, Informative)

        by garylian ( 870843 )
        Yeah, my wife works for Mercedes, and they are telling ALL users to not open any email with any type of graphics attachment on it, not just the .tiff and .png stuff.

        It is a pretty darn huge security hole, and one that shouldn't impact the home user (at least not yet) in any major fashion.

        Then again, it is probably wishful thinking that Blackberry users are more technically knowledgeable than the average home user, and wouldn't open dumb emails from unsolicited sources.
      • No, it's a specially crafted TIFF attachment. If you read either the knowledge base article that is linked in the /. story or the US-CERT advisory (VU#570768) you can see that it's a TIFF attachment.

        Second, it will not allow remote code execution or to take over the server, it stops the attachment service (Again, from reading the US-CERT advisory). It is classed as a DoS attack...as in Denial of Service....as in stopping the ability to use that service. This is not a remote code execution CERT advisory.

        F
        • Re:READ! (Score:2, Informative)

          by ejhuff ( 734708 )
          From TFA [washingtonpost.com]:

          Lindner said the real problem -- a vulnerability in the way Blackberry servers handle portable network graphics (PNG) images, was not disclosed by either RIM or the US-CERT advisory.

          From the top of the CERT advisory [cert.org]:

          By causing the service to render a specially crafted TIFF file, an attacker could execute arbitrary code or cause a denial of service.

          Should an exploit be developed, this arbitrary code would run inside the corporate firewall on a windows system, possibly with administrator priv

          • I do apologize, I did miss that part in the CERT about running arbitrary code.

            However, in the advisory they said to disable all images because someone could possibly rename a TIFF to use another file extension.

            And in TFA (as you put it) that is still paraphrasing Lindner. That article is the only place that mentions PNG files. Everything else only mentions TIFF files. It could be possible that the author misheard or mistakenly mentioned PNG's, and it could be that all PNG files will cause this but no one
  • Job at rim? (Score:5, Funny)

    by The_Rippa ( 181699 ) on Tuesday January 03, 2006 @02:47PM (#14386390)
    Who in their right mind would store that info unencrypted? It must be pretty easy these days to get a rim job.
  • Will I be able to flash between 1.5 and 2.0 as much as I want?

    Does Norton see this as Brick.Trojan?

    Oops, that was the OTHER MegaCorp's product... Sorry, carry on.
  • Black-and-blue-berry (Score:5, Interesting)

    by Billosaur ( 927319 ) * <wgrother@optonline . n et> on Tuesday January 03, 2006 @03:03PM (#14386523) Journal
    Lindner found that by convincing a Blackberry user to click on a special image attachment, that handheld device could be made to pass on malicious code to the Blackberry server...

    I would like to try and convince most people with a Blackberry to see if they could use it as a suppository, but I digress...

    From the Washington Post: RIM didn't mention anything about the flaw allowing attackers to download and execute programs on the targeted device, but I'm left wondering whether they escalated this because of just such a threat.

    I really don't think RIM is going to shout this from the rooftops. If the exploit is as bad as is disclosed, there's some serious trouble brewing that makes the brouhaha with NTP look like a cakewalk.

    From the Washington Post: Lindner said he started looking into Blackberry's proprietary communications protocols because the Blackberry server requires an unusual level of access inside of a corporate network: the server must be run inside a company's network firewall and on a Windows machine that is granted full and direct administrative access to the customer's internal e-mail server.

    And RIM thought this was a good idea because...? It's like building a 50-ft high wall around the castle, then creating a hole for an 8-lane superhighway to pass through. Imagine the enterprising and inventive hacker that can plant a zombie process on that machine. Talk about spam! Imagine if a Fortune 500 company starts getting nipped because their email servers are dumping spam on the unsuspecting public. Lawsuits for everyone!!

  • by SmurfButcher Bob ( 313810 ) on Tuesday January 03, 2006 @03:07PM (#14386557) Journal
    Yep, sorry guys... this flaw is patented. Pay up!

    Heh, I wasn't actually going to post that, but I had a thought... if we patented the dumbest mistakes out there (buffer overflows, etc)... what company would want to prove "prior art" ?
  • How would someone exploit the password issues on a GroupWise or LotusNotes- based BES install? Maybe I should be glad that RIM hasn't actually managed to come up with a backend-independent version (say, something that speaks IMAP or POP3), which would result in more servers being vulnerable.

    Also- given some of the other flaws that I've discovered with BlackBerries (which is not to say that I'm not an addict), something like this is not wholly unexpected. I mean, they haven't yet managed to make the times
    • when you upgrade to 4.0 it forces you to use sql2000! there is no nsf option anymore!
    • Umm -- Our Blackberrys speak to a backend independent POP3 server. While in our case it happens to be 3rd party back end POP3 servers and not our own, this already exists.

      However that is built into the Blackberry itself and requires no backend interface.

      Their sales guy told management POP3 was HIPAA compliant and that all communications to the POP3 servers was SSL encrypted. When I was tasked with making this work and asked them where I configure POP3s such as port number and SSL certificate, they said t
  • by WoTG ( 610710 ) on Tuesday January 03, 2006 @03:24PM (#14386705) Homepage Journal
    With the scant details provided, it sounds almost like an SQL Injection vulnerability. It doesn't sound like a problem with SQL Server directly, or else it wouldn't be a RIM specific problem.

    Anyway, can't administrators just filter all image attachments out through their AV or other software for the time being?
    • It doesn't sound like a problem with SQL Server directly, or else it wouldn't be a RIM specific problem.

      Then why is it that in 99% of the cases, whenever SQL injection is involved, SQL server is too? Must be really bad luck on Microsoft's part, I guess :-)

      • by cduffy ( 652 ) <charles+slashdot@dyfis.net> on Tuesday January 03, 2006 @04:22PM (#14387220)
        SQL injection flaws are related to how well the application using the database is written, not the database itself. Any database-backed application can have SQL injection flaws, no matter what the underlying database, so long as the application is written by an idiot.

        Listen, kids: NEVER, NEVER, NEVER pass user-provided values into your SQL queries as strings. There's a reason every database access API in existance allows positional or named parameters to be passed outside the parser, and it's not just performance.

        And if I sound a little grumpy on this topic -- like maybe I'd recently worked with a developer lacking just this sort of clue... well, maybe you'd be interpreting my tone correctly.
  • I wonder when they'll getting around to fixing that pesky security flaw in users which causes them compulsively to click on things.
  • Without excusing the security hole, is it really that surprising that the emails are stored as "plain, unencrypted text"? I would think that encrypting e-mails on a mail server of that size would be the exception rather than the norm. Anyone know if Exchange is encrypted?
    • sendmail and exim do not encrypt the mail storage neither, they were talking about unencrypted passwords in the database.
  • I had an article here about it, looking for anyone who has a blackberry to discuss:

    Blackberry handhelds/servers vulnerable to attack [fak3r.com]

    I had no idea the server backend was so...crummy. Why do geeks running FreeBSD at home have their passwords encrypted within MySQL, but big companies with million dollar products don't?
    • Re:More info here... (Score:3, Informative)

      by blincoln ( 592401 )
      I had no idea the server backend was so...crummy. Why do geeks running FreeBSD at home have their passwords encrypted within MySQL, but big companies with million dollar products don't?

      The entire server backend is like that. Some of the more amusing examples:

      - When it starts, it has a fixed number of threads it can use to talk to the Exchange server. Let's say it's 1000. If a thread is killed off, e.g. because it timed out, it is not returned to the pool. So over the course of a week or so, you run out of t
      • Amazing, thanks for the info, again, I have friends that use Blackberrys for work and love them, but damnit I can't believe the backend is that crappy! Another company trying to pry more money via handicapped proprietary software. Wonder if there are any open source projects working on a version of the blackberry server?
        • Wonder if there are any open source projects working on a version of the blackberry server?

          I would think a better open source-type option would be to either use a handheld that has some kind of X Window client for mail on a remote server (if you want it in realtime), or a regular mail client that syncs up its local copy of the inbox every once in awhile.

          Honestly, there's no legitimate reason I can think of for the Blackberries to work the way they do, with mail passing through RIM between your mail server a
  • What does he mean by convince a user to click on a special image. What if _I_ wanted to attach a RIM server and I had access to a Blackberry?! WTF? Why not describe a butterfly sneezing in China as a part of the attack?

"Our vision is to speed up time, eventually eliminating it." -- Alex Schure

Working...