There’s a remotely exploitable authentication bypass vulnerability in the BlackBerry Z10 phone that affects the service that lets users share files with machines on a wireless network. The bug could allow an attacker to steal users’ personal data or hit them with targeted malware.

The Z10 is one of BlackBerry’s top-tier devices and includes a feature that separates personal and corporate data and also supports encryption. The device also includes a service that enables users to do ad-hoc file sharing with devices on nearby wireless networks. Researchers at Modzero in Switzerland discovered a vulnerability that allows an attacker to bypass the authentication mechanism that protects that service.

“The mobile phone offers a network service (‘Storage and Access’) for adhoc file-exchange between the phone and a network client. To achieve these goals, the mobile device deploys a Samba fileserver, which can be used to upload or download files to or from the Blackberry phone. To enable fileserver access from wireless networks, the user has to explicitly enable ‘Access using Wi-Fi’ on the phone. Afterwards, the Z10 asks the user to enter a password that is required to get access to the fileserver,” the Modzero advisory says.

“The fileserver implementation or the password handling that is used on the Z10 is affected by an authentication by-pass vulnerability: The fileserver fails to ask for a password and allows unauthenticated users to obtain read and write access to the offered shares. The severity is considered medium to high, as an attacker may be able to distribute targeted malware or access confidential data.”

The researchers discovered two methods for exploiting the vulnerability, but they said that the condition is not always reproducible and may take several attempts to show up.

“The problem occurs when ‘Sharing via Wi-Fi’ has been enabled on the Z10. The ‘Storage and Access’ dialog of the Z10 asks the user for a password that shall be used to access data on the fileserver. Under certain circumstances, the fileserver fails to ask for a password and allows access even without specifying credentials. This behaviour does not always occur but is reproducible within at most one of ten different tries via Wi-Fi,” the advisory says.

“The first approach let users access the fileserver via the wireless LAN interface without using the developer mode, which is the most common scenario. The second approach gives access via USB cable. In this second approach, the developer mode is activated to enable TCP/IP communication via USB. The second method is more reliable for reproducing the effect and for tracking down the root cause.”

BlackBerry has produced a patch for the vulnerability and pushed it to carriers.

Comments (3)

  1. Kem

    BlackBerry should stop relying on Carriers to update the phones. We know that US Carriers take 2-4 months of “testing” before (if ever) releasing the update. BlackBerry should push every update directly to the phone without the intrusion of a carrier.

    • MMDubya

      You’re exactly right Kem. Great they fixed it, though I’ve had no problem with this via USB or Wi-Fi. But the carriers take way too long to push anything out. Maybe we’ll get it in December.

  2. Raj

    The Wifi file server is disabled by default. Malware would not be a concern in the case you were able to connect to a feature that is disabled by default. Actually most users don’t use it because BlackBerry Link allows you to map network drives without the feature enabled. The fix for now is to disable wifi file sharing until the update is released. Kinda seems unusual for BlackBerry to have this type of issue. I guess no one is perfect
