BlackBerry has released a security update resolving an escalation of privilege vulnerability that existed in “BlackBerry Protect” enabled devices running version 10.0.10.261 and earlier operating systems. The company says that version 10.0.9.2743 is not affected and that they have found no evidence of attackers exploiting this vulnerability in the wild.
BlackBerry’s flagship Z10 device is among those impacted by this vulnerability, which is identified as BSRT-2013-006 (CVE-2013-3692). Users running the updated BlackBerry 10 OS version 10.0.10.648 and later are not affected. Other unaffected versions include: BlackBerry 10 OS version 10.1, BlackBerry 7 OS and earlier, and BlackBerry PlayBook tablet software.
Customer risk is relatively low, the advisory explains, because a successful exploitation of this vulnerability would only be possible on devices with Blackberry Protect enabled and on which the BlackBerry Protect feature has been used to reset the user’s password. Furthermore, the more severe exploitation requires that an attacker has physical access to the device after its user has downloaded a maliciously crafted application.
If the lesser of these conditions are met on an affected device, an attacker could potentially reset device passwords remotely and prevent BlackBerry Protect commands, such as a remote smartphone wipe.
If an attacker compels a user to download a maliciously crafted application and has physical access to the device in addition to the other criteria, then he or she could perform any of the actions listed below.
- Access the functionality of the smartphone (including the BlackBerry Hub, apps, data, and the phone) by unlocking the smartphone.
- Unlock the work perimeter on a BlackBerry Z10 smartphone that has BlackBerry Balance technology enabled if the work perimeter password is the same as the device password.
- Access the smartphone over a USB tether with either BlackBerry Link or the computer’s file viewer, allowing access to the smartphone’s personal files, contacts, PIM data, and so on.
- The attacker could also access work perimeter content on BlackBerry Balance smartphones if the work perimeter is unlocked and access over a USB tether is allowed by a policy that the IT administrator sets.
- Enable development mode after accessing the smartphone over a USB tether, allowing remote access as a low privilege development user.
- Change the current device password, allowing the attacker to deny access to the legitimate user of the smartphone.
- Access any other local and enterprise services for which the legitimate user has used the same password as the smartphone’s password.
A third category of exploitation exists for attackers that know a device’s password but do not have physical access to it. Under this condition, the attacker could access a devices Wi-Fi files, but only if the rightful owner has enabled Wi-Fi storage access and uses the same password for that as he or she does to lock the device.
BlackBerry Protect is a security feature in BlackBerry 10 – similar to Apple’s “Find My iPhone” – that is designed to help users track down lost devices and to protect smartphone data on lost and stolen BlackBerries.
z10 smartphone users and IT administrators that deploy these devices on their networks are urged to apply available fixes as soon as possible.