
Much like Apple, RIM was quickly outwitted by hackers

When an Apple, Inc. (AAPL) iPhone gets hacked, it's no big surprise.  When a Google Inc. (GOOG) Android smartphone gets turned into a slave in a massive botnet, it's an average day on the market.  But when Canadian smartphone maker Research In Motion, Ltd. (TSE:RIM) gets hacked, it's major news, as the device maker has built a reputation on underlying rock-solid security.

Questions about the security of the company's recently acquired QNX operating system were raised when a trio of hackers released a tool called Dingleberry, which gave root access to RIM's first QNX tablet, the PlayBook.  The tool allowed users to jailbreak their device -- a process of granting yourself administrative rights on legally purchased devices through nontraditional means, as authorized by the Library of Congress's Summer 2010 amendments to the Digital Millennium Copyright Act [PDF] (DMCA).

RIM yesterday confirmed the vulnerability in a Knowledge Base (KB) post, which revealed its origin to be a weakness in QNX's file sharing system.  When the OS interacts with the company's BlackBerry Desktop Software, users can manipulate it to achieve an escalation of privileges.

The company quickly pushed a fix down the pipe to users.

But as Apple has unpleasantly experienced in the past, the hackers were one step ahead.  They had already updated the jailbreak tool to still work post-patch.  Hacker "Chris Wade" writes on Twitter:

all firmware are currently jailbreakable

While that claim has not been confirmed definitively, if it's true it looks like it's back to the drawing board for RIM, and more embarrassment for a company that was traditionally a leader in security.

Sources: RIM [Patch Press Release], RIM [KB Security Advisory], Twitter-Chris Wade



Comments

Dumbasses
By Trisagion on 12/7/2011 11:14:20 AM , Rating: 3
Ha ha ha ha ha ha... Why don't these stupid execs grow a brain? They just want full control over their product. Guess what? You don't have it.




RE: Dumbasses
By Mitch101 on 12/7/2011 11:48:41 AM , Rating: 2
These execs should learn that Jailbreak is not the end of the world but generally spurs sales of the product. I'm not saying RIM should turn a blind eye but should take a hard look at how many devices sold before and after the jailbreak then decide how soon they want to fix the issue. I know the Playbook has been one of the worst selling devices and a jailbreak might just get the device out there. I know a lot of people who won't buy the device until it's jailbroken. Just saying.


RE: Dumbasses
By phantom505 on 12/7/2011 12:03:11 PM , Rating: 2
You misunderstand the problem. If they find a vulnerability then it can be used for malicious software. If it was just about permitting other OS's it wouldn't be a problem.


RE: Dumbasses
By JasonMick (blog) on 12/7/2011 12:19:34 PM , Rating: 4
quote:
You misunderstand the problem. If they find a vulnerability then it can be used for malicious software. If it was just about permitting other OS's it wouldn't be a problem.

Not just that. Even if the jailbreak authors behave responsibly and decline public disclosure to prevent malicious activity, IT departments will still be adversely impacted as jailbreaking could soon allow users to escape administrative controls on their BlackBerries (which will soon have a QNX variant).

In some cases they could simply use threats to prevent employee jailbreaking, but if a manager or boss jailbreaks his/her BlackBerry, it will be hard for an IT department to try to force him/her to stop.

That's one reason why many businesses have preferred BlackBerries -- IT administrators have greater control over them than they would a more rootable device, e.g. an Android or iPhone.


RE: Dumbasses
By Mitch101 on 12/7/2011 12:47:46 PM , Rating: 2
In our system we have the ability to deny mobile devices that have been jailbroken. Once you're on the environment if the user jailbreaks the device it's then blocked from all communication. Not sure how the system is able to determine it but it's in there for both iPhone and Android devices.


RE: Dumbasses
By JasonMick (blog) on 12/7/2011 5:27:20 PM , Rating: 2
quote:
In our system we have the ability to deny mobile devices that have been jailbroken. Once you're on the environment if the user jailbreaks the device it's then blocked from all communication. Not sure how the system is able to determine it but it's in there for both iPhone and Android devices.

Sure, but try explaining to your boss why you rejected his phone for jailbreaking. ;)


RE: Dumbasses
By Bostlabs on 12/8/2011 11:55:48 AM , Rating: 2
Easy enough to do. Just let the Information Security department deal with it.


RE: Dumbasses
By Mitch101 on 12/8/2011 2:48:46 PM , Rating: 2
Call me lucky I have a smart boss who may not know how to do everything we do but knows the limitations and available options. He is also great at mobile devices features and functions. He gets a lot of test devices from carriers and if anything is worth looking at he passes it around. I nicknamed him batman once because he had 5 phones on him one day in a meeting like batman's utility belt.


RE: Dumbasses
By JasonMick (blog) on 12/7/2011 12:14:06 PM , Rating: 2
quote:
These execs should learn that Jailbreak is not the end of the world but generally spurs sales of the product. I'm not saying RIM should turn a blind eye but should take a hard look at how many devices sold before and after the jailbreak then decide how soon they want to fix the issue. I know the Playbook has been one of the worst selling devices and a jailbreak might just get the device out there. I know a lot of people who won't buy the device until it's jailbroken. Just saying.

Allowing an easy jailbreak is definitely a good thing for home users and a selling point for intelligent DIY home users. (Just ask Google!)

That said for corporate IT departments, they represent the risk of losing what little administrative control they had over their device. Ultimately, in this case the device in question is more of a consumer toy and likely not going to see much serious business traction.

Where RIM has to worry is with the upcoming BBX OS for its smartphones. If QNX has these kinds of vulnerabilities, the QNX-derived BBX will likely have them as well. Given the high levels of corporate use of Blackberries, this is a serious issue, and could impact sales.

Currently businesses buy BlackBerries not just for their functionality, but for their security OS and services. If the security advantage starts to erode, RIM may see itself losing the core corporate business that has sustained it in the face of struggling sales in the fickle consumer market.

For that reason it's very important to RIM's bottom line to keep jailbreaks/rooting OFF QNX/BBX, even if that is unwelcome news for DIY non-corporate users.


RE: Dumbasses
By NellyFromMA on 12/7/2011 12:46:48 PM , Rating: 1
lol, who would call their own work 'dingleberry'. It's a great laugh for me, but I surely wouldn't trust something that is labelled such from its own creator(s). thanks for the laugh though!


RE: Dumbasses
By Mitch101 on 12/7/2011 12:51:40 PM , Rating: 2
They have a good sense of humor and play on the blackberry name

Every time I see the title of the thread I think of this commercial
http://www.youtube.com/watch?v=IPTfwW89UIY


RE: Dumbasses
By NellyFromMA on 12/8/2011 9:39:21 AM , Rating: 2
Suit yourself. I got a laugh out of it also, but I wouldn't be caught dead installing 'dingleberry' on any device regardless of platform. It wouldn't even be cool to brag about out loud...

Sense of humor, sure. Great way to get people interested in your work, no.


Copyright 2014 DailyTech LLC.