BlackBerry PlayBook and BlackBerry Handset connection not secure


A group of researchers has found a way to tap into your BlackBerry PlayBook tablet and BlackBerry handset. The connection between your two devices has a weakness that lets hackers tap into your corporate e-mail.

Zach Lanier and Ben Nell of Intrepidus Group revealed the PlayBook deficiencies at the Infiltrate Conference last week.

Dennis Fisher of Threatpost explains that the weakness would enable an attacker to tap into the connection between your tablet and BlackBerry smartphone. The Bluetooth connection between the two, made through the BlackBerry Bridge application, lets users access their corporate email, calendar entries and other data on the PlayBook.

The researchers found a way to locate and use the authentication token that the two devices share during Bridge connections, connect to the PlayBook as a user, and access the user’s email and other information. They said that the PlayBook’s OS places the authentication token for Bridge sessions in a terrible spot that can be read by anybody who knows how to find it.

Lanier said, “While the bridge is active, the token is in a place that is essentially world readable. The .all file being in a place that is world readable is the thing that causes the problem with the Bridge sessions.”
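The weakness described above, a session token left in a world-readable file, shown as a generic POSIX sketch in Python beside an owner-only alternative and a permission audit. This is an added example, not code from the researchers, RIM or the PlayBook OS; the file names, token value and directory layout are constructed.

```python
import os
import stat
import tempfile

def write_token_weak(path, token):
    """Weak pattern: the token file ends up mode 0644, readable by every local process."""
    with open(path, "w") as f:
        f.write(token)
    os.chmod(path, 0o644)

def write_token_private(path, token):
    """Hardened pattern: owner-only (0600) from creation; O_EXCL refuses a pre-planted file."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.fchmod(fd, 0o600)  # explicit, independent of the process umask
        os.write(fd, token.encode())
    finally:
        os.close(fd)

def world_readable_files(root):
    """Audit: regular files under root that other local users can reach and read."""
    found = []
    if not os.stat(root).st_mode & stat.S_IXOTH:
        return found  # others cannot even enter the top directory
    for dirpath, dirnames, filenames in os.walk(root):
        # Do not descend into directories that others cannot traverse.
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_mode & stat.S_IXOTH]
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISREG(mode) and mode & stat.S_IROTH:
                found.append(path)
    return sorted(found)

def demo():
    """Constructed scenario: a shared directory holding one weak and one private token file."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)  # assumption: a directory any local app may list
    weak = os.path.join(root, "session_token_weak")        # constructed name
    private = os.path.join(root, "session_token_private")  # constructed name
    write_token_weak(weak, "constructed-token-value")
    write_token_private(private, "constructed-token-value")
    return weak, private, world_readable_files(root)

if __name__ == "__main__":
    weak, private, exposed = demo()
    print("world-readable:", exposed)
```

The audit only flags a file when every directory above it is also traversable by other users, so the same 0644 file inside a 0700 directory is not reported.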

Fisher also reported that the team found that the file names in the BlackBerry app store can be predicted. This allows a user to simply increment the number in the file name and download an app he/she wants.

RIM said in a released statement, “The BlackBerry PlayBook issue described at the Infiltrate security conference has been resolved with BlackBerry PlayBook OS 2.0, which is scheduled to be available as a free download to customers in February 2012. There are no known exploits, and risk is mitigated by the fact that a user would need to install and run a malicious application after initiating a BlackBerry Bridge connection with their BlackBerry smartphone.”
