BlackBerry PlayBook e-mail app exposed to hackers: security researchers

Research in Motion may have improved its overall experience on the PlayBook with its recent update, but security researchers recently revealed that the device leaves corporate email and user information open to potential hackers.

Researchers Zach Lanier and Ben Nell of Intrepidus Group uncovered a vulnerability in the PlayBook’s Bridge application that leaves the authentication token for the Bridge application somewhere anyone could dig it up.

Vulnerability lies in PlayBook Bridge application
The Bridge application lets you connect the PlayBook to a BlackBerry smartphone via Bluetooth. It is currently necessary to connect to your BlackBerry with Bridge if you want to access your corporate email and calendars using the PlayBook. While the connection itself remains secure, the .ALL file contains access to the BlackBerry Bridge token, your BBM user name and information, your bookmarks, and other information specific to the device and its user.

Who can access this data?
Any native application for the PlayBook can access the .ALL file. A hacker could release a malicious application for the PlayBook that could gather private information about each user and device.

How can hackers access corporate email?
If a hacker obtains your BBM user name and password, they can access your secure corporate email.

RIM immediately announces non-immediate fix
When the research team announced the Bridge exploit at a computer security conference on January 12, Research in Motion released a statement that included a promise to fix the exploit in the PlayBook 2.0 update coming in February. From the statement: “The BlackBerry PlayBook issue described at the Infiltrate security conference has been resolved with BlackBerry PlayBook OS 2.0, which is scheduled to be available as a free download to customers in February 2012. There are no known exploits, and risk is mitigated by the fact that a user would need to install and run a malicious application after initiating a BlackBerry Bridge connection with their BlackBerry smartphone.”

How should this change my use of the PlayBook?
If you have any applications on your PlayBook that do not come from a trusted source, uninstall them immediately. Do not download any further applications unless they come from a trusted source until the PlayBook 2.0 update is released.

What does this mean for RIM?
RIM should be fixing this vulnerability immediately rather than leaving it until February if it wants to bolster the PlayBook’s reputation as the tablet for corporate business. With Samsung nipping at RIM’s heels with its recently acquired FIPS security clearance for Galaxy Tab 10.1 devices, RIM needs to be seen as the secure choice for enterprise, government and small business. Simply rolling the fix into the next update just doesn’t fit the bill for business users who are immediately concerned about the security of their devices, however marginal the threat may be.
