BlackBerry OS fell during the second day of the Pwn2Own hacking competition as a result of a drive-by download attack that chained together several exploits.
The trio that managed to hack RIM's mobile operating system, Vincenzo Iozzo, Willem Pinckaers and Ralf Philipp Weinmann, exploited two vulnerabilities in the open-source WebKit layout engine in order to do it.
The attack was launched from a specially crafted web page that stole information like contacts and images from the device and also wrote a file to the storage system.
The hackers chained together an exploit for an information disclosure bug and one for an integer overflow vulnerability, but what's most impressive is that they did it without any documentation.
They didn't have access to any debugging tool, like the ones available for other systems, that could have helped them determine how the attack code interacts with the system. Instead, they had to rely on exploiting a separate bug to read the device's memory.
"The BlackBerry is a system no one knows anything about. We know there's a browser and a Java virtual machine. We had to assume that once we take over the browser, we can get further into the system," Vincenzo Iozzo told ZDNet.
The hackers' job was easier because BlackBerry OS doesn't have ASLR or DEP, two security mechanisms that would have made vulnerability exploitation a lot harder.
RIM's director of security response, Adrian Stone, who was at the CanSecWest security conference where Pwn2Own is taking place, confirmed that the company is looking to add these technologies in future versions.
Apple, for example, has already implemented native ASLR in the new iOS 4.3 released two days ago. That update did not make it into the contest though, because all configurations were frozen two weeks in advance.