Flaw in BlackBerry Protect app addressed, impacts Z10 smartphone users


A bug has been fixed in the BlackBerry Protect application – which was designed to help users find their lost mobile devices – lowering the chance that a skilled attacker could access data belonging to Z10 smartphone users.

In a worst-case scenario, a hacker could unlock the victim's phone and access a host of data on the device, including information in the work perimeter (specifically designed to separate work and personal data on BlackBerry devices).

The intruder would need to have physical access to the phone, however, and be skilled enough to install their own malicious app on a Z10 BlackBerry phone, start the vulnerable BlackBerry Protect app, and reset the device password using the app, according to a security advisory from BlackBerry published last Tuesday.

After exploiting the device, an attacker could access personal files, contacts, work perimeter content (if the perimeter is unlocked) and other data on the phone. In addition, a crafty saboteur could reset users' passwords, locking the smartphone owner out of their own device.

In addition, an attacker who knows the victim's password but has no physical access to the phone could gain access remotely over Wi-Fi. However, this is only possible if the user has enabled Wi-Fi storage access on the phone and uses the same password for storage access.

BlackBerry's security advisory called the bug an “escalation of privilege vulnerability,” which could allow a “malicious app to take advantage of weak permissions on a BlackBerry Protect object.”

Users can mitigate the threat by updating to version 10.0.10.648 of the BlackBerry 10 operating system.

News of the vulnerability comes not long after the U.S. Department of Defense cleared BlackBerry's latest device, the Z10 model, for use by the Pentagon.

In May, the Defense Information Systems Agency (DISA) said it approved BlackBerry Enterprise Service (BES) 10 on BlackBerry's Z10 and Q10 smartphones and PlayBook tablets, as well as Knox (based on the Android operating system) on Samsung's just-released Galaxy S4, to run on its internal networks.
