Flaw in BlackBerry Protect app addressed, impacts Z10 smartphone users


A bug has been fixed in the BlackBerry Protect application – which was designed to help users find their lost mobile devices – lowering the chance that a skilled attacker could access data belonging to Z10 smartphone users.

In a worst-case scenario, a hacker could unlock the victim's phone and access a host of data on the device, including information in the work perimeter (specifically designed to separate work and personal data on BlackBerry devices).

The intruder would need to have physical access to the phone, however, and be skilled enough to install their own malicious app on a Z10 BlackBerry phone, start the vulnerable BlackBerry Protect app, and reset the device password using the app, according to a security advisory from BlackBerry published last Tuesday.

After exploiting the flaw, an attacker could access personal files, contacts, work perimeter content (if the perimeter is unlocked) and other data on the phone. In addition, a crafty saboteur could reset the user's password, locking the smartphone owner out of their own device.

Also, an attacker who knows the victim's password, but has no physical access to the phone, could gain access remotely over Wi-Fi. However, this is only possible if the user has enabled Wi-Fi storage access on the phone and used the same password for storage access.

BlackBerry's security advisory called the bug an “escalation of privilege vulnerability,” which could allow a “malicious app to take advantage of weak permissions on a BlackBerry Protect object.”

Users can mitigate the threat by downloading version 10.0.10.648 of the BlackBerry 10 operating system.

News of the vulnerability comes not long after the U.S. Department of Defense cleared BlackBerry's latest device, the Z10 model, for use by the Pentagon.

In May, the Defense Information Systems Agency (DISA) said it approved BlackBerry Enterprise Service (BES) 10 on BlackBerry's Z10 and Q10 smartphones and PlayBook tablets, as well as Knox (based on the Android operating system) on Samsung's just-released Galaxy S4, to run on its internal networks.
