A bug has been fixed in the BlackBerry Protect application – which was designed to help users find their lost mobile devices – closing off a path by which a skilled attacker could access data belonging to Z10 smartphone users.
In a worst-case scenario, a hacker could unlock the victim's phone and access a host of data on the device, including information in the work perimeter (specifically designed to separate work and personal data on BlackBerry devices).
The intruder would need to have physical access to the phone, however, and be skilled enough to install their own malicious app on a Z10 BlackBerry phone, start the vulnerable BlackBerry Protect app, and reset the device password using the app, according to a security advisory from BlackBerry published last Tuesday.
After exploiting the device, an attacker could access personal files, contacts, work perimeter content (if the perimeter is unlocked) and other data on the phone. In addition, a crafty saboteur could reset users' passwords, locking the smartphone owner out of their own device.
Alternatively, an attacker who knew the victim's password but had no physical access to the phone could gain access remotely over Wi-Fi. This is only possible, however, if the user has enabled Wi-Fi storage access on the phone and used the same password for storage access.
BlackBerry's security advisory called the bug an “escalation of privilege vulnerability,” which could allow a “malicious app to take advantage of weak permissions on a BlackBerry Protect object.”
Users can mitigate the threat by downloading version 10.0.10.648 of the BlackBerry 10 operating system.
News of the vulnerability comes not long after the U.S. Department of Defense cleared BlackBerry's latest device, the Z10 model, for use on Pentagon networks.
In May, the Defense Information Systems Agency (DISA) said it approved BlackBerry Enterprise Service (BES) 10 on BlackBerry's Z10 and Q10 smartphones and PlayBook tablets, as well as Knox (based on the Android operating system) on Samsung's just-released Galaxy S4, to run on its internal networks.