It seems like despite all that concern surrounding security, BlackBerry might just yet be vulnerable to another critical security bug. The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet.
Update: BlackBerry responded with the following statement: BlackBerry is investigating the issue, and if our products are affected, we will take any action needed to ensure customers are protected.
What versions are vulnerable?
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable
Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.
How serious could this get?
The vulnerable versions have been out there for over two years now and they have been rapidly adopted by modern operating systems. A major contributing factor has been that TLS versions 1.1 and 1.2 came available with the first vulnerable OpenSSL version (1.0.1) and security community has been pushing the TLS 1.2 due to earlier attacks against TLS (such as the BEAST).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.
This also means that if BlackBerry has not updated their servers recently, the chances of the encryption keys being stolen is very high. As far as we understand, BlackBerry still uses 1.0.1e which is clearly vulnerable.
Finally, exploitation of this bug leaves no traces of anything abnormal happening to the logs.
So what gets stolen?
Without using any privileged information or credentials, researchers were able steal from ourselves the secret keys used for their own X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication. The leaked or stolen secret keys allows the attacker to decrypt any past and future traffic to the protected services and to impersonate the service at will. Any protection given by the encryption and the signatures in the X.509 certificates can be bypassed. Recovery from this leak requires patching the vulnerability, revocation of the compromised keys and reissuing and redistributing new keys. Even doing all this will still leave any traffic intercepted by the attacker in the past still vulnerable to decryption.
Has BlackBerry patched the servers yet? Will the OpenSSL support on BlackBerry 10 be updated to 1.0.1g? We have already reached out to BlackBerry and are waiting for their response.
Note: We also understand that BES would probably not be vulnerable, so anything in that transit should be safe.
Pingback/Trackback
Updated: 2/3 Of The Internet Is Vulnerable To This Attack! BlackBerry Included? - BerryReview
Pingback/Trackback
BlackBerry Has Planned Patches For The Remaining Services That Are Vulnerable From The HeartBleed Bug