BlackBerry Z10 security flaw too fiddly to exploit

News 19 Jun, 2013

BlackBerry claims hackers would need significant access to device and user to exploit BB10 software vulnerability.

A flaw in the BlackBerry Z10 smartphone, which could potentially allow hackers to gain root-level access to the device has been played down by a security expert who deems it too fiddly to exploit.

BlackBerry alerted Z10 users several days ago to the security flaw on its Knowledge Base blog, and explained that Q10 users and people running the latest version of the software should not be affected.

The vulnerability could potentially allow hackers to gain access to resources that are usually reserved for senior management, or to permit applications to carry out unauthorised actions.

However, the blog post said the steps needed to exploit the vulnerability require a high degree of user interaction and physical access to the device.

“Successful exploitation requires not only that a customer enable Blackberry Protect, use the feature to reset the device password, and download a specifically crafted malicious app, but an attacker [would also need to] gain physical access to the device,” the blog post explained.

“If all of the requirements are met for exploitation, an attacker could potentially access or modify data on the device,” it added.

BlackBerry Protect is an optional feature in BB10 that allows Q10 and Z10 users to remotely track, lock, wipe and display a message on the device by logging into an online portal.

At the moment, the smartphone maker said it is not aware of any examples where the vulnerability had been exploited.

Given the number of steps and proximity to the device hackers would need to have, Michael Sutton, vice president of security research at vendor Zscaler, said exploitation is unlikely.

“BlackBerry has historically had a strong reputation for building a secure operating system, making it a popular choice for security conscious enterprises, even as Apple and Google have dramatically eaten away at their overall market share,” said Sutton.

“Fortunately, the vulnerability affects a relatively narrow scope of devices and would require a fairly specific chain of events to achieve successful exploitation.”