BlackBerry Z10 security flaw too fiddly to exploit

BB10 Z10 smartphones

A flaw in the BlackBerry Z10 smartphone, which could potentially allow hackers to gain root-level access to the device has been played down by a security expert who deems it too fiddly to exploit.

BlackBerry alerted Z10 users several days ago to the security flaw on its Knowledge Base blog, and explained that Q10 users and people running the latest version of the software should not be affected.

The vulnerability could potentially allow hackers to gain access to resources that are usually reserved for senior management, or to permit applications to carry out unauthorised actions.

However, the blog post said the steps needed to exploit the vulnerability require a high degree of user interaction and physical access to the device.

"Successful exploitation requires not only that a customer enable Blackberry Protect, use the feature to reset the device password, and download a specifically crafted malicious app, but an attacker [would also need to] gain physical access to the device," the blog post explained.

"If all of the requirements are met for exploitation, an attacker could potentially access or modify data on the device," it added.

BlackBerry Protect is an optional feature in BB10 that allows Q10 and Z10 users to remotely track, lock, wipe and display a message on the device by logging into an online portal.

At the moment, the smartphone maker said it is not aware of any examples where the vulnerability had been exploited.

Given the number of steps and proximity to the device hackers would need to have, Michael Sutton, vice president of security research at vendor Zscaler, said exploitation is unlikely.

"BlackBerry has historically had a strong reputation for building a secure operating system, making it a popular choice for security conscious enterprises, even as Apple and Google have dramatically eaten away at their overall market share," said Sutton.

"Fortunately, the vulnerability affects a relatively narrow scope of devices and would require a fairly specific chain of events to achieve successful exploitation."

Caroline Donnelly is the news and analysis editor of IT Pro and its sister site Cloud Pro, and covers general news, as well as the storage, security, public sector, cloud and Microsoft beats. Caroline has been a member of the IT Pro/Cloud Pro team since March 2012, and has previously worked as a reporter at several B2B publications, including UK channel magazine CRN, and as features writer for local weekly newspaper, The Slough and Windsor Observer. She studied Medical Biochemistry at the University of Leicester and completed a Postgraduate Diploma in Magazine Journalism at PMA Training in 2006.