14 DAY TRIAL // Researchers have found a vulnerability in RIM’s BlackBerry PlayBook that could allow someone to intercept sensitive data while being transferred from the tablet to a BlackBerry handset via Bluetooth connection.
Zach Lanier and Ben Nell of the Intrepidus Group presented their findings at the Infiltrate Conference that has been taking place these days in Miami Beach at the Gansevoort Hotel, Threat Post reports.
The problem seems to exist in the Bridge application which permits users to access their email, calendars and other data found on their PlayBook from their BlackBerry handset through Bluetooth.
It turns out that the authentication token sent between the devices during Bridge connections is stored in a location that’s accessible to anyone who knows where to look for it.
“While the bridge is active, the token is in a place that is essentially world readable. The .all file being in a place that is world readable is the thing that causes the problem with the Bridge sessions,” Lanier revealed.
Of course, certain conditions have to be met in order for an attack to be successful. First of all, a way to access the token from the tablet must be present.
This could be a malicious app that seamlessly offers the capability to access the token, or the task could be performed by exploiting another weakness that exists in the PlayBook’s software.
The issue could present an interest for a hacker because, currently, the device doesn’t have a native email client, which means that most consumers would have to rely on webmail clients or the use of the Bridge application to read their emails.
“Now, instead of it just being an unprivileged user who can get to this, now it becomes a high-value target to look for any other bugs in the PlayBook. They're protecting these really valuable assets with client-side controls,” Nell said.
And this flaw is not the only one the researchers found. They also discovered that due to the fact that the file names in the BlackBerry AppWorld store are sequential and predictable, a user could simply increment the file’s name to download whatever app he desires.