[Security Advisory] Circumvent Device Lock in Blackberry Connect for Windows Mobile

Description:

Blackberry Connect (BBC) features a security module that, if configured
and activated, locks the device after a specific amount of time.
In a corporate environment this is usually set up by a security
policy which is pushed to the device via Blackberry Enterprise Server (BES).
If the device is locked, the user has to enter a password to unlock it again.
There are two ways to circumvent the protection provided by the BBC security service.

1) Using a task manager a user can deactivate the BB security
service (bbsecurity.dll) which is responsible for enforcing the security policy.
The BB service itself is not affected by stopping the security service as
long as the device is not rebooted. Thus the security policy is no longer
enforced but the user is still able to use all other BB features.

2) The BB security service does not block all user actions during device lock.
Only the screen overlay is enforced, but applications may still be started
using hardware keys. This flaw can be misused in several ways.
For example, if voice command software is installed, the user can
still send voice commands to the locked device. If Microsoft Voice Command is
installed and bound to a hardware key and the device gets lost or stolen,
a malicious person can press the voice command hardware key and ask for
upcoming appointments, dial numbers etc., which leads to information leakage.

Affected:

Blackberry Connect (BBC) for Windows Mobile PocketPC 4.0.0.97 and 4.0.0.100
(only these versions were tested, but all currently available 4.x versions are suspected to be affected)

Not Affected:

Blackberry Connect (BBC) for Windows Mobile PocketPC 2.x

Workaround / Fixes:

None

Vendor Contacted:

14.05.2008

Vendor Response:

None
