MOUNTAIN VIEW, Calif.--Last week, security researchers posted a video showing a successful BlackBerry PlayBook hack, exploiting a security hole in Research in Motion’s enterprise-level security encryption and granting users root access to the system.
RIM responded to the jailbreaking of its tablet by claiming it was just the PlayBook and not the firm’s phones which had been compromised, promising to investigate the issue.
The BlackBerry PlayBook’s operating system is based on software from QNX, on which upcoming BlackBerry smartphones will also run.
The researchers, led by main hacker “Neuralic,” decided to take the experiment a step further, releasing the jailbreak tool, known as Dingleberry, to the public via Twitter.
RIM quickly released an OTA update to fix the security breach, but within hours of the patch, Neuralic’s hack squad had jailbroken it again, releasing an updated version of Dingleberry to the public for download. On Wednesday (Dec. 7) morning, hacker Chris Wade posted that there had been 14581 downloads of the PlayBook jailbreak thus far.
RIM had previously stated that all of its mobile devices were rigorously tested by third-party security researchers every day. Indeed, some feel it is only on the strength of RIM’s strong security credentials that BlackBerry products continue to be popular with enterprises and governments, with even the U.S. president owning one.
It’s one thing to hack Android, an open operating system, but being able to jailbreak a BlackBerry device, and then to circumvent within hours a patch meant to fix the flaw, is certainly embarrassing news for RIM, which has always prided itself on its strong encryption.
This is an important point, often overlooked: if you have physical access to a system, there are a lot more attacks that you can try than if you're trying to do it remotely. I'd really love for the writer to have followed up that aspect of the story. Does the security flaw they exploited even imply that it could be forcibly done to your device? Now THAT would be newsworthy and relevant to RIM security in a way that this exploit really isn't.
"RIM had previously stated that all of its mobile devices were rigorously tested by third-party security researchers every day"
It'll be interesting to know who the third-party are. It appears the third-party did a lousy job.
In fairness to RIM, a recent FORTUNE article clearly chronicles their arduous decisions to stick with their enterprise knitting at the expense of the hip smartphone market.
Yet, if RIM loses the faith of the IT dudes (as Frank Eory points out, above), they are yesterday's toast. Even though my corporate-issued Curve works pretty darn well. (I know: this hack is about a tablet, not a phone, yet guilt by association...or credibility lost...)
RIM is certainly going downhill. They couldn't even secure the name of their next generation operating system, being forced to change it from BBX to BlackBerry 10. This is a real bad oversight from the management team. RIM needs a huge overhaul of their management team if they want to stay in the game with Apple and Google.
For the business user, RIM's security is one of its big selling points. I doubt that many of those customers will think that the ability to exploit a security hole in the crypto is a bug fix!
Ask any corporate IT manager how he/she feels about users getting root access to company-owned IT assets and let us know what kind of replies you get.
Sorry, why is it embarrassing, or even a concern for RIM how PlayBook owners use their devices?
A jailbreak tool is a bugfix: correcting the manufacturer's failure to provide the owner with full access.
Honestly, RIM is hanging on by a thread. Once they lose their security trust/cachet in the corporate space, no one is going to lay their device next to an Apple device and say, "Yup, RIM wins this battle." Do you know anyone who chooses RIM for a personal device?