I’m Adrian Stone, and I am the Director of the BlackBerry Security Incident Response Team (BBSIRT) here at Research In Motion. The BBSIRT is responsible for responding to potential security issues and investigating vulnerability claims that may impact RIM’s products. Security is a priority for our customers, and that’s why I’ll be contributing regularly to this blog. For my first post, I want to provide some insight into how we investigate and respond to jailbreak-related reports.
“Jailbreaking”, or gaining root access to a device, has become commonplace in both the mobile and gaming industries. Essentially, gaining this deeper level of access to the core functions of the device allows the user to do things not originally intended by a manufacturer, such as install software outside of “official” channels. Unfortunately, gaining this level of root access may increase the security risk. For this reason, most device manufacturers, including RIM, strongly discourage jailbreaking while understanding that whole communities exist for just that purpose. At RIM, we take these issues very seriously. Let’s walk through how we assess and respond to jailbreaking reports.
From a user perspective, there are two primary ways to jailbreak a device. First, there is the method where the user voluntarily makes changes to the device. This method requires a) the device to be tethered to a computer and b) access to an authorized user account on the device, and c) it may even require the user to change the device’s default settings by putting it into developer mode (which can also compromise security). This method cannot be used by remote attackers to compromise user data or the integrity of the device, as it requires both possession of the device and valid user credentials for the device. The second method involves less interaction on the user’s part. For example, a software bug may be exploited from a web page to gain root access to any mobile device and not require any interaction from the user except visiting the page.
On hearing reports of a jailbreak for a BlackBerry® product, the BBSIRT will quickly triage the underlying issue and method used to perform the jailbreak. If it falls into the first category, where extensive user interaction is required, we will seek to address it in a future software update. If it falls into the second category (where a vulnerability is exposed with little to no user interaction), that is an indication of a more serious underlying issue and will most likely result in the release of a security update to address it as soon as possible. When this happens, my team publishes a security advisory or notice. These notifications typically offer an assessment of the issue and the required steps customers should take to resolve the vulnerability.
To be clear, RIM recommends against installing any jailbreaking tool. Customers who use a jailbreaking tool on BlackBerry products void the manufacturer warranty and also increase the long-term risk of negatively impacting the stability and user experience of their BlackBerry products. Use of a jailbreaking tool could also amplify the impact and severity of a future security issue, making your personal data more vulnerable to theft and more difficult to protect. If new jailbreaks for BlackBerry products are reported, rest assured that we will evaluate them and take appropriate action to help protect customers.
But the best actions you can take to protect your BlackBerry products are also pretty simple to follow: 1) keep your BlackBerry software up to date; 2) don’t install jailbreaking tools; and 3) don’t install software from unauthorized or unverified sources.
I look forward to your questions and feedback, so please submit a comment below. The BBSIRT and I promise to read each one and comment back where possible.