<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
	>

<channel>
	<title>Inside BlackBerry for Business Blog &#187; BlackBerry Security Incident Response Team</title>
	<atom:link href="http://bizblog.blackberry.com/tag/blackberry-security-incident-response-team/feed/" rel="self" type="application/rss+xml" />
	<link>http://bizblog.blackberry.com</link>
	<description></description>
	<lastBuildDate>Thu, 16 May 2013 19:07:01 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.com/</generator>
<cloud domain='bizblog.blackberry.com' port='80' path='/?rsscloud=notify' registerProcedure='' protocol='http-post' />
<image>
		<url>http://0.gravatar.com/blavatar/20ac8e1f171f33d226baa862f286c029?s=96&#038;d=http%3A%2F%2Fs2.wp.com%2Fi%2Fbuttonw-com.png</url>
		<title>Inside BlackBerry for Business Blog &#187; BlackBerry Security Incident Response Team</title>
		<link>http://bizblog.blackberry.com</link>
	</image>
	<atom:link rel="search" type="application/opensearchdescription+xml" href="http://bizblog.blackberry.com/osd.xml" title="Inside BlackBerry for Business Blog" />
	<atom:link rel='hub' href='http://bizblog.blackberry.com/?pushpress=hub'/>
		<item>
		<title>Mobile Pwn2Own: A Safe Environment for Security Researchers and Companies to Improve Mobile Security</title>
		<link>http://bizblog.blackberry.com/2012/08/mobile-pwn2own-blackberry/</link>
		<comments>http://bizblog.blackberry.com/2012/08/mobile-pwn2own-blackberry/#comments</comments>
		<pubDate>Mon, 20 Aug 2012 13:38:43 +0000</pubDate>
		<dc:creator>Adrian Stone</dc:creator>
				<category><![CDATA[Event]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[BBSIRT]]></category>
		<category><![CDATA[Black Hat]]></category>
		<category><![CDATA[BlackBerry Security Incident Response Team]]></category>
		<category><![CDATA[Mobile Pwn2Own]]></category>

		<guid isPermaLink="false">http://bizblog.blackberry.com/?p=8204</guid>
		<description><![CDATA[Examining RIM's dedication to mobile security research through sponsoring several events.]]></description>
				<content:encoded><![CDATA[<p>This year on the BlackBerry® Security Incident Response Team (BBSIRT), we increased our efforts to collaborate with the security research community. In June, we held the BlackBerry Security Summit featuring some of the industry’s elite researchers including Robert Seacord, Michael Eddington, Andy Davis, Josh Lackey, Zach Lanier, Vincenzo Iozzo, Willem Pinckaers, and Dino Dai Zovi. During the event, there was a full day of talks followed by deep technical discussions with our product and security teams. These exchanges were great and everyone walked away knowing that through collaboration, we can help make the mobile industry safer.</p>
<p>In July, we continued to show our support for the security research community by sponsoring the annual <a href="http://www.blackhat.com/html/bh-us-12?IID=E020C060&amp;Date=082012" target="_new">Black Hat conference</a> in Las Vegas. We support dozens of conferences every year, but Black Hat is one of the largest gatherings of the research community in the world. This year, there was definitely an increased focus on mobile security and a lot of great presentations highlighting the need for the industry to continuously improve our understanding and monitoring of the threat landscape.</p>
<p>As the mobile threat landscape continues to evolve, it is imperative that we remain committed to advancing research and technology that will help bolster the security of not only our customers, but also the entire industry.</p>
<p><span id="more-8204"></span></p>
<p>To further demonstrate our support for mobile security research and our passion for helping to fortify the industry, RIM® is sponsoring the <a href="http://dvlabs.tippingpoint.com/blog/2012/07/20/mobile-pwn2own-2012?IID=E020C060&amp;Date=082012" target="_new">Mobile Pwn2Own</a> competition at EUSecWest in Amsterdam on September 19th and 20th. Due to the prizes available (including BlackBerry® PlayBook™ tablets), we expect to see some cutting edge research as contestants focus on finding weaknesses in mobile web browsers, Near Field Communication (NFC), Short Message Service (SMS), and cellular baseband.</p>
<p>We are looking forward to the contest because it offers a safe environment for direct collaboration, and the details of the research are only discussed with the affected vendors. This means that customers are not put at risk while vendors work with researchers to address any issues that are uncovered. Sponsoring this contest is another logical step toward BBSIRT advancing the technologies that continue to help us deliver the unique level of security that our customers depend upon.</p>
<p>In addition to our collaboration with the security community, we are also focused on how RIM can help influence and support security throughout IT infrastructures. As a result, we are pleased to announce that we became a member of the <a href="http://www.icasi.org?IID=E020C060&amp;Date=082012" target="_new">Industry Consortium for Advancement of Security on the Internet</a> (ICASI). ICASI fosters an open dialogue between industry leaders in information technology (IT) to address multi-product security challenges and to better protect the IT infrastructures that support the world’s enterprises, governments and citizens.</p>
<p>Our industry is no longer facing threats that are isolated to a single platform or technology. The focus areas for Mobile Pwn2Own highlight that the vulnerabilities discovered will likely cross platforms, and therefore, these emerging threats emphasize the need for associations like ICASI to help bridge the gap for the common good of everyone on the Internet.</p>
<p>As September approaches, we are eagerly awaiting the kickoff of the Mobile Pwn2Own competition. In the meantime, our collaboration efforts are ongoing. If you have security research you would like to discuss with us, we would love to hear from you at <a href="mailto:secure@rim.com">secure@rim.com</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://bizblog.blackberry.com/2012/08/mobile-pwn2own-blackberry/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/ae00a1f97503ff5ff08b9ce462c52c3a?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">adstone999</media:title>
		</media:content>
	</item>
		<item>
		<title>The BlackBerry Security Summit: How collaborating with external security researchers keeps RIM on top in mobile security</title>
		<link>http://bizblog.blackberry.com/2012/06/bbsirt-summit/</link>
		<comments>http://bizblog.blackberry.com/2012/06/bbsirt-summit/#comments</comments>
		<pubDate>Tue, 26 Jun 2012 19:15:55 +0000</pubDate>
		<dc:creator>Adrian Stone</dc:creator>
				<category><![CDATA[Feature]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[BBSIRT]]></category>
		<category><![CDATA[BlackBerry devices]]></category>
		<category><![CDATA[BlackBerry Security Incident Response Team]]></category>
		<category><![CDATA[BlackBerry Security Summit]]></category>
		<category><![CDATA[mobility]]></category>

		<guid isPermaLink="false">http://bizblog.blackberry.com/?p=7882</guid>
		<description><![CDATA[Examining the security challenges faced by the mobile world.]]></description>
				<content:encoded><![CDATA[<p>Today, it is easy to see how the mobile security landscape parallels threats seen in the desktop space for years. And while there are many similarities, mobile computing does have its own unique set of challenges in the way customers use, access and store data. Regardless, customers have the same expectations for their mobile devices as they do with their desktop computers. For example, they want timely security updates to help protect them from emerging threats, to trust applications available to them, and to be able to maintain the privacy of sensitive information on their device.</p>
<p>Compounding these challenges is the fact that many don’t realize that their smartphone is susceptible to the same kinds of attacks that target desktop computers.  As a result, mobile vendors must be able to adapt and develop a tailored approach to ensuring security in a way that’s seamless to customers. But RIM also goes beyond that.  Maintaining a leadership position in mobile security certainly requires deep integration of security at the product development stage, but it also requires listening to the needs of customers, and working collaboratively across the industry. At RIM, these are some of the core tenets that have led to the unique level of security the BlackBerry® solution delivers and that our customers depend upon.</p>
<p>As the director of the BlackBerry® Security Incident Response Team (BBSIRT), I am responsible for helping to ensure that RIM can respond to emerging threats. It is our mission to identify and address security risks to our customers, and as part of that mission, we work to build collaborative relationships across the industry.</p>
<p><span id="more-7882"></span></p>
<p>One segment that is extremely important to us is the independent security researcher community. This community includes some of the brightest minds conducting new and exciting research on the frontier of technology. We are committed to further developing our relationships with security researchers, and we&#8217;re excited to have some of the industry’s elite researchers visiting our Waterloo campus for the first BlackBerry Security Summit to discuss their research with our product engineers, exchange ideas and have open discussions.</p>
<p>Why is this collaboration valuable? When leading security researchers get together with the leader in mobile security, it is customers that will benefit from the results. We’ve built a solid security development lifecycle (SDL) into the BlackBerry platform, and security is at our core. However, helping to protect customers against shifting threats requires layers of defense, which includes working with others to identify and plan for new, emerging issues.</p>
<p>As already experienced in the traditional computing space, products released today with the latest security advancements may be effective against current threats and even against some we know are coming. However, shifting user behaviors and rapidly emerging technologies often breed new unforeseen attack scenarios. This can occur even if the vendor works through solid security engineering practices developed by the best developers and security engineers. A great example of this was the early generation of web browsers that primarily focused on the safe transfer and encryption of information over the Internet. Over time, they faced new and emerging threats from script injection and compromised certificate infrastructures. Independent security researchers are at the forefront of discovering new ways to use the convergence of new technologies along with user expectations and behaviors, to uncover those unforeseen security issues. In many cases, this happens before criminals and those with malicious intent can use them against unsuspecting users.</p>
<p>Collaboration with the research community is not new for RIM. In the last year alone, BBSIRT participated in over 50 security conferences around the world. These events provide us the opportunity to foster relationships with members of the security community and also to support the research that comes out of it. While RIM invests heavily in internal security engineering, we also support and recognize that independent security research is crucial for the industry and our customers. In addition, we regularly collaborate with researchers who cooperatively disclose vulnerabilities they find to us in order to address them as quickly as possible.</p>
<p>Given how important our relationships are with the security community, we want to go beyond sponsoring and attending conferences to further develop our relationships with researchers and protect customers. The BlackBerry Security Summit offers an effective way to exchange information and ideas between our own talented engineers and external security researchers. We plan to share and listen on several important topics including the future of mobile malware, baseband security and advanced “fuzzing” techniques. These are all topics we are eager to collaborate on with the security community, as well as putting focus on areas where RIM continues to make investments as a leader in mobile security.<br />
Ultimately, security researchers and RIM have the same goal: protect mobile customers from threats. Working collaboratively on the remediation of newly discovered vulnerabilities in a coordinated fashion, along with having an open dialogue and exchange of innovative attack and defensive techniques, is the most effective way to reach our common goal.</p>
<p>These types of summits are a common occurrence for technology companies that place a high priority on security, and hosting the BlackBerry Security Summit is another step in our ongoing collaboration with the security researcher community. Together, RIM and security researchers are working to address the mobile security challenges of today, and to protect customers against the mobile threats of tomorrow.</p>
]]></content:encoded>
			<wfw:commentRss>http://bizblog.blackberry.com/2012/06/bbsirt-summit/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/ae00a1f97503ff5ff08b9ce462c52c3a?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">adstone999</media:title>
		</media:content>
	</item>
		<item>
		<title>How we manage BlackBerry jailbreak issues</title>
		<link>http://bizblog.blackberry.com/2012/03/playbook-jailbreak/</link>
		<comments>http://bizblog.blackberry.com/2012/03/playbook-jailbreak/#comments</comments>
		<pubDate>Tue, 20 Mar 2012 13:20:41 +0000</pubDate>
		<dc:creator>Adrian Stone</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[BBSIRT]]></category>
		<category><![CDATA[BlackBerry Jailbreak]]></category>
		<category><![CDATA[BlackBerry Security Incident Response Team]]></category>
		<category><![CDATA[PlayBook 2.0 Jailbreak]]></category>
		<category><![CDATA[PlayBook Jailbreak]]></category>

		<guid isPermaLink="false">http://bizblog.blackberry.com/?p=7323</guid>
		<description><![CDATA[Discussing "jailbreaking" and the implications it has for device security.]]></description>
				<content:encoded><![CDATA[<p><a href="http://us.blackberry.com/ataglance/security/"><img src="http://rimblogs.files.wordpress.com/2012/02/blackberry-security2.jpg?w=600&#038;h=401" alt="blackberry-security" title="blackberry-security" width="600" height="401" class="aligncenter size-full wp-image-12724" /></a></p>
<p>I’m Adrian Stone, and I am the Director of the <a href="http://us.blackberry.com/ataglance/security/news.jsp" target="_new">BlackBerry Security Incident Response Team</a> (BBSIRT) here at Research In Motion. The BBSIRT is responsible for responding to potential security issues and investigating vulnerability claims that may impact RIM’s products. Security is a priority for our customers, and that’s why I’ll be contributing regularly to this blog. For my first post, I want to provide some insight into how we investigate and respond to jailbreak-related reports.</p>
<p>“Jailbreaking”, or gaining root access to a device, has become commonplace in both the mobile and gaming industries. Essentially, gaining this deeper level of access to the core functions of the device allows the user to do things not originally intended by a manufacturer, such as install software outside of “official” channels. Unfortunately, gaining this level of root access may increase the security risk. For this reason, most device manufacturers, including RIM, strongly discourage jailbreaking while understanding that whole communities exist for just that purpose. At RIM, we take these issues very seriously. Let’s walk through how we assess and respond to jailbreaking reports.</p>
<p><span id="more-7323"></span></p>
<p>From a user perspective, there are two primary ways to jailbreak a device. First, there is the method where the user voluntarily makes changes that require: a) the device to be tethered to a computer; b) access to an authorized user account on the device; and c) in some cases, the user to change the device’s default settings by putting it into developer mode (which can also compromise security). This method cannot be used by remote attackers to compromise user data or the integrity of the device as it requires both possession of the device and valid user credentials for the device. The second method involves less interaction on the user’s part. For example, a software bug may be exploited from a web page to gain root access to any mobile device without requiring any interaction from the user except visiting the page.</p>
<p>On hearing reports of a jailbreak for a BlackBerry® product, the BBSIRT will quickly triage the underlying issue and method used to perform the jailbreak. If it falls into the first category, where extensive user interaction is required, we will seek to address it in a future software update. If it falls into the second category (where a vulnerability is exposed with little to no user interaction), that is an indication of a more serious underlying issue and will most likely result in the release of a security update to address it as soon as possible. When this happens, my team publishes a <a href="http://us.blackberry.com/ataglance/security/news.jsp" target="_new">security advisory or notice</a>. These notifications typically offer an assessment of the issue and the required steps customers should take to resolve the vulnerability.</p>
<p>To be clear, RIM recommends against installing any jailbreaking tool. Customers who use a jailbreaking tool on BlackBerry products void the manufacturer warranty and also increase the long-term risk of negatively impacting the stability and user experience of their BlackBerry products. Use of a jailbreaking tool could also amplify the impact and severity of a future security issue, making your personal data more vulnerable to theft and more difficult to protect. If new jailbreaks for BlackBerry products are reported, rest assured that we will evaluate them and take appropriate action to help protect customers.</p>
<p>But the best actions you can take to protect your BlackBerry products are also pretty simple to follow: 1) keep your BlackBerry software up to date; 2) don’t install jailbreaking tools; and 3) don’t install software from unauthorized or unverified sources.</p>
<p>I look forward to your questions and feedback, so please submit a comment below. The BBSIRT and I promise to read each one and comment back where possible.</p>
]]></content:encoded>
			<wfw:commentRss>http://bizblog.blackberry.com/2012/03/playbook-jailbreak/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/ae00a1f97503ff5ff08b9ce462c52c3a?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">adstone999</media:title>
		</media:content>

		<media:content url="http://rimblogs.files.wordpress.com/2012/02/blackberry-security2.jpg" medium="image">
			<media:title type="html">blackberry-security</media:title>
		</media:content>
	</item>
	</channel>
</rss>
