BlackBerry’s ongoing collaboration with external security researchers continues to play an essential role in our strategy to protect customers. As part of this collaboration, BlackBerry invited six elite security researchers to the Waterloo campus for the second annual BlackBerry Security Summit. The event was very successful with strong attendance, thought-provoking presentations and lively discussions.
This internal event provided BlackBerry employees with the unique opportunity to engage in candid discussions on mobile hacking, software vulnerabilities, malware and privacy issues that could impact customers. Additionally, summit speakers also met with specific BlackBerry teams to further discuss the information they presented in their talks. The discussions gave BlackBerry employees the chance to have deeper technical and theoretical exchanges with the researchers on their findings, as well as conversations on ways to leverage their research to advance security on the BlackBerry platform.
Internal feedback from this year’s summit speakers highlighted the quality and industry relevance of the presentations. A brief summary of each speaker’s presentation is below:
Miaubiz – Finding and Exploiting WebKit Vulns
Miaubiz provided an extremely deep technical review of the different types of fuzzing techniques he uses to find WebKit vulnerabilities as well as examples of his associated results. In addition, he briefly discussed the volume and backlog of WebKit vulnerabilities. He shared that the trends indicate that these bugs are slowly being addressed, but that the remaining backlog is still significant.
Justin W. Clarke, Cylance – An Introduction to Reverse Engineering QNX on Embedded Systems
Justin presented on the enormous number of devices (targets) represented by embedded systems (10 billion plus clients). He highlighted a few case studies on vulnerabilities he has discovered and reported. In addition, he discussed the value of a secure development lifecycle, which can help protect a platform from these types of attacks.
Jason Shirk, Microsoft – Social Networking, Mobile Phones, The Cloud and Privacy – The New Reality of Digital, Physical and Social Persona
Jason presented on the unique position the industry is in given that technology and privacy are at an inflection point. He highlighted that cloud services present an interesting challenge due to the confluence of a wide range of data streams. He also discussed that mobile devices provide an additional layer of richness for data given issues such as user location and instant communications (SMS, IM, BBM, etc.). Additionally, Jason stressed the increased utilization of new technologies by Gen Y, and he also highlighted that users commonly accept EULAs, Privacy Terms and Terms of Notice with little consideration.
Dan Guido, Trail of Bits – The Mobile Exploit Intelligence Project
Dan presented analysis identifying the means by which exploits are developed and distributed in attacks. He also reviewed what defenses work well, as well as some of the most effective tools for objectively evaluating the exploitability of mobile platforms. Interestingly, Dan suggested there is a fair amount of sensationalism in the landscape about what is truly plausible for mobile attacks, and he indicated that several claims really fall into the stunt hack and FUD category rather than actual attacks. He also suggested that malware development and distribution faces similar challenges as legitimate product-based businesses.
Kurt Baumgartner, Kaspersky – Mobile Malware Festival 2013
Kurt presented a talk focused on how mobile malware continues to develop as part of a more intricate cybercrime operation worldwide. He highlighted that mobile devices are rife with information about users and their communications data. He reviewed two primary malware types (cyber espionage and financial) and potential malware targets of opportunity, including WebKit, spear phishing on mobile, Bluetooth and even NFC vulnerabilities. He also briefly discussed that mobile botnets could present a future threat for users.
Adam Meyers, Crowdstrike – Mobile Threat Landscape
Adam discussed Crowdstrike’s exploit methodology leading up to RSA 2012, which provided the second (partial) public exploit of a BlackBerry device, and he also presented an overview of how to create and weaponize a malware project from the ground up, including the process of purchasing a vulnerability. Additionally, he provided a real-world view of mobile exploits in the wild as well as the types of threats customers face, including WebKit issues and malware/spyware like Nickispy. Adam also discussed countermeasures to protect customers, which included patching and alerting users to unusual device behaviors such as battery drain, GPS polling and unexpected SMS messages.
In addition to the six external researchers who presented at the BlackBerry Security Summit, we also invited Trend Micro to attend and participate in the mobile malware panel discussion. Simon Ko, director of engineering at Trend Micro, joined the panel and, given our application scanning collaboration with Trend Micro, offered a unique perspective on both the mobile malware landscape and potential threats to the BlackBerry platform.
As we close the book on the second annual BlackBerry Security Summit, I want to take a moment to thank our speakers and panel participants for coming to BlackBerry’s headquarters and for providing their advanced research and threat landscape insights. This valuable information exchange continues to support the ongoing proactive efforts to improve BlackBerry’s platform security and to protect users. These efforts include securing WebKit technologies, safeguarding user privacy, and defending the growing BlackBerry application ecosystem from malware. We look forward to next year’s summit, as we continue to focus on collaborating with both internal and external security experts in order to improve the security of the overall mobile landscape.