Blackberry Pwnage - the Bluejay Strikes

Thursday, February 28, 2013
Federico Muttis
RSA 2013

In this talk we analyze vulnerabilities in BlackBerry devices and reveal a tool, BlueJay, that allows you to analyze the device's memory and siphon some information from it.

The brilliant attack executed by Iozzo, Pinckaers and Weinmann at Pwn2Own 2011 (2 of 3 vulnerabilities not patched) provided a big incentive to look for BlackBerry vulnerabilities. Since neither a PoC nor full details were published, it is still interesting for the community to learn how to dissect these devices and pwn them. Building on these hints and our prior investigations, we set out to reconstruct the attack. We first developed a tool to inspect the device's memory and some helper tools, including BlackBerry applications and some external tools.

BlueJay, our toolkit, which is being released together with this talk, uses a wide variety of techniques, such as HTTP push, and takes advantage of some of the nifty additions to HTML5. Furthermore, we'll show how we reconstructed some secret BlackBerry internals and give a detailed description of the exploits involved in the attack.