This document provides an overview and agenda for dissecting the security of the Blackberry Z10 mobile device. It begins with a review of the Blackberry OS which is built on QNX. It then discusses gaining shell access, various approaches for analyzing the device such as fuzzing and exploiting system utilities, examining the firmware, analyzing the browser and application-level security. It also covers interacting with APIs and MDM capabilities. Metrics are provided on the efficiency of security features compared to other mobile platforms. The document aims to serve as a guide for further researching the Blackberry Z10.

1. Dissecting Blackberry Z10:
2-in-1
By Alexander Antukh &
Yury Chemerkin
Jun 30, 2013

2. Alexander Antukh
 Security Consultant
 Offensive Security Certified Expert
 Interests: kittens and stuff
/whoami

3. Yury Chemerkin





Experienced in :
Mobile Security and MDM
Cyber Security & Cloud Security
Compliance & Transparency
and Security Writing
/whoami

4. Agenda
Blackberry OS review
Shell Access
The Approaches
Firmware from the inside
Playing with the browser
Security on the application level
Funny with APIs
MDM capabilities
Efficiency of security features
Future research
4
Dissecting Blackberry Z10

5. Blackberry OS review
Built on QNX!
 Tiny
 Micro-kernel architecture
 Virtual memory alloc for each process
 POSIX-compilant
QNX = MK + PM + processes
5
Dissecting Blackberry Z10

6. Blackberry OS review
That’s how the system looks like:
6
Dissecting Blackberry Z10

7. Blackberry OS review
That’s how the microkernel looks like:
7
Dissecting Blackberry Z10

8. Agenda
Blackberry OS review
Shell Access
The Approaches
Firmware from the inside
Playing with the browser
Security on the application level
Funny with APIs
MDM capabilities
Efficiency of security features
Future research
8
Dissecting Blackberry Z10

9. Shell Access
Extremely easy!
 development mode  on
 generate a 4096-bit RSA key (ssh-keygen/putty)
 blackberry-connect <t> -password <p> -sshPublicKey <k>
 ssh 169.254.0.1  nuts
Even easier:
 Dingleberry  nuts
/accounts/devuser/
9
Dissecting Blackberry Z10

10. Agenda
Blackberry OS review
Shell Access
The Approaches
Firmware from the inside
Playing with the browser
Security on the application level
Funny with APIs
MDM capabilities
Efficiency of security features
Future research
10
Dissecting Blackberry Z10

11. The Approaches
1. General permissions
 SUID/SGID
-rwxrwsrwx 1 root root
 Writable files and folders
"find all suid files" => "find / -type f -perm -04000 –ls”
"find all sgid files" => "find / -type f -perm -02000 –ls”
"find config* files" => "find / -type f -name "config*””
"find all writable folders and files" => "find / -perm -2 –ls”
"find all writable folders and files in current dir" => "find . -perm -2 -ls"
11
Dissecting Blackberry Z10

12. The Approaches
2. Fuzzers
 IOCTL fuzzing
• no params
• overlong strings
• pre-determined DWORDs
Process 1924486014 (python3.2) terminated SIGSEGV code=1 fltno=11
ip=011c90c4(/usr/lib/ldqnx.so.2@ioctl+0x113c) mapaddr=000790c4. ref=00000000
 Binary bit-/byteflipping (EDB-ID #7823)
12
Dissecting Blackberry Z10

13. The Approaches
3.1. System utilities. BOFs
Many missing: setuidgid, id, dumpifs…
Many interesting:
• confstr – current configuration including path, architecture and network
info
• dmc – digital media controller
• fsmon – file system monitor
• jsc – JavaScript engine for Webkit used on a device
• ldo-msm – LDO Driver
• mkdosfs – format a DOS filesystem (FAT-12/16/32)
• mkqnx6fs – format a filesystem (for QNX6, however, is presented in
Blackberry OS)
• and also tools such as mount, on, nfcservice, nvs_write_bin and displayctl.
13
Dissecting Blackberry Z10

14. The Approaches
3.1. System utilities. BOFs
Process 57340127 (displayctl) terminated SIGSEGV code=1 fltno=11
ip=788293d2(/base/usr/lib/graphics/msm8960/displayHALr086.so@dsi_get_pclk_freq+0x121) mapaddr=000093d2. ref=00000008
Process 249935086 (nowplaying) terminated SIGSEGV code=1 fltno=11
ip=78102cce(/usr/sbin/nowplaying@main+0x19d) ref=00000000
Process 1545237780 (charge_monitor) terminated SIGSEGV code=1 fltno=11
ip=010b998c(/usr/lib/ldqnx.so.2@message_detach+0x8) mapaddr=0003998c.
ref=00000028
Process 1543295477 (shutdown) terminated SIGSEGV code=1 fltno=11
ip=78117c3e(/proc/boot/shutdown-msm8960.so@pmic_ssbi_read+0x15)
mapaddr=00001c3e. ref=ffffffff
14
Dissecting Blackberry Z10

15. The Approaches
3.2. System utilities. Vulnerable syscalls. displayctl.
15
Dissecting Blackberry Z10

16. The Approaches
3.2. System utilities. Vulnerable syscalls. nvs_write_bin.
Nonvolatile (sometimes written as "non-volatile")
storage (NVS) - also known as nonvolatile memory or
nonvolatile random access memory (NVRAM) - is a
form of static random access memory whose
contents are saved when a computer is turned off or
loses its external power source. NVS is implemented
by providing static RAM with backup battery power
or by saving its contents and restoring them from an
electrically erasable programmable ROM (EPROM)
16
Dissecting Blackberry Z10

17. Agenda
Blackberry OS review
Shell Access
The Approaches
Firmware from the inside
Playing with the browser
Security on the application level
Funny with APIs
MDM capabilities
Efficiency of security features
Future research
17
Dissecting Blackberry Z10

18. Firmware from the inside
Firmware update? Yes, please!
MFCQ  QNX image
18
Dissecting Blackberry Z10

19. Firmware from the inside
Tools to deal with:
qfcm_parser.py  partitions!
chkqnx6fs  info about the images
dumpifs  IFS dump 
https://github.com/intrepidusgroup/pbtools
19
Dissecting Blackberry Z10

20. Firmware from the inside
Pearls inside:
ALL the scripts and configs can be read now!
 .script (starting up)
 ifs_variables.sh (sysvars)
 os_device_image_check
Microkernel itself
20
Dissecting Blackberry Z10

21. Firmware from the inside
Pearls inside:
Protected tools can be launched now!
persist-tool:
insecure syscalls
can be reproduced
(read/dump data)
21
Bootrom Version: 0x0523001D (5.35.0.29)
DeviceString: RIM BlackBerry Device
BuildUserName: ec_agent
BuildDate: Nov 3 2012
…
IsInsecureDevice: false
HWVersionOffset: 0x000000D4
NumberHWVEntries: 0x00000014
MemCfgTableOffset: 0x000000FC
MemCfgTableSize: 0x00000100
Drivers: 0x00000010 [ MMC ]
LDRBlockAddr: 0x2E02FE00
BootromSize: 0x00080000
BRPersistAddr: 0x2E0AFC00
Dissecting Blackberry Z10

22. Firmware from the inside
Pearls inside:
Funny comments (code reviewers will like it)
function setScreenScaling (width, height) { ...
//ZOOM TO POINT IS FULL OF BUGS - Docs state that coordinates should only ever be in center
of screen
… and more
// TODO: Once the QML bug about not being to access the page values that are provided as a
parameter to this slot is fixed ...
// The zipfile.ZipFile.write() method has a bug where it raises struct.error: ushort format requires 0
<= number <= USHRT_MAX
// Too many bytes for PNG signature. Potential overflow in png_zalloc()
22
Dissecting Blackberry Z10

23. Firmware from the inside
Pearls inside:
Facebook – too much;)





23
IDs
Emails
Mobile phones
Secrets
Passwords
Plaintext!
Dissecting Blackberry Z10

24. Agenda
Blackberry OS review
Shell Access
The Approaches
Firmware from the inside
Playing with the browser
Security on the application level
Funny with APIs
MDM capabilities
Efficiency of security features
Future research
24
Dissecting Blackberry Z10

25. Playing with the browser
 Webkit rendering engine
 Vulnerabilities are just the same (i.e. as for Google
Chrome)
25
Dissecting Blackberry Z10

26. Playing with the browser
Local file access from the browser
HTML page as an email
attachment
file://  nuts
Currently the vulnerability is removed
26
Dissecting Blackberry Z10

27. Agenda
Blackberry OS review
Shell Access
The Approaches
Firmware from the inside
Playing with the browser
Security on the application level
Funny with APIs
MDM capabilities
Efficiency of security features
Future research
27
Dissecting Blackberry Z10

28. Security on the Application Level
BlackBerry Z10 – Vulnerability in BlackBerry Protect
Limited:
by the inability of a potential attacker to force
exploitation of the vulnerability without significant
customer interaction and physical access to the device
Affected Software
 BlackBerry 10 OS version 10.0.10.261 and earlier,
except version 10.0.9.2743
 BlackBerry Z10 smartphone only
Currently the vulnerability is removed
28
Dissecting Blackberry Z10

29. Security on the Application Level
Special artifacts “.all” as a kind of logs
 PATH : /pps/system/<name>/.all
 Browsers : history
 Networking : ID, flags, MACs
 Device IDs : Hardware, PIN, Name, Serials, etc.
 Video Chats : params, call details:
 BlackBerry Bridge
 SapphireProxy
 Status, name, address, auth token, key
 Autostart param
 Routes: BB, BIS, BER: 127.0.0.2:188/189/187
 Results : access to internal network, internal storage, media
files, the rest (contacts, cal, .etc) in case of non-QNX device
Currently there is no details if it is solved
Author’s opinion : can’t be solved or cracked in similar ways
29
Dissecting Blackberry Z10

30. Agenda
Blackberry OS review
Shell Access
The Approaches
Firmware from the inside
Playing with the browser
Security on the application level
Funny with APIs
MDM capabilities
Efficiency of security features
Future research
30
Dissecting Blackberry Z10

31. Funny with APIs
 Useful ideas that make no enough sense
 Merging permissions into one group
 No way to emulate hardware inputs but results of
pressing are strongly restricted if there are
 Sandbox
 Malware is a personal application subtype in terms
of blackberry’s security
 Sandbox protects only app data, while user data
stored in shared folders
31
Dissecting Blackberry Z10

32. Funny with APIs
 Non-controlled activity by any permission
 Accessing to data passed through the clipboard
 Access to ‘Accounts’ leads to a ‘read’ access to
contacts,messages, notebooks, calendar by default
 MediaPlayer is a great way to access to the FS
 Access to file system in many ways and most cases
managing device’s resources
 Camera activity,
 Contact photos
 Calendar event attachments
 Message attachments (Email, BBM)
 Saving records (camera photos, video, audios)
32
Dissecting Blackberry Z10

33. Agenda
Blackberry OS review
Shell Access
The Approaches
Firmware from the inside
Playing with the browser
Security on the application level
Funny with APIs
MDM capabilities
Efficiency of security features
Future research
33
Dissecting Blackberry Z10

34. BlackBerry MDM
Agenda
100
1100
90
80
1200
1000
80,00
70
800
60
55
50
600
38,46
31,82
10,26
40
30
34
5
7
7
4
4
200
80
10
Quantity of Groups
Average perm per group
Efficiency
Totall permissions
400
49
20
20
0
16
16
BlackBerry Old
55
20
80,00
1100
Quantity of Groups
iOS
16
5
38,46
80
BlackBerry QNX
7
7
31,82
49
Dissecting per group
Average perm Blackberry Z10
Efficiency
Android
4
4
10,26
16
Totall permissions
0

35. Agenda
Blackberry OS review
Shell Access
The Approaches
Firmware from the inside
Playing with the browser
Security on the application level
Funny with APIs
MDM capabilities
Efficiency of security features
Future research
35
Dissecting Blackberry Z10

36. Efficiency of security features
 Activity
 Common Min/Average/Max quantity :: 2 / 8 / 34
 Additional Min/Average/Max quantity :: 0 / 2 / 7
 Derived Min/Average/Max quantity :: 3 / 31 / 116
 Permission
 Common Min/Average/Max quantity :: 0 – 1 – 3
 Additional Min/Average/Max quantity :: 1 – 0 – 1
 Derived Min/Average/Max quantity :: 4 – 4 – 8
 APIs
 Common / Significant quantity :: 100 – 61
 The most security unit is LED activity
36
Dissecting Blackberry Z10

37. Efficiency of security features
Ratio of common activities to permissions
34
35
30
25
21
20
18
17
14
15
10
6
6
5
5
0
8
7
4
1
3
3
2
1
1
1
2
Q. of m.+a. activity
37
4
3
2
2
4
4
2
1
1
Q. of m.+a. permission
Dissecting Blackberry Z10
1
4
4 3
1
1
2
2
5
1

38. Efficiency of security features
Ratio of derived activities to permissions
116
120
100
89
80
59
60
47
46
40
24
23
11
7
6
0
19
16
20
1
4
3
3
1
3
3
1
2
Q. of derived activities
38
2
9
3
2
1
2
Q. of derived perm
Dissecting Blackberry Z10
27
25
24
8
1
1
1
2
25
1

39. Efficiency of security features
250,00
250,00
250,00
200,00
150,00
12,50
3,37
3,45
100,00
16,67
16,67
60,00
8,70
14,29
5,08
66,67
66,67
9,09
88,89
66,67 66,67
50,00
50,00
5,56
19,05
5,88
14,29
6,25
16,67
4,26
11,76
25,00
5,26
25,00
0,00
% m+a activity vs perm
39
% m+a derived activity vs perm
Dissecting Blackberry Z10
50,00
50,00
33,33
25,00
2,17
4,17 8,00
3,70
7,14

40. Agenda
Blackberry OS review
Shell Access
The Approaches
Firmware from the inside
Playing with the browser
Security on the application level
Funny with APIs
MDM capabilities
Efficiency of security features
Future research
40
Dissecting Blackberry Z10

41. Future research
Image parser fuzzing
Jailbreak
IOCTL / syscalls further research
Play more with SSH
Blackberry Balance is not available yet
Permission collision
Overpemissioning by system applications and
services
Bypassing MDM features by both of previous
41
Dissecting Blackberry Z10

42. Full articles
… are available here (no SMS to send is required! Free for
a very limited time!)
Blackberry Z10 research
Blackberry and more
42
http://goo.gl/dP9iR
http://goo.gl/PpXxg
Dissecting Blackberry Z10