Besides presenting a paper this year, I had members of my team sit in on a talk by a security researcher who claimed that multiple issues in BlackBerry Good Work’s software would allow attackers to bypass BlackBerry’s security measures.
I want to thank the researcher, Vincent Tan, for freely sharing his presentation with us beforehand. However, we do feel it left out a number of relevant things. First, in all recent versions of software from Good powered by BlackBerry, these issues have long been addressed and patched. Any current Good customer should be able to update to a fully secure version of our software.
Further, the researcher’s claims only apply in an extraordinarily narrow set of circumstances: an attacker must obtain physical access to and control of a targeted iPhone or iPad. The hacker must then bypass Good’s jailbreak detection, install a malicious application, and then activate the malicious application. This final step would require the hacker to trick the user into activating it, or to obtain the user’s username and password, most likely by executing a social engineering attack.
In other words, the attacker must steal an employee’s unlocked device, modify it, and return it to the employee without his or her knowledge. Tan presents this as simple, but it is far from easy to accomplish in practice. How inattentive would a worker have to be not to notice their phone has been stolen, and not to question where it’s been after it’s returned?
Unsurprisingly, the BlackBerry Security Incident Response Team (BBSIRT) has found no indication that any new or previously unknown vulnerabilities or issues in Good products were discovered by the researcher, nor any proof that any customers were actually attacked using these methods. Again, all vulnerabilities he referenced have already been patched in newer releases of Good software.
BlackBerry remains committed to improving all products and increasing the protection and control offered by our enterprise mobility management (EMM) solutions. With more than 80 certifications and approvals around the world, security is in BlackBerry’s DNA, and we’re the proven gold standard for mobility. Our BBSIRT is unique in the industry, and the front line in ensuring that public and private reports of vulnerabilities are rapidly addressed.
However, like all container software, Good can only do so much to secure data on a compromised system. And if an enterprise uses outdated software and neglects to train its users in proper security practices, there’s little any solution can do. You cannot protect an organization that does not care about security.
The public reporting of software vulnerabilities is a vital process that helps ensure security backdoors and holes are patched quickly. This exploit, fortunately, would’ve affected a tiny number of actual customers, and ONLY if they neglected security in the worst way possible. For everyone else, BlackBerry ensures that your software will always be as secure and threat-resistant as possible.
If you’re interested in learning more about BlackBerry’s approach to security, I will be re-presenting my Black Hat talk, “OSS Security Maturity: Time To Put On Your Big Boy Pants!”, this Tuesday with Risk Based Security CISO Jake Kouns.
Open-source software, while improving efficiency, interoperability, and business innovation, is not without its risks – vulnerabilities such as Heartbleed and Stagefright, insecure third-party libraries, and a lack of liability for software developers all represent significant concerns. You could find yourself using bug-riddled, vulnerable tools and working with vendors that don’t take your security seriously.
We’ll use this Future of Open Source Survey as a jumping-off point for our webinar. By the end, the audience will come to understand not just the open source threat landscape, but also how best to apply the principles of OSS security in defense of their organization.
Register here to take ownership of your security – and to learn how BlackBerry can help you do so.