Information Security News:

SMS attacks against BlackBerry certificate flaw possible

By SearchSecurity.com Staff

30 Sep 2009 | searchSecurity.in

Research In Motion (RIM) has issued an advisory about a certificate handling flaw that could allow an attacker to easily trick users into visiting a malicious website.

The certificate handling vulnerability enables an attacker to deceive BlackBerry users into clicking on a malicious link sent via an SMS text or email message. RIM said users can be easily tricked into believing they are browsing a legitimate website when they are in fact visiting a site controlled by an attacker. The dialog box that is supposed to inform users of a mismatch between a site's domain name and the associated certificate may fail to properly indicate that mismatch.

Attackers could use null characters in the certificate name to trick the BlackBerry software into trusting the malicious website. The dialog box does not display null characters, so users will not be given a warning to close the connection, RIM said.
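As an added illustration (not from RIM's advisory or the BlackBerry code), the following C shows the underlying failure in simplified form: a hostname check that treats a length-prefixed certificate name as a NUL-terminated C string stops at the embedded null and accepts a constructed name, while a check over the full encoded length rejects it. The sample CN and both check functions are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* A certificate subject CN as it is stored in DER: an explicit length plus
 * raw bytes. Constructed sample: "www.example.com" followed by a NUL and
 * ".attacker.test". A display or comparison that stops at the NUL only ever
 * sees the trusted-looking prefix. */
static const unsigned char SAMPLE_CN[] = "www.example.com\0.attacker.test";
static const size_t SAMPLE_CN_LEN = sizeof(SAMPLE_CN) - 1; /* drop C terminator */

/* Vulnerable check: ignores the DER length and uses strcmp, which stops at
 * the first NUL byte, so the attacker-controlled suffix is never compared. */
bool naive_cn_matches(const unsigned char *cn, size_t cn_len, const char *host)
{
    (void)cn_len; /* the encoded length is discarded: this is the defect */
    return strcmp((const char *)cn, host) == 0;
}

/* Hardened check: a hostname can never legitimately contain a NUL byte, so
 * any NUL is an immediate mismatch; otherwise compare the full length. */
bool strict_cn_matches(const unsigned char *cn, size_t cn_len, const char *host)
{
    if (memchr(cn, '\0', cn_len) != NULL)
        return false;
    if (cn_len != strlen(host))
        return false;
    return memcmp(cn, host, cn_len) == 0;
}

/* Number of bytes a dialog would render if it treats the CN as a C string,
 * i.e. how much of the name the user actually gets to see. */
size_t displayed_length(const unsigned char *cn, size_t cn_len)
{
    const unsigned char *nul = memchr(cn, '\0', cn_len);
    return nul ? (size_t)(nul - cn) : cn_len;
}

int main(void)
{
    printf("encoded CN length : %zu\n", SAMPLE_CN_LEN);
    printf("displayed length  : %zu\n", displayed_length(SAMPLE_CN, SAMPLE_CN_LEN));
    printf("naive check       : %s\n",
           naive_cn_matches(SAMPLE_CN, SAMPLE_CN_LEN, "www.example.com") ? "ACCEPT" : "reject");
    printf("strict check      : %s\n",
           strict_cn_matches(SAMPLE_CN, SAMPLE_CN_LEN, "www.example.com") ? "accept" : "REJECT");
    return 0;
}
```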

The vulnerability has a Common Vulnerability Scoring System (CVSS) score of 6.8. RIM issued a software update resolving the issue in BlackBerry Device Software version 4.5 and later.

Researchers have been finding ways to bypass website certificates and trick users into believing they are on a legitimate website. In February, security researcher Moxie Marlinspike unveiled a hacking technique and new tool called SSLstrip, which tricks users into visiting an insecure look-alike page.

The latest extended validation (EV-SSL) certificates are also coming under increased scrutiny from researchers. In July, researchers Alexander Sotirov and Mike Zusman demonstrated man-in-the-middle attacks against EV-SSL protected websites. In that attack the victim continues to see a green address bar while actually being in a compromised EV session.