Article

SMS attacks against BlackBerry certificate flaw possible

SearchSecurity.com Staff

Research In Motion (RIM) has issued an advisory about a certificate handling flaw that could allow an attacker to easily trick users into visiting a malicious website. 

SearchSecurity.com:

To get security news and tips delivered to your inbox, 

    Requires Free Membership to View

click here to sign up for our free newsletter.

The certificate handling vulnerability enables an attacker to deceive BlackBerry users into clicking on a malicious link via a SMS text or email message. RIM said users can be easily tricked into believing they are browsing on a legitimate website, but instead are visiting a site controlled by an attacker. A dialog box, which informs users of a mismatch between a site domain name and the associated certificate, may fail to properly illustrate a mismatch.

Attackers could use null characters in the certificate name to trick the BlackBerry software into trusting the malicious website. The dialog box does not display null characters, so users will not be given a warning to close the connection, RIM said.

The vulnerability has a Common Vulnerability Scoring System (CVSS) score of 6.8. RIM issued a software update resolving the issue in BlackBerry Device Software version 4.5 and later. 

Researchers have been finding ways to bypass website certificates and trick users into believing they are on a legitimate website. In February, security researcher Moxie Marlinspike unveiled a hacking technique and new tool called SSLstrip, which tricks users into visiting an insecure look-alike page.

The latest extended validation (EV-SSL) certificates are also coming under increased scrutiny by researchers. In July, researchers Alexander Sotirov and Mike Zusman demonstrated man-in-the-middle attacks against EV-SSL protected websites. The attack enables a victim to continue to see a green address bar, but being in a compromised EV session.


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: