BlackBerry prides itself with being a strong contender in the field of secure mobile platforms. While traditionally BlackBerryOS was based on a proprietary RTOS with a JVM propped on top, the architecture was completely overhauled with BlackBerryOS 10. Now the base operating system is the formerly off-the-shelf RTOS QNX, which doesn't exactly have an excellent security track record. Moreover, for the first time in BBOS history, native code applications are allowed on the platform.
This talk will present an analysis of the attack surface of BBOS 10, considering both ways to escalate privileges locally and routes for remote entry. Moreover, since exploitation is only half the work of offense, we'll show ways for rootkits to persist on the device. Last but not least we will settle whether BlackBerry Balance really holds what it promises: are mobile devices really ready to securely separate crucial business data from Angry Birds?
Ralf-Philipp Weinmann is a research associate at the Interdisciplinary Centre for Security, Reliability and Trust (SnT) of the University of Luxembourg. His research interests lie in the intersection of cryptography, privacy, mobile security and reverse-engineering. In the past years he was involved in speeding up attacks against WEP, the deDECTed.org team that broke the proprietary crypto of DECT, PWN2OWN wins and the first demonstrated remote vulnerabilities in cellular baseband stacks. He is one of the authors of the iOS Hacker's Handbook.