SMS attacks against BlackBerry certificate bug possible


SMS attacks against BlackBerry certificate bug possible Staff

Research In Motion (RIM) has issued an advisory about a certificate handling flaw that could allow an attacker to easily trick users into visiting a malicious website.

The certificate handling vulnerability enables an attacker to deceive BlackBerry users into clicking on a malicious link via a SMS text or email message. RIM said users can be easily tricked into believing they are browsing on a legitimate website, but instead are visiting a site controlled by an attacker. A dialog box, which informs users of a mismatch between a site domain name and the associated certificate, may fail to properly illustrate a mismatch.

Attackers could use null characters in the certificate name to trick the BlackBerry software into trusting the malicious website. The dialog box does not display null characters, so users will not be given a warning to close the connection, RIM said.

The vulnerability has a Common Vulnerability Scoring System (CVSS) score of 6.8. RIM issued a software update resolving the issue in BlackBerry Device Software version 4.5 and later.

Researchers have been finding ways to bypass website certificates and trick users into believing they are on a legitimate website. In February, security researcher Moxie

Continue Reading This Article

Enjoy this article as well as all of our content, including E-Guides, news, tips and more.

By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.

You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

Safe Harbor

Marlinspike unveiled a hacking technique and new tool called SSLstrip, which tricks users into visiting an insecure look-alike page.

The latest extended validation (EV-SSL) certificates are also coming under increased scrutiny by researchers. In July, researchers Alexander Sotirov and Mike Zusman demonstrated man-in-the-middle attacks against EV-SSL protected websites. The attack enables a victim to continue to see a green address bar, but being in a compromised EV session.