I just came across this story on my BlackBerry. John O'Connor, who is a researcher on Symantec's security response team, claims hackers can pay $100 for an API developer key. With this, he says, a hacker can gain access to information on a BlackBerry. Apparently the information was posted on a blog and then pulled off, but not before eWEEK Security Watch got a peek. Ultimately it sounds like O'Connor thinks RIM has made it too easy to get a code-signing key without having to reveal who you really are.
He cautions about text messaging weaknesses as well as malicious applications being able to access email and contact information. Then these programs would be able to send out the stolen information via email or data.
What do you think?








1. You can now buy prepaid credit cards for cash in the US to allow you to purchase goods online. Unfortunately, these credit cards work for buying the RIM signing keys. This means a virus writer could anonymously create malicious software.
A simple way to close this hole is for RIM to be able to distinguish between traditional credit card numbers and the newer prepaid ones. Whether or not this is possible I don't know (there may be a formula that distinguishes them, similar to the Luhn algorithm: http://meshsystem.net/default.asp?Display=14 )
This security gap means that someone could write a simple game which uploads scores to an online server. At the same time it could upload all your personal details stored on your BlackBerry and you'd never know about it. This is discussed briefly in the original PDF about the exploit: http://www.praetoriang.net/presentations/blackjack.html
Posted at 9:02AM on Dec 1st 2006 by Jonathan Fisher