BlackBerry browser dialog box does not clearly indicate mismatches between web site domain names and associated certificates

Article ID: KB19552

Type:   Security Advisory

First Published: 09-28-2009

Last Modified: 06-04-2012

Product(s) Affected:

  • BlackBerry Internet Service
  • BlackBerry Enterprise Server

Affected Software

  • BlackBerry® Device Software (versions earlier than 5.0.0), certificate handling functionality

Non Affected Software

  • BlackBerry Device Software version 5.0.0 and later
  • BlackBerry® Desktop Software
  • BlackBerry® Enterprise Server software

Are BlackBerry smartphones and the BlackBerry Device Software affected?
Yes.

This issue affects all built-in browsers on affected BlackBerry devices (BlackBerry Browser, Internet Browser, WAP Browser, and Wi-Fi (Hotspot) Browser).

Issue Severity

This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 6.8.

Overview

This advisory relates to a BlackBerry browser dialog box that provides information about web site domain names and their associated certificates. The BlackBerry browser dialog box informs the BlackBerry device user when there is a mismatch between the site domain name and the domain name indicated in the associated certificate, but does not properly illustrate that the mismatch is due to the presence of some hidden characters (for example, null characters) in the site domain name.

Issue Status: Vulnerability confirmed. Check for software containing the security update based on your wireless service provider. For more information, see the Resolution section.

Who should read this advisory?

  • BlackBerry device users
  • BlackBerry Solution administrators

Recommendation

Complete the resolution actions documented in this advisory.

RIM recommends that BlackBerry device users exercise caution when clicking on links that they receive in email or SMS messages. If a user visits a site that causes a BlackBerry browser dialog box to warn the user about continuing the connection, the user should select Close connection.

Problem

A malicious user could create a web site that includes a certificate that is purposely altered using null (hidden) characters in the certificate's Common Name (CN) field or otherwise manipulated to deceive a BlackBerry device user into believing they have connected to a trusted web site.

If the malicious user then performs a phishing-style attack by sending the BlackBerry device user a link to the web site in an SMS or email message that appears to be from a trusted source, and the BlackBerry device user chooses to access that site, the BlackBerry browser will correctly detect the mismatch between the certificate and the domain name and display a dialog box that prompts the user to close the connection. However, the dialog box does not display null characters, so the user may believe they are connecting to a trusted site and disregard the recommended action to close the connection.

Impact

A malicious user may be able to deceive a BlackBerry device user into connecting to a web site that is controlled by the malicious user.

Resolution

RIM has issued a software update that resolves this issue in BlackBerry Device Software version 4.5 and later. Versions earlier than 4.5 are unsupported, and versions 5.0.0 and later are unaffected.

To check for available updates for your BlackBerry Device Software, visit http://www.blackberry.com/updates/ .

Update to the BlackBerry Device Software applications version for your BlackBerry device model as indicated in the table below to resolve this issue. If the updated applications version indicated is not available, contact your wireless service provider (carrier).

Current applications version       Applications version to update to
--------------------------------   ---------------------------------
Version 4.5.0.x                    Version 4.5.0.173 or later
Version 4.6.0.x                    Version 4.6.0.303 or later
Version 4.6.1.x                    Version 4.6.1.309 or later
Version 4.7.0.x                    Version 4.7.0.179 or later
Version 4.7.1.x                    Version 4.7.1.57 or later


The updated BlackBerry Device Software is designed to depict null (hidden) characters in the BlackBerry browser dialog box that appears when the user visits a web site with a certificate that does not match the site domain name. In the updated BlackBerry Device Software, the BlackBerry device represents previously hidden null characters with a block, and highlights the non-matching portion of the domain name in bold.
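To make the Problem and Resolution sections concrete, the following is an added Python example; it is not RIM's code and not the BlackBerry browser's implementation. It contrasts a display routine that silently drops hidden characters (the pre-fix behaviour) with one that compares the full certificate Common Name against the requested host, never accepts a name containing hidden characters, and renders the warning the way the updated software does: hidden characters become a block and the non-matching labels are marked (square brackets stand in for the bold highlighting). The host names and certificate names are constructed samples, and treating every Unicode control and format character as hidden is an assumption of this example; the advisory itself names only null characters.

```python
# Added example, not RIM's code: comparing a certificate Common Name (CN) against
# the requested host name, and rendering a mismatch so that hidden characters
# cannot disguise it. All names below are constructed samples.
import unicodedata

BLOCK = "\u2588"  # visible stand-in for a hidden character, as in the updated dialog


def is_hidden(ch: str) -> bool:
    """True for characters a plain text widget draws as nothing.

    NUL (category Cc) is the case in the advisory; treating every other control
    (Cc) and format (Cf) character the same way is an assumption of this example.
    """
    return unicodedata.category(ch) in ("Cc", "Cf")


def legacy_display(cn: str) -> str:
    """Pre-fix behaviour: hidden characters are simply not drawn, so
    'secure.bank.example\\x00.attacker.example' looks like an ordinary name."""
    return "".join(c for c in cn if not is_hidden(c))


def cn_matches_host(cn: str, host: str) -> bool:
    """Strict whole-string comparison (case-insensitive, as DNS names are).

    A CN containing any hidden character never matches: a C-style strcmp() that
    stops at the first NUL would see only the part before it and be fooled.
    """
    if any(is_hidden(c) for c in cn):
        return False
    return cn.lower() == host.lower()


def render_mismatch(cn: str, host: str) -> str:
    """Render the CN for the warning dialog: hidden characters become BLOCK and
    labels that do not match the requested host are wrapped in [ ] (standing in
    for the bold highlighting of the updated device software).

    DNS names are suffix-aligned, so labels are compared from the right.
    """
    cn_labels = cn.split(".")
    host_labels = host.split(".")
    rendered = []
    for i in range(1, len(cn_labels) + 1):
        label = cn_labels[-i]
        visible = "".join(BLOCK if is_hidden(c) else c for c in label)
        matches = (
            i <= len(host_labels)
            and not any(is_hidden(c) for c in label)
            and label.lower() == host_labels[-i].lower()
        )
        rendered.append(visible if matches else "[" + visible + "]")
    # join, then merge runs of adjacent marked labels into one highlighted span
    return ".".join(reversed(rendered)).replace("].[", ".")


def evaluate(cn: str, host: str) -> tuple:
    """Return (accepted, message) for a connection to `host` presenting `cn`."""
    if cn_matches_host(cn, host):
        return True, "certificate name matches " + host
    note = ""
    if any(is_hidden(c) for c in cn):
        note = " (the certificate name contains hidden characters)"
    return False, (
        "WARNING: certificate is for " + render_mismatch(cn, host)
        + " but the site is " + host + note + ". Close connection."
    )


if __name__ == "__main__":
    crafted = "secure.bank.example\x00.attacker.example"  # constructed sample CN
    print("old dialog showed:", legacy_display(crafted))
    print(evaluate(crafted, "attacker.example")[1])
    print(evaluate("www.example.com", "example.com")[1])
```

Running the block shows the contrast: the legacy rendering of the crafted name prints as `secure.bank.example.attacker.example`, while the corrected warning prints `[secure.bank.example█].attacker.example`, so the user can see both the hidden character and exactly which part of the name did not match.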

Workaround

RIM recommends that BlackBerry device users exercise caution when clicking on links that they receive in email or SMS messages. If a user visits a site that causes a BlackBerry browser dialog box to warn the user about continuing the connection, the user should select Close connection.

Acknowledgements

RIM thanks both Mobile Security Lab and CESG for separately reporting this issue to RIM, and for working with RIM to protect its customers.

Change Log

06-04-2012

Updates to article formatting. No technical content changed.

09-02-10

Updates to article formatting. No technical content changed.

12-21-09

Article updated to clarify which versions of the BlackBerry Device Software are affected by the issue.

09-30-09

Article updated to reflect that the issue affects all built-in browsers on affected BlackBerry devices (BlackBerry® Browser, Internet Browser, WAP browser, and Wi-Fi® (Hotspot) browser).

Disclaimer

By downloading, accessing or otherwise using the Knowledge Base documents you agree:

   (a) that the terms of use for the documents found at www.blackberry.com/legal/knowledgebase apply to your use or reference to these documents; and

   (b) not to copy, distribute, disclose or reproduce, in full or in part any of the documents without the express written consent of RIM.
