Research in Motion may have improved the overall experience on the PlayBook with its recent update, but security researchers recently revealed that the device leaves corporate email and user information open to potential hackers. Researchers Zach Lanier and Ben Nell of Intrepidus Group uncovered a vulnerability in the PlayBook's Bridge application that leaves the application's authentication token where anyone could dig it up.
Vulnerability lies in PlayBook Bridge application
The Bridge application lets you connect the PlayBook to a BlackBerry smartphone via Bluetooth. It is currently necessary to connect to your BlackBerry with Bridge if you want to access your corporate email and calendars using the PlayBook. While the connection itself remains secure, the .ALL file gives access to the BlackBerry Bridge token, your BBM user name and information, your bookmarks, and other information specific to the device and its user.
Any native application for the PlayBook can access the .ALL file. A hacker could release a malicious application for the PlayBook that could gather private information about each user and device. If a hacker obtains your BBM user name and password, they can access your secure corporate email.
Research in Motion immediately announces non-immediate fix
When the research team announced the Bridge exploit at a computer security conference on January 12, Research in Motion released a statement that included a promise to fix the exploit in the PlayBook 2.0 update coming in February. From the statement: “The BlackBerry PlayBook issue described at the Infiltrate security conference has been resolved with BlackBerry PlayBook OS 2.0, which is scheduled to be available as a free download to customers in February 2012. There are no known exploits, and risk is mitigated by the fact that a user would need to install and run a malicious application after initiating a BlackBerry Bridge connection with their BlackBerry smartphone.”
If you have any applications on your PlayBook that do not come from a trusted source, uninstall them immediately. Until the PlayBook 2.0 update is released, do not download any further applications unless they come from a trusted source.
What does this mean for RIM?
RIM should be fixing this vulnerability immediately rather than leaving it until February if it wants to bolster the PlayBook's reputation as the tablet for corporate business. With Samsung nipping at RIM's heels with its recently acquired FIPS security clearance for Galaxy Tab 10.1 devices, RIM needs to be seen as the secure choice for enterprise, government and small business. Simply rolling the fix into the next update just doesn't fit the bill for business users who are immediately concerned about the security of their devices, however marginal the threat may be.