According to an advisory published by Research In Motion (RIM), BlackBerry mobile devices are open to attack due to a certificate notification flaw in the smartphone’s software. The problem lies in the BlackBerry Browser dialog box that alerts users if the URL they have clicked on does not match the domain they are being sent to.
RIM published an advisory related to a BlackBerry browser dialog box that provides information about web site domain names and their associated certificates. The BlackBerry browser dialog box informs the BlackBerry device user when there is a mismatch between the site domain name and the domain name indicated in the associated certificate, but does not properly illustrate that the mismatch is due to the presence of some hidden characters (for example, null characters) in the site domain name. This issue affects all built-in browsers on affected BlackBerry devices (BlackBerry Browser, Internet Browser, WAP Browser, and Wi-Fi (Hotspot) Browser).
Using this security flaw, a malicious user could create a web site that includes a certificate that is purposely altered using null (hidden) characters in the certificate’s Common Name (CN) field or otherwise manipulated to deceive a BlackBerry device user into believing they have connected to a trusted web site.
RIM recommends that BlackBerry device users exercise caution when clicking on links that they receive in email or SMS messages. If a user visits a site that causes a BlackBerry browser dialog box to warn the user about continuing the connection, the user should select Close connection.
A malicious user may be able to deceive a BlackBerry device user into connecting to a web site that is controlled by the malicious user.
If the malicious user then performs a phishing-style attack by sending the BlackBerry device user a link to the web site in an SMS or email message that appears to be from a trusted source, and the BlackBerry device user chooses to access that site, the BlackBerry browser will correctly detect the mismatch between the certificate and the domain name and display a dialog box that prompts the user to close the connection. However, the dialog box does not display null characters, so the user may believe they are connecting to a trusted site and disregard the recommended action to close the connection.
RIM has issued a software update that resolves this issue in BlackBerry Device Software version 4.5 and later. To check for available updates for your BlackBerry Device Software, visit http://www.blackberry.com/updates/.
The updated BlackBerry Device Software is designed to depict null (hidden) characters in the BlackBerry browser dialog box that appears when the user visits a web site with a certificate that does not match the site domain name. In the updated BlackBerry Device Software, the BlackBerry device represents previously hidden null characters with a block, and highlights the non-matching portion of the domain name in bold.
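The two renderings described above, as an added illustration that is not RIM's code: a naive display that silently truncates the certificate name at the first null character, beside a display that substitutes a visible block for hidden characters and marks the portion of the name that does not match the site. The certificate name and site host are constructed sample values.

```python
import unicodedata

# Glyph that stands in for a hidden (null, control or format) character in the warning dialog.
VISIBLE_BLOCK = "\u2588"


def naive_display(cert_cn: str) -> str:
    """Vulnerable rendering: a C-string style display stops at the first null byte,
    so "www.example.com\\x00.attacker-example.net" is shown as "www.example.com"."""
    return cert_cn.split("\x00", 1)[0]


def make_visible(name: str) -> str:
    """Hardened rendering: every character in a Unicode 'C*' category (control,
    format, surrogate, private-use, unassigned) is replaced by a visible block."""
    return "".join(
        VISIBLE_BLOCK if unicodedata.category(ch)[0] == "C" else ch for ch in name
    )


def hostname_matches(cert_cn: str, site_host: str) -> bool:
    """Compare the whole certificate name, never a null-truncated prefix of it.
    Any embedded null is treated as a mismatch outright."""
    if "\x00" in cert_cn:
        return False
    return cert_cn.lower() == site_host.lower()


def render_mismatch(cert_cn: str, site_host: str) -> str:
    """Build the warning text shown when hostname_matches() is False: hidden characters
    become blocks and the non-matching tail is wrapped in [ ] (standing in for bold)."""
    shown = make_visible(cert_cn)
    # Length of the case-insensitive prefix the certificate name shares with the site host.
    i = 0
    limit = min(len(shown), len(site_host))
    while i < limit and shown[i].lower() == site_host[i].lower():
        i += 1
    matched, rest = shown[:i], shown[i:]
    return f"Certificate name: {matched}[{rest}] does not match site: {site_host}"


if __name__ == "__main__":
    # Constructed sample: a certificate name carrying a null before a second domain.
    cn = "www.example.com\x00.attacker-example.net"
    host = "www.example.com"
    print("naive   :", naive_display(cn))
    if not hostname_matches(cn, host):
        print("hardened:", render_mismatch(cn, host))
```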