Blackberry Pwnage - the Bluejay Strikes
Federico Muttis
RSA 2013
blackberry mobile exploitation


In this talk we analyze vulnerabilities in BlackBerries and reveal a tool, BlueJay,
that allows you to analyze the mobile's memory and siphon some information from the device.
The brilliant attack executed by Iozzo, Pinckaers and Weinmann at Pwn2Own 2011 (two of the three vulnerabilities remain unpatched)
provided a big incentive to look for BlackBerry vulnerabilities. Since neither a PoC nor full
details were published, it is still interesting for the community to learn how to dissect these
devices and pwn them. Building on these hints and our prior investigations, we set out to reconstruct
the attack. We first developed a tool to inspect the device's memory and some helper tools, including
BlackBerry applications and some external tools. BlueJay, our toolkit, which is being released together
with this talk, uses a wide variety of techniques, such as HTTP push, and benefits from some of the nifty
additions to HTML5. Furthermore, we'll show how we reconstructed some secret BlackBerry internals and
give a detailed description of the exploits involved in the attack.