[2006-11-30] Cracking the BlackBerry with a $100 Key
The security model of that BlackBerry on your hip isn't holding up very well to third-party scrutiny.
According to a white paper by John O'Connor, a researcher on Symantec's security response team, hackers can pay $100 for an API developer key that can open doors to the theft of data from Research in Motion's BlackBerry devices.
O'Connor's paper was briefly posted -- and quickly yanked -- from a blog entry discussing the future of the BlackBerry device. It is not yet clear why Symantec pulled the paper (the rumor mill says it's being saved for a conference presentation) but a quick peek at the findings suggests there might have been some external pressure involved.
Some highlights from O'Connor's paper, which was seen by eWEEK Security Watch:
*** The BlackBerry's "modest" security framework it is still susceptible to multiple attacks, including being used as a backdoor, allowing confidential data to be exported.
*** The BlackBerry can be used as a proxy for attackers. Some of these attacks require applications to be digitally signed, while others can be conducted without such a signature.
*** While code-signing provides a potential hurdle for malicious code writers, signatures can still be obtained with relative ease and anonymity. Code-signing keys can be bought for $100 -- completely anonymously via the use of prepaid credit-cards. This completely undermines the ability to determine the creators of a signed application, and perhaps track them down in the case of malicious code being signed.
*** Sending and receiving SMS (text messages) is very simple on the BlackBerry, and doesn't require the code to be signed. Users will receive a prompt the first time the program attempts to send a message, asking if they wish to allow network access, but there are no further warnings on subsequent runs of the application. The same warning is used for an application making a HTTP connection or trying to send an SMS, meaning that a user could be easily fooled into sending very expensive premium SMS messages by an application that purports to connect to the Internet for legitimate purposes.
*** Premium rate "dialer" scams can be extended from the PC to BlackBerry devices, running up huge bills in the process. The application would work as follows:
User downloads and runs an application (e.g. a game with "post my high-score online" option).
If the code is unsigned, the user receives a prompt "Allow Network Access?"
User agrees (thinking he or she is posting high scores on a Web site)
The application proceeds to send a premium-rate SMS message in the background unbeknownst to the users until they receive their phone bills.
*** BlackBerry devices are susceptible to SMS interception attacks that allow hackers to send SMS via the infected device and receive the access code giving them free Wi-Fi access, while the victim is billed instead. Other SMS billable services include voting polls, parking and even using vending machines. Note that if the application is signed, the user will not even be prompted.
*** Signed applications can send e-mail and read incoming e-mail. A malicious application could be used to allow third parties to send messages from the infected BlackBerry and also read all received messages. A malicious application could also use e-mail as a command and control channel to receive instructions to send and receive e-mails; send and receive SMS messages; add, delete and modify contacts and PIM data; read dialed phone numbers; initiate phone calls; and open TCP/IP connections.
*** A malicious signed application can launch an e-mail worm by sending a message containing a link to a JAD (Java Application Descriptor) file. When the user opens this link, he or she will be prompted to install the worm code from a remote Web site maintained by the attacker.
*** An attacker could use a malicious signed application to read all the PIM data (contacts, events, to-do lists). This data can be transmitted to the attacker via e-mail, TCP sockets, SMS or telephony.
*** Data integrity stored in the PIM can be compromised by a signed application. Attack scenarios include changing the number associated with a contact name; changing the name associated with a phone number; deleting a contact, event or to-do task; changing the timing of a scheduled event; or reading all the contact names and numbers, and randomly swapping them.
O'Connor's paper also outlines ways in which BlackBerry phones can be manipulated to launch TCP backdoors, TCP scans, HTTP backdoors and infostealers, and spyware-type call monitoring.
He warns that the available API (without code signing) provides "limited opportunities" to exploit the BlackBerry platform. This will require social engineering, where the target is tricked into approving the attacks.
However, because the key can be purchased by anyone for just $100, O'Connor believes that a motivated attacker could develop a range of deceptive or malicious software that could not only compromise the BlackBerry handheld device and its data, but the integrity of the corporate network to which it is attached.
"As the device continues to become more popular, the incentives for such [malicious] individuals to target the BlackBerry will only increase," said O'Connor, who is based in Symantec's Dublin office.
Source: Security Watch - Exploits and Attacks - Cracking the BlackBerry with a $100 Key
Great do you work for the beast of redmond in their FUD depatment?
Just turn on "dis-allow" 3rd party apps on the BES. Job done..
I'm not so sure how "anonymous" the purchase of keys is, even for Developer signing keys. They still only give you limited access to APIs... so while his "If A then B" statement may (*may*) be true, I don't know how likely "A" is in the first place.
The article is accurate though in that they comment on how BB's popularity will make them more of a target. Likely still waaaaaaaaay less vulnerable than your standard WinMo device, but whatevs.
If you're aggregating work email thru BIS then this can only be done by Pop or OWA (not that I've evet got that working) - and this is to the RIM server that powers the BB device not to the device itself.
I agree that i'd like to ensure the code signing process is tight for authenticating the veracity of the problem, but it does seem a whole world of noise about something thats not so much of an issue if you correctly lock down your BB fleet.
Watch this space.. let me gues in the new year symantec will roll out Norton AV/AntiSpam/Anti-Trojan for BB...
|All times are GMT -5. The time now is 11:26 PM.|
Powered by vBulletin® Version 3.6.12
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.