eWeek Security Watch
November 30, 2006 3:37 PM

Cracking the BlackBerry with a $100 Key



The security model of that BlackBerry on your hip isn't holding up very well to third-party scrutiny.

According to a white paper by John O'Connor, a researcher on Symantec's security response team, hackers can pay $100 for an API developer key that can open doors to the theft of data from Research in Motion's BlackBerry devices.

O'Connor's paper was briefly posted -- and quickly yanked -- from a blog entry discussing the future of the BlackBerry device. It is not yet clear why Symantec pulled the paper (the rumor mill says it's being saved for a conference presentation) but a quick peek at the findings suggests there might have been some external pressure involved.

Some highlights from O'Connor's paper, which was seen by eWEEK Security Watch:

*** The BlackBerry's "modest" security framework is still susceptible to multiple attacks, including being used as a backdoor that allows confidential data to be exported.

*** The BlackBerry can be used as a proxy for attackers. Some of these attacks require applications to be digitally signed, while others can be conducted without such a signature.


*** While code-signing provides a potential hurdle for malicious code writers, signatures can still be obtained with relative ease and anonymity. Code-signing keys can be bought for $100 -- completely anonymously via the use of prepaid credit cards. This completely undermines the ability to determine the creators of a signed application, and perhaps track them down in the case of malicious code being signed.

*** Sending and receiving SMS (text messages) is very simple on the BlackBerry, and doesn't require the code to be signed. Users will receive a prompt the first time the program attempts to send a message, asking if they wish to allow network access, but there are no further warnings on subsequent runs of the application. The same warning is used for an application making an HTTP connection or trying to send an SMS, meaning that a user could be easily fooled into sending very expensive premium SMS messages by an application that purports to connect to the Internet for legitimate purposes.

*** Premium rate "dialer" scams can be extended from the PC to BlackBerry devices, running up huge bills in the process. The application would work as follows:

  • User downloads and runs an application (e.g. a game with a "post my high-score online" option).
  • If the code is unsigned, the user receives a prompt "Allow Network Access?"
  • User agrees (thinking he or she is posting high scores on a Web site).
  • The application proceeds to send a premium-rate SMS message in the background, unbeknownst to the user until the phone bill arrives.

*** BlackBerry devices are susceptible to SMS interception attacks that allow hackers to send SMS via the infected device and receive the access code giving them free Wi-Fi access, while the victim is billed instead. Other SMS billable services include voting polls, parking and even using vending machines. Note that if the application is signed, the user will not even be prompted.
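The security-relevant point in the scenario above is permission granularity: a single remembered "Allow Network Access?" answer covers both an HTTP connection and an SMS, and a signed application gets no prompt at all. The following is an added example (not code from O'Connor's paper, from RIM's API, or from the original post) that models that prompt behaviour in Python and replays the "post my high score" sequence against it, alongside a hypothetical finer-grained policy for comparison. All class names, the capability set, the short-code rule and the "highscore_game" application are constructed for the illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class Cap(Enum):
    """Capabilities a third-party application can request (constructed set)."""
    HTTP = "http"
    SMS_SEND = "sms_send"
    PIM_READ = "pim_read"


@dataclass(frozen=True)
class App:
    name: str
    signed: bool


def is_premium(destination: str) -> bool:
    """Constructed rule: a short code of five digits or fewer is treated as premium-rate."""
    digits = destination.lstrip("+")
    return digits.isdigit() and len(digits) <= 5


class CoarsePolicy:
    """Models the prompt behaviour described above: one remembered
    'Allow network access?' answer covers both HTTP and SMS, and a signed
    application is never asked at all."""

    GROUP = {Cap.HTTP: "network", Cap.SMS_SEND: "network", Cap.PIM_READ: "pim"}

    def __init__(self) -> None:
        self.grants: Dict[Tuple[str, str], bool] = {}

    def decide(self, app: App, cap: Cap, answer: Optional[bool] = None,
               destination: str = "") -> str:
        if app.signed:
            return "allowed"
        key = (app.name, self.GROUP[cap])
        if key not in self.grants:
            if answer is None:
                return f"prompt:Allow {self.GROUP[cap]} access?"
            self.grants[key] = answer  # remembered for every later run
        return "allowed" if self.grants[key] else "denied"


class FineGrainedPolicy:
    """Hypothetical stricter design: one grant per capability rather than per
    group, and a premium-rate SMS always needs a fresh per-message confirmation
    naming the destination, whether or not the code is signed."""

    def __init__(self) -> None:
        self.grants: Dict[Tuple[str, str], bool] = {}

    def decide(self, app: App, cap: Cap, answer: Optional[bool] = None,
               destination: str = "") -> str:
        if cap is Cap.SMS_SEND and is_premium(destination):
            if answer is None:
                return f"prompt:Send premium SMS to {destination}?"
            return "allowed" if answer else "denied"  # never remembered
        if app.signed:
            return "allowed"
        key = (app.name, cap.value)
        if key not in self.grants:
            if answer is None:
                return f"prompt:Allow {cap.value}?"
            self.grants[key] = answer
        return "allowed" if self.grants[key] else "denied"


def dialer_scenario(policy, signed: bool = False) -> Tuple[str, str]:
    """Replays the 'post my high score' sequence against a policy.

    Step 1: the game asks for HTTP and the user answers Allow (believing it
    posts a score).  Step 2: the game attempts an SMS to a premium short code
    with no user interaction.  Returns the policy decision for each step.
    """
    game = App("highscore_game", signed=signed)
    first = policy.decide(game, Cap.HTTP, answer=True)
    second = policy.decide(game, Cap.SMS_SEND, destination="12345")
    return first, second


if __name__ == "__main__":
    for label, policy in (("coarse", CoarsePolicy()), ("fine-grained", FineGrainedPolicy())):
        for signed in (False, True):
            state = "signed" if signed else "unsigned"
            print(label, state, dialer_scenario(policy, signed))
```

Run stand-alone, the coarse model returns `("allowed", "allowed")` for the unsigned game: the user's one "Allow network access?" answer silently covers the later premium SMS, which is exactly the gap the article describes. The fine-grained model returns `"prompt:Send premium SMS to 12345?"` for the second step, signed or not, because a cost-bearing action is confirmed per message rather than inherited from an earlier, unrelated grant.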

*** Signed applications can send e-mail and read incoming e-mail. A malicious application could be used to allow third parties to send messages from the infected BlackBerry and also read all received messages. A malicious application could also use e-mail as a command and control channel to receive instructions to send and receive e-mails; send and receive SMS messages; add, delete and modify contacts and PIM data; read dialed phone numbers; initiate phone calls; and open TCP/IP connections.

*** A malicious signed application can launch an e-mail worm by sending a message containing a link to a JAD (Java Application Descriptor) file. When the user opens this link, he or she will be prompted to install the worm code from a remote Web site maintained by the attacker.

*** An attacker could use a malicious signed application to read all the PIM data (contacts, events, to-do lists). This data can be transmitted to the attacker via e-mail, TCP sockets, SMS or telephony.

*** The integrity of data stored in the PIM can be compromised by a signed application. Attack scenarios include changing the number associated with a contact name; changing the name associated with a phone number; deleting a contact, event or to-do task; changing the timing of a scheduled event; or reading all the contact names and numbers and randomly swapping them.

O'Connor's paper also outlines ways in which BlackBerry phones can be manipulated to launch TCP backdoors, TCP scans, HTTP backdoors and infostealers, and spyware-type call monitoring.

He warns that the available API (without code signing) provides "limited opportunities" to exploit the BlackBerry platform. This will require social engineering, where the target is tricked into approving the attacks.

However, because the key can be purchased by anyone for just $100, O'Connor believes that a motivated attacker could develop a range of deceptive or malicious software that could compromise not only the BlackBerry handheld device and its data, but the integrity of the corporate network to which it is attached.

"As the device continues to become more popular, the incentives for such [malicious] individuals to target the BlackBerry will only increase," said O'Connor, who is based in Symantec's Dublin office.

Comments (15)

Aaron :

Of course, if your BlackBerry device is on a Corporate BES, and their IT Admin has -DISABLED- 3rd party applications, you can't install them on your device.

You can't even get to read .JAD files if your BES is disabling things.

Big Corporations are on the BES.

Yes, you can do this to people who purchase BlackBerry devices on the street, but you cannot for the Corporate User.

Nikolai Grigoriev :

First of all, this is all about installing untrusted applications. This does not compromise the security of the device in any way because you need to install the malicious application first.

Unlike the security model used in the MIDP environment, the RIM certificate system is "flat", i.e. there are no security domains and no certificate chains. The application either has one of 6 known signatures (only 4 are publicly available for purchase, you get only 3 signers for $100) or it does not. The granularity is not enough for a secure system dealing with 3rd party applications.

But, again, if you do not install any untrusted applications (i.e. the applications coming from the sources you trust) there is no obvious way to set up a "back door".

"Sending and receiving SMS (text messages) is very simple on the BlackBerry, and doesn't require the code to be signed" - this is not true. There is a security pop-up displayed when an unsigned application tries to work with SMSes or with the data network.

In general, I believe this device is adequately protected. Just like on your Windows PC, if you install untrusted software and open suspicious attachments, you will get into trouble. For corporate use the enterprise server software allows better control of the security policy. Most administrators, for example, disable installing of 3rd party software.

In general, there are no secure environments, there are environments that are adequately protected or not.

Here, have some extra traffic.

Craig :

This is just a re-hash of the information that Jesse D'Aguanno already presented at DefCon earlier this year.
Nothing new, and if you listen to this interview (see link below) you'll discover that RIM has more than adequate methods in place to combat this. The BlackBerry is far more protected than Windows Mobile, Palm OS, and Symbian mobile devices and this is why it's so prevalent.

http://mca.libsyn.com/index.php?post_id=119240

Stefan :

The comment about BES making things secure is baloney, because users can still load some applications using the BlackBerry desktop software. However, I do agree that this is less about the device's security, and more about the user being careless. I'd rather NOT have a stupid-proof device that warns me or double-checks every action with me, thanks.

If you have users incapable of being taught how to safely use their BlackBerry, buy them something that doesn't do wireless data.

Al Romn :

As Nicolai said, you must install the untrusted app first. Most corp VPNs will not allow installs from users.
Small users do and will fall for untrusted openings. The security software add-on needs to be active to pop up the warning. Still, that's the individual's choice and has nothing to do with the product.
Can you create back-doors for any environment? You bet, someone will be interested; especially in the EU, where already you can transact money with your phone to buy most entertainment tix and small transactions. Can you direct line charges? You bet, but it is easier said than done, and it is not a $100 deal.

Craig :

Stefan.

The BES can be set up in such a way that it prevents the user from installing apps via the DM, via the ActiveX web component, and via web OTA.

I've done it.

The device rejects the app. The only apps that can be installed are via the BES wireless app push (i.e. a white list).

Users not on a BES however could be tricked into installing apps via social engineering, and those same users will ignore the popup that displays the first time the app runs. However the impact of that trojan will at least not impact a large company.

Think about how insecure other platforms are. Windows Mobile, Palm OS, Symbian?

Nikolai Grigoriev is correct on all accounts. And as mentioned in a comment above, users on the BES with the appropriate IT Policy can be locked down to the extreme if it is so desired.

Nikolai also hits on one thing that needs to be reiterated, "In general, there are no secure environments...".

These vulnerabilities are no different than any other device including a PC. On a PC a program can hunt down private/confidential/personal information, and attack in the same ways described above.

Let's make this clear: there is absolutely no need for anyone to be alarmed. If anything, the BlackBerry provides a more secure environment than the alternatives, while still enabling custom developed applications to meet the needs of consumers and corporate users.

Chad Smith :

The paper was probably pulled for being factually flawed or insignificant, scaremongering. Such is the Symantec way.

Greg :

Good thing I only use the BlackBerry for the "Brick Breaker" game.

Jeff Dorg :

Having done development for both BlackBerry and Windows Mobile 5, I can tell you that the BlackBerry is NO MORE secure than Windows Mobile 5.. maybe less so depending on which APIs one would vote as being most critical or likely to be exploited. BlackBerry is certainly much more difficult to develop for.

gene :

say i have the key ........ 850 391 1455........

J :

Jeff Dorg, you state that "Blackberry is NO MORE secure than Windows Mobile 5..". Did you take into account server middleware security as well? While Windows Mobile 5's security is purely device-based, BlackBerry's security is structured around server and device.

Gary :

Jeff Dorg is correct in stating that BB is NO MORE secure than Win Mobile. A few things to note here:

1. Many of you mention the need for a BES to manage the security threat. I submit that BES is more expensive and intrusive than loading 3rd party security software (i.e., Trust Digital or Bluefire) on a WM device. Keep in mind that technically, the ENTIRE BB solution is 3rd party s/w.

2. "J", you are wrong to state that WM is completely device-based. I can mandate policy from the Exchange Server to the WM devices. Your info is a bit dated there. I can also issue kill commands to WM devices from the server side.

3. You cannot have a BB device authenticate to your Domain Controllers using a smart card. This is important if you want true two-factor authentication and the added security of certificate revocation checks.

So in short, I would argue that by adding some inexpensive, low-altitude security software to a WM platform, I can make it more secure than BB. Most of the pro-BB chatter I hear out there these days is tied to the love affair most executives have with BB. They are very reluctant/closed-minded to alternative mobile office solutions. For their part, RIM does a great job of snowing over any concerns users have to help ease any jitters that may arise and take away excuses to seek those alternative solutions. Last I checked, healthy competition between open-market companies is good. Encourage your folks to be open-minded.

ben 10 :

While Windows Mobile 5's security is purely device-based, BlackBerry's security is structured around server and device.

Ziff Davis Enterprise