BlackBerry Security: Compromised Or Slightly Over Blown?

By Bla1ze on 9 Feb 2010 02:23 pm EST

The internet has been buzzing lately about the recent announcement of a proof-of-concept spyware presentation delivered at ShmooCon 2010 by the folks over at Veracode. The concept video and presentation show how a BlackBerry device could basically be taken over simply by installing an application, which allows all sorts of nastiness to happen: emails forwarded, text messages forwarded, even remote listening to conversations from a BlackBerry sitting on a nearby table.

One thing the presentation neglects is the fact that these things have been in the BlackBerry OS for quite some time now. The "listeners" are actually built directly into the APIs delivered by Research In Motion. Some trusted companies have even made great use of them, SmrtGuard being one of them, leveraging the remote listen option in their offerings. There really is nothing new here, and just like a virus anywhere else, this proof of concept still needs the human element in order to work. You wouldn't go installing some unknown application on your PC these days would you? Not likely. So why would you do so on your BlackBerry? The logic is pretty much the same. If you are unsure of what something does, don't install it, especially if it's not coming from a trusted source.

More and more these days, we're seeing articles pop up that claim whatever to be the next worst thing to happen to BlackBerry security. Everything from buggered versions of BlackBerry Messenger to people sending mass BBM messages about how files will erase your hard drive. Fact of the matter remains, BlackBerry is still as strong in the security realm as it always was.

As Al Sacco wrote, these sorts of actions are totally reliant upon a whole chain of events that must occur before your BlackBerry can even be considered "infiltrated" or, for the 1337 among you, pwn3d. Al's article not only outlines the ways to prevent such things from happening but also looks at the real-world possibility of such things occurring to those who aren't out to prove something with a proof of concept. Now if you'll excuse me, I have to find my tinfoil hat ;)

Reader comments

...overblown. If one is dumb enough to allow spyware trusted status then maybe they deserve what they get.

Spyware software is not going to say "Spyware"; it is going to be under the pretense of valuable software.

Almost every single software that I install asks me if they can have more control over my device. Based on the company I accept or reject.

This is such an easy way for spyware/malware to circumvent security.

you can't blame RIM for something that comes down to user error. If you don't trust where the software is coming from, don't install it. Pretty simple.

It's like any tech related system. If you use it as intended and don't check your brain and common sense at the door, there is no realistic chance of spyware and its ilk appearing on your phone.

but i think this is important to get some attention. phones are not immune to attacks, we spent good money and time to keep our computers secure but will click on any jar file that we can get our hands on because there is no awareness of what harm it can do.
it took N1H1 to get ppl to wash their hands but each flu season kills more ppl than N1H1 ever did.

this not really BB specific, i cringe at the thought that someone is running a JBed iphone on our network but do you think we can force a policy to forbid that. F-NO. But gawd forbid that you want to get a laptop without AV on the network, you are just about escorted out of the building.

this frustration is where i hope for these POC to become public and get attention.

at least on a bes i can see what attaches and prevent it but that should not give anyone a sense of security that just doesn't exist.

This isn't stupid by any means. You're stupid for thinking it's stupid. With all the "free apps" and "beta test this" and "beta test that", one could think they're trying out an app, when in reality some "developer" could be an undercover hacker.

And here you are, thinking you're installing the "latest new thing" when in reality, you're installing spyware.

Think before you post, idiot.

BUT ...typical as RIM is...nothing will ever be done about it. so suck it up people. the chance of this ever changing is like us ever getting an official blackberry google reader app. HAH.

As mentioned earlier, it is more of an education tool than anything else. We all take security for granted just because it is a cell phone. This sort of apathy could lead to a serious breach in not only our personal security (think about all the personal info we keep on our Blackberrys) but also from a corporate perspective.

TBH I too am guilty of downloading and installing "free" apps and "beta" tests but you can never really be sure that there isn't some sort of malicious code embedded in these softwares.

Think of it as a cautionary tale of what could happen if we do not think before we install.

This is why RIM requires code to be signed before accessing sensitive API's. If an issue comes up RIM can just block everything with that signature, and the malware is stopped.

This was also my first thought! There's a reason RIM requires code signing, and it's one of the best defenses against malware like this. Why does nobody get their facts straight before posting "articles" that blame the company...

The keys are 20$ and whoever sends them 20$ they will approve. Once you have the keys you can do what you want with the device pretty much, as long as the user allows permissions.

I agree though it's not RIM's fault it's more user error than anything.

People want security, but they also want apps that do everything. In order for us to develop these applications we need api's to access these api's. The more people complain the more RIM will pull these api's and not allow developers to do much of anything.

A simple way around this is to know how to use your phone, set permissions, remove applications etc before you go downloading a bunch of apps.

Also only allow permissions to api's that you know the app will need. For example if the app is a weather application you know it's going to need data and possibly gps. So go ahead and allow those, but it will not need to use things like email, phone etc. So I would go ahead and deny those for that application.

If you allow all permissions you're essentially telling the application you have full control to do anything you want on my device.

This was NOT an anti-blackberry presentation. In fact he stated in the talk (the video will be released soon) that Black Berry is the most secure mobile platform out there. The focus of the talk was *not* the fact he used Open API's to make spyware.. it was about the app store and its model. How anyone with 20$ and an email can get a certificate to sign applications. How I can make a tic-tac-toe game that goes into the app store but is actually spyware.

The social engineering or tricking users into installing an app (that is signed by RIM!) is the focus here. The actual security of the phone is not in question he chose the Black berry due to it being the most secure. Doing this talk on Apple or Android would be stupid as everyone *knows* they're insecure.

The researcher and Veracode worked with RIM and RIM supported this talk and research from the start.

It's not overblown, Crackberry and most people above have no idea what they're talking about and are judging and interpreting the research without having seen the talk or read it through. Sorry but it's true.

Anyways, it was a great talk.

HAHA - ok you know the "researcher." For starters, you cannot even spell BlackBerry right. Second, you do not know anyone so stop bragging about how you have the inside scoop on everything. No one cares about your so-called "contacts." Just keep your mouth shut and go back to your cubicle and tell your fake stories to your co-workers because I am sure they would all love to hear it. Just because you didn't think of CrackBerry yourself, doesn't mean you take out your jealousy and say that they have no idea.

If this is true, we could have open blackberries.

While other people are thinking about stealing apps, I think this could force RIM to open their platform a little more and force them to make a bit more enjoyable for the social users.

There's nothing compromised here. They simply made a program that uses the API and if a person is stupid enough to install it, then the program is running correctly. It would be the same as SmrtGuard.

The person who installed it clicked "Allow" on the screen that gave the program access to this data. In fact if the BlackBerry did not allow the application to do this, I would call the BlackBerry flawed. It is operated as designed. What is the big deal here? SmrtGuard does the SAME thing. It remotely copies all your data off and stores it on their servers. So does this app.

The user is at fault, not the BlackBerry. BlackBerry has security features built in in their IT Policy to block people from doing such dumb things as well.

A virus is self replicating. At best this is a trojan horse. It is software that is supposed to do one thing that does another unintended action. The way the apps are distributed and signed though it would be easy to isolate and identify the cause of a spread. You need to work at this for it to be a problem including granting trusted status. This is old news that is not the threat people are making it to be.

RIM posted a great guide on malware a year or so ago and this is just a new spin on a known attack vertical.

Having to manage thousands of Blackberries this is why we block the installation of any applications and only remove it temporarily as needed or just package and push the app the user is requesting. RIM provides the ability to black list / white list apps and this is yet another item that would go into the block category.

Now it's not perfect but is a heck of a lot more control than any other mobile management. I'd like RIM to manage known threats (be it malware or other) and push these to each BES which may be something that occurs as mobile devices become an attractive target.

to quote from the above article..
"You wouldn't go installing some unknown application on your PC these days would you? Not likely."

um yeah, people do that every day, all the time, i work on pc's and see it all the time.. and when asked.. "why did you install such and such program?" i usually get the "i don't know, i was told i needed to" (by the very same program itself's pop-ups)... or my favorite "i didn't install that" when clearly they're the only one in the house, let alone the only one using said computer...

never underestimate the depth of ignorance of computer users in general.


You mean that an application that I install on my phone can add functions to it? Before you know it people everywhere are going to want apps on their phones so they can do more.

RIM will never "open their platform a little more and force them to make a bit more enjoyable for the social users". As it is the "social users" who are usually the more stupid people to start with. (going by the onslaught of retardedily dumb questions in forums) Besides, why would you want to make a secure phone less secure anyway? If you want something more user friendly get a sidekick or iphone...

You must be very intelligent and courageous to call other people "stupid" from behind your anonymous keyboard, and you must make so many friends with your stereotypes and intolerant insults of those with the "retardedily dumb questions."

I set permissions for each app before downloading based on what I expect that app to do.

Sometimes after I reboot it comes up and asks me for permissions I don't think it needs...guess what? I delete that app and it never runs on my device.

Read EULAs, there are several apps that come right out and tell you they are watching what you do- Skyfire is a good example. People are so used to clicking "OK" from being brain-washed by the endless unnecessary prompts from Windows that they don't pay attention. When I saw Skyfire's EULA I said to myself, "you can keep it."

Some of the barcode apps are just as bad. Pay attention, people!

As several posters have said, use common sense, know your device, and you should not find yourself in trouble.