After a long discovery process, I have some findings I thought I'd post here for users to think over.
Some of these are (whitepaper), and some are beyond proof of concept. Without further delay:
*** The BlackBerry's "modest" security framework is still susceptible to multiple attacks, including being used as a backdoor, allowing confidential data to be exported.
*** The BlackBerry can be used as a proxy for attackers. Some of these attacks require applications to be digitally signed, while others can be conducted without such a signature.
*** While code-signing provides a potential hurdle for malicious code writers, signatures can still be obtained with relative ease and anonymity. Code-signing keys can be bought for $100 completely anonymously via the use of prepaid credit-cards. This completely undermines the ability to determine the creators of a signed application, and perhaps track them down in the case of malicious code being signed.
*** Sending and receiving SMS (text messages) is very simple on the BlackBerry, and doesn't require the code to be signed. Users will receive a prompt the first time the program attempts to send a message, asking if they wish to allow network access, but there are no further warnings on subsequent runs of the application. The same warning is used for an application making an HTTP connection or trying to send an SMS, meaning that a user could be easily fooled into sending very expensive premium SMS messages by an application that purports to connect to the Internet for legitimate purposes.
*** Premium rate "dialer" scams can be extended from the PC to BlackBerry devices, running up huge bills in the process. The application would work as follows:
User downloads and runs an application (e.g. a game with "post my high-score online" option).
If the code is unsigned, the user receives a prompt "Allow Network Access?"
User agrees (thinking he or she is posting high scores on a Web site).
The application proceeds to send a premium-rate SMS message in the background unknown to the users until they receive their phone bills.
*** BlackBerry devices are susceptible to SMS interception attacks that allow hackers to send SMS via the infected device and receive the access code giving them free Wi-Fi access, while the victim is billed instead. Other SMS billable services include voting polls, parking and even using vending machines. Note that if the application is signed, the user will not even be prompted.
*** Signed applications can send e-mail and read incoming e-mail. A malicious application could be used to allow third parties to send messages from the infected BlackBerry and also read all received messages. A malicious application could also use e-mail as a command and control channel to receive instructions to send and receive e-mails; send and receive SMS messages; add, delete and modify contacts and PIM data; read dialed phone numbers; initiate phone calls; and open TCP/IP connections.
*** A malicious signed application can launch an e-mail worm by sending a message containing a link to a JAD (Java Application Descriptor) file. When the user opens this link, he or she will be prompted to install the worm code from a remote Web site maintained by the attacker.
*** An attacker could use a malicious signed application to read all the PIM data (contacts, events, to-do lists). This data can be transmitted to the attacker via e-mail, TCP sockets, SMS or telephony.
*** The integrity of data stored in the PIM can be compromised by a signed application. Attack scenarios include changing the number associated with a contact name; changing the name associated with a phone number; deleting a contact, event or to-do task; changing the timing of a scheduled event; or reading all the contact names and numbers, and randomly swapping them.
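To illustrate two of the points above from the defender's side (the JAD link used by the e-mail worm, and the identical "Allow Network Access?" prompt for HTTP and SMS), here is a small Python triage script that parses a JAD and flags what a reviewer should look at before approving an install. It is an added example, not code from the original post; the sample JAD text, the host names and the `triage_jad` helper are constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed sample descriptor modelled on the "game that posts high scores"
# scenario; every value and host name here is made up.
SAMPLE_JAD = """\
MIDlet-Name: HighScoreGame
MIDlet-Vendor: ExampleCo
MIDlet-Version: 1.0
MIDlet-Jar-URL: http://cdn.example.net/highscore.jar
MIDlet-Jar-Size: 48213
MIDlet-Permissions: javax.microedition.io.Connector.http, javax.wireless.messaging.sms.send
"""

# MIDP 2.0 (JSR-118 / JSR-120) permission strings that grant billable or
# privacy-sensitive capabilities.
RISKY_PERMISSIONS = {
    "javax.wireless.messaging.sms.send": "may send SMS (premium-rate billing risk)",
    "javax.wireless.messaging.sms.receive": "may read incoming SMS",
    "javax.microedition.io.Connector.socket": "may open raw TCP sockets",
}


def parse_jad(text):
    """Parse the 'Key: value' lines of a JAD into a dict; other lines are ignored."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields


def triage_jad(text, jad_url):
    """Return review findings for a JAD that was fetched from jad_url (hypothetical helper)."""
    fields = parse_jad(text)
    findings = []
    jar_host = urlparse(fields.get("MIDlet-Jar-URL", "")).netloc.lower()
    jad_host = urlparse(jad_url).netloc.lower()
    if jar_host and jar_host != jad_host:
        findings.append(f"JAR served from {jar_host}, not from the JAD host {jad_host}")
    perms = {p.strip() for p in fields.get("MIDlet-Permissions", "").split(",") if p.strip()}
    for perm in sorted(perms & RISKY_PERMISSIONS.keys()):
        findings.append(f"{perm}: {RISKY_PERMISSIONS[perm]}")
    if "javax.microedition.io.Connector.http" in perms and "javax.wireless.messaging.sms.send" in perms:
        findings.append("requests both HTTP and SMS send; the device shows the same "
                        "'Allow Network Access?' prompt for either")
    return findings


if __name__ == "__main__":
    for finding in triage_jad(SAMPLE_JAD, "http://www.example.com/highscore.jad"):
        print("-", finding)
```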
After disassembling a new BlackBerry, a hacker could locate the flash where the memory dump is located. Once located, the hash should be easy enough to find. One could either attempt to reverse-engineer the flash or brute-force it. This has been done, and the findings are: the encryption algorithm is SHA-1 and the pseudo-random generator is ARC4.
This is a brief look into BlackBerry security and integrity. The best defense is to password-protect your device, choose strong encryption and do your best not to transmit sensitive data over a cell network.
Hope this helps some and thanks for reading.
Chris