1. 3CISSBB's Avatar
    After a long discovery process, I have some findings I thought I'd post here for users to think over.

    Some of these are (whitepaper), and some are beyond proof of concept. Without further delay:

    *** The BlackBerry's "modest" security framework is still susceptible to multiple attacks, including being used as a backdoor, allowing confidential data to be exported.

    *** The BlackBerry can be used as a proxy for attackers. Some of these attacks require applications to be digitally signed, while others can be conducted without such a signature.

    *** While code-signing provides a potential hurdle for malicious code writers, signatures can still be obtained with relative ease and anonymity. Code-signing keys can be bought for $100 completely anonymously via the use of prepaid credit-cards. This completely undermines the ability to determine the creators of a signed application, and perhaps track them down in the case of malicious code being signed.

    *** Sending and receiving SMS (text messages) is very simple on the BlackBerry, and doesn't require the code to be signed. Users will receive a prompt the first time the program attempts to send a message, asking if they wish to allow network access, but there are no further warnings on subsequent runs of the application. The same warning is used for an application making a HTTP connection or trying to send an SMS, meaning that a user could be easily fooled into sending very expensive premium SMS messages by an application that purports to connect to the Internet for legitimate purposes.

    *** Premium rate "dialer" scams can be extended from the PC to BlackBerry devices, running up huge bills in the process. The application would work as follows:
    User downloads and runs an application (e.g. a game with "post my high-score online" option).
    If the code is unsigned, the user receives a prompt "Allow Network Access?"
    User agrees (thinking he or she is posting high scores on a Web site)
    The application proceeds to send a premium-rate SMS message in the background unknown to the users until they receive their phone bills.
    *** BlackBerry devices are susceptible to SMS interception attacks that allow hackers to send SMS via the infected device and receive the access code giving them free Wi-Fi access, while the victim is billed instead. Other SMS billable services include voting polls, parking and even using vending machines. Note that if the application is signed, the user will not even be prompted.

    *** Signed applications can send e-mail and read incoming e-mail. A malicious application could be used to allow third parties to send messages from the infected BlackBerry and also read all received messages. A malicious application could also use e-mail as a command and control channel to receive instructions to send and receive e-mails; send and receive SMS messages; add, delete and modify contacts and PIM data; read dialed phone numbers; initiate phone calls; and open TCP/IP connections.

    *** A malicious signed application can launch an e-mail worm by sending a message containing a link to a JAD (Java Application Descriptor) file. When the user opens this link, he or she will be prompted to install the worm code from a remote Web site maintained by the attacker.

    *** An attacker could use a malicious signed application to read all the PIM data (contacts, events, to-do lists). This data can be transmitted to the attacker via e-mail, TCP sockets, SMS or telephony.

    *** Data integrity stored in the PIM can be compromised by a signed application. Attack scenarios include changing the number associated with a contact name; changing the name associated with a phone number; deleting a contact, event or to-do task; changing the timing of a scheduled event; or reading all the contact names and numbers, and randomly swapping them.

    After disassembling a new Blackberry, a hacker could locate the flash where the memory dump is located. Once located, the HASH should be easy enough to find. One could either attempt to reverse-engineer the flash or brute-force it. This has been done and the findings are: encryption algo is SHA-1 and the pseudo random is ARC4.


    This is a brief look into Blackberry security and integrity. The best defense is to password protect your device, choose strong encryption and do your best not to transmit sensitive data over a cell network.


    Hope this helps some and thanks for reading.


    Chris
    Last edited by 3CISSBB; 09-08-09 at 03:01 PM.
    04-02-09 11:40 PM
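    The post's SMS and JAD points (one "Allow Network Access?" prompt covering both HTTP and SMS, and install links pointing at an attacker-hosted JAD) come down to what an over-the-air descriptor asks for before anything runs. The following script is an added example, not code from the original post or from RIM: it parses a JAD and reports the requested permissions, whether the descriptor carries a MIDP 2.0 trusted-MIDlet signature, and whether the payload is fetched from a different host than the descriptor. Attribute names are the standard MIDP 2.0 ones (MIDlet-Permissions, MIDlet-Jar-URL, MIDlet-Jar-RSA-SHA1, MIDlet-Certificate-1-1), the JSR 120 SMS permission name, and the RIM-COD-URL attribute BlackBerry descriptors use; the two descriptors and their hostnames are constructed for illustration. Note that the RIM code signing the post refers to is applied to the COD file itself and is not visible from these descriptor attributes, so this check is a first-pass vetting step, not proof that a package is safe.

```python
"""Audit a Java ME / BlackBerry JAD (Java Application Descriptor) before an
over-the-air install.  Added example; not code from the original post.
The sample descriptors below are constructed for illustration."""
from urllib.parse import urlparse

# JSR 120 (Wireless Messaging API) permission name for sending SMS.
SMS_SEND_PERMISSION = "javax.wireless.messaging.sms.send"
# MIDP 2.0 permission names for ordinary network connections.
NETWORK_PERMISSIONS = {
    "javax.microedition.io.Connector.http",
    "javax.microedition.io.Connector.https",
    "javax.microedition.io.Connector.socket",
}


def parse_jad(text):
    """Parse 'Attribute-Name: value' lines of a JAD into a dict.

    Blank lines and lines without a colon are ignored; attribute names are
    case-sensitive in the MIDP specification, so they are kept as written.
    """
    attrs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        attrs[key.strip()] = value.strip()
    return attrs


def _split_permissions(value):
    return {p.strip() for p in value.split(",") if p.strip()}


def audit_jad(jad_text, jad_url):
    """Return a report with the requested permissions, whether the descriptor
    carries a MIDP 2.0 signature, and a list of findings (empty if clean)."""
    attrs = parse_jad(jad_text)
    required = _split_permissions(attrs.get("MIDlet-Permissions", ""))
    optional = _split_permissions(attrs.get("MIDlet-Permissions-Opt", ""))
    requested = required | optional
    findings = []

    if SMS_SEND_PERMISSION in requested:
        findings.append("requests permission to send SMS")
    if SMS_SEND_PERMISSION in requested and requested & NETWORK_PERMISSIONS:
        findings.append("requests both Internet access and SMS sending; a single "
                        "'Allow Network Access?' prompt does not distinguish them")

    # MIDP 2.0 trusted-MIDlet signature: the JAR hash is signed with the key
    # behind the certificate chain carried in MIDlet-Certificate-<n>-<m>.
    signed = "MIDlet-Jar-RSA-SHA1" in attrs and "MIDlet-Certificate-1-1" in attrs
    if not signed:
        findings.append("descriptor carries no MIDP signature; payload is unverified")

    # BlackBerry descriptors point at a COD via RIM-COD-URL; plain MIDP uses
    # MIDlet-Jar-URL.  A relative URL has no host and is served alongside the JAD.
    payload_url = attrs.get("RIM-COD-URL") or attrs.get("MIDlet-Jar-URL")
    if payload_url:
        jad_host = urlparse(jad_url).netloc.lower()
        payload_host = urlparse(payload_url).netloc.lower()
        if payload_host and payload_host != jad_host:
            findings.append("payload is fetched from a different host (%s) than "
                            "the descriptor (%s)" % (payload_host, jad_host))
    else:
        findings.append("descriptor names no payload URL")

    return {"name": attrs.get("MIDlet-Name", "?"), "permissions": sorted(requested),
            "signed": signed, "payload_url": payload_url, "findings": findings}


# Constructed sample: a "post my high score online" game that also wants SMS,
# is unsigned, and pulls its COD from a host other than the one serving the JAD.
SUSPECT_JAD = """\
MIDlet-1: HighScoreGame, , game.Main
MIDlet-Name: HighScoreGame
MIDlet-Vendor: Example Games
MIDlet-Version: 1.0
MicroEdition-Configuration: CLDC-1.1
MicroEdition-Profile: MIDP-2.0
MIDlet-Permissions: javax.microedition.io.Connector.http, javax.wireless.messaging.sms.send
RIM-COD-URL: http://cdn.example.org/highscore.cod
RIM-COD-SHA1: placeholder-hash-not-real
"""

# Constructed sample: signed, HTTP only, payload served next to the descriptor.
BENIGN_JAD = """\
MIDlet-1: HighScoreGame, , game.Main
MIDlet-Name: HighScoreGame
MIDlet-Vendor: Example Games
MIDlet-Version: 1.0
MicroEdition-Configuration: CLDC-1.1
MicroEdition-Profile: MIDP-2.0
MIDlet-Permissions: javax.microedition.io.Connector.http
MIDlet-Jar-URL: http://games.example.net/highscore.jar
MIDlet-Jar-Size: 12345
MIDlet-Jar-RSA-SHA1: placeholder-base64-signature
MIDlet-Certificate-1-1: placeholder-base64-certificate
"""

if __name__ == "__main__":
    jad_url = "http://games.example.net/highscore.jad"  # constructed origin
    for label, jad in (("suspect", SUSPECT_JAD), ("benign", BENIGN_JAD)):
        report = audit_jad(jad, jad_url)
        print("%s: %s signed=%s" % (label, report["name"], report["signed"]))
        for finding in report["findings"]:
            print("  -", finding)
```

The suspect descriptor produces four findings (SMS permission, SMS combined with HTTP, no signature, off-host payload); the benign one produces none. The combined HTTP-plus-SMS finding is the one that matters for the post's "dialer" scenario, since the device shows the same prompt for both.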
  2. NIKSTORM's Avatar
    What's the worst that can happen? My info isn't exactly national security.
    04-02-09 11:42 PM
  3. 3CISSBB's Avatar
    Well, with any kind of exploit, it all depends on what the creator has decided to design the exploit for. Same as a computer, it could steal information or simply spy on you.
    04-02-09 11:45 PM
  4. 3CISSBB's Avatar
    API developer keys can be bought for around $100.00 USD
    04-02-09 11:47 PM
  5. classc1's Avatar
    Well....aren't you just a ray of sunshine?

    Posted from my CrackBerry at wapforums.crackberry.com
    04-02-09 11:54 PM
  6. ekinnee's Avatar
    It appears that most of this requires the user to install and run malicious code. As with any platform, if the user is going to install and run crap all willy nilly like, the game was over before it started.

    There is a reason why corp/BES users at times have policies pushed to them that don't allow the change of app permissions or the install of software.

    And yes, I am a Senior Information Security Engineer. You make valid points, but I think this type of stuff has been thought of already, or are the same issues you could list for almost any device, hand held or not.
    Last edited by ekinnee; 04-02-09 at 11:59 PM.
    04-02-09 11:56 PM
  7. NIKSTORM's Avatar
    If you want to spy on me then go ahead....too many people with too much time on their hands...at least you are covered for stolen funds, that's all that matters.
    04-02-09 11:58 PM
  8. 3CISSBB's Avatar
    True, most of this DOES require the user to be able to install apps and run them. However, even the BES environment has been looked over and there are several ways to (leapfrog) onto/into the corp network. Remember, even the tightest corp sec policy is at the mercy of social exploitation.
    04-03-09 12:00 AM
  9. zhelf's Avatar
    What's the worst that can happen? My info isn't exactly national security.
    Could be bad for those who do mobile banking over their phone or use a credit card to make a purchase. Depending on the code installed to the phone, they could steal your credit card info by keylogging and spying. So it could be bad.
    04-03-09 12:02 AM
  10. 3CISSBB's Avatar
    If you want to spy on me then go ahead....too many people with too much time on their hands...at least you are covered for stolen funds, that's all that matters.
    No-one here is trying to 'spy' on you. This information was posted to help Enlighten people on the security of their handheld devices. Information is power. If you're not learning and evolving, you're dying.
    04-03-09 12:02 AM
  11. ekinnee's Avatar
    True, most of this DOES require the user to be able to install apps and run them. However, even the BES environment has been looked over and there are several ways to (leapfrog) onto/into the corp network. Remember, even the tightest corp sec policy is at the mercy of social exploitation.
    Correct, there are always training issues and such to deal with. Being relatively new to the BB arena, I've not had a chance to pick apart a BES box. I do plan on doing so in the near future.

    Yeah, that's me that just added you via BBM. Hit me up if you need anything or are in the Dallas/Fort Worth area.

    3CISSBB is right, and I don't want to come off as diminishing his advice. Mobile phones harbor much more personal or sensitive info than most folks realize. Who here uses the new Wallet app, or Password Manager, or any number of other "wallet" type apps? Lord knows I do. This thing is my prosthetic brain.

    Trying out that nifty tool somebody posted an OTA link in the forums? Oh snap son! You just downloaded unverified code that auto installed on your BB. It didn't appear to do anything so maybe you think it's busted? Nah, you now have a module running that only has to ask once for permission to your data.

    We tend to trust people; most of us were probably taught that people are by nature good. It's an evil world out there. 3CISS and I work in the same field. You'd be shocked at what we've seen.
    Last edited by ekinnee; 04-03-09 at 12:16 AM. Reason: Rant/Advise/Clarification
    04-03-09 12:05 AM
  12. dmcgrady's Avatar
    So are you guys saying that info in the safe on the BB is not secure?

    Posted from my CrackBerry at wapforums.crackberry.com
    04-03-09 02:35 AM
  13. ride365's Avatar
    Apparently BBs are harder to wiretap than normal phones, as the RCMP (Canadian national police force) needs to ask to get special help from RIM to be able to get info from users.
    04-03-09 04:27 AM
  14. Branta's Avatar
    So are you guys saying that info in the safe on the BB is not secure?

    Posted from my CrackBerry at wapforums.crackberry.com
    Any device is potentially insecure. BB is more secure than most mobile devices, but the dominance of business use makes them a very profitable target. Good security policies properly applied should keep them safe from most threats. However, they will always be vulnerable to social engineering and greedy users who install from sources they should not trust. That's called "User Error" and no security scheme can ever hope to defeat it completely. There's always one who knows enough to be dangerous.
    04-03-09 07:58 AM
  15. Directional's Avatar
    Apparently BBs are harder to wiretap than normal phones, as the RCMP (Canadian national police force) needs to ask to get special help from RIM to be able to get info from users.
    Yup..

    Criminals love the BlackBerry's wiretap-proof ways: police
    04-03-09 08:07 AM
  16. LazyStarGazer's Avatar
    You guys are making me nervous.

    Could someone post some details or instructions to enhance security on my bis curve?

    Maybe a good sticky, article or link?
    04-03-09 08:25 AM
  17. thinkamp's Avatar
    well i just took lots of stuff out of my password keeper! boo that sucks!
    04-03-09 08:30 AM
  18. alleycat0124's Avatar
    Thanks for the information!
    04-03-09 08:32 AM
  19. Branta's Avatar
    Apparently BBs are harder to wiretap than normal phones, as the RCMP (Canadian national police force) needs to ask to get special help from RIM to be able to get info from users.
    It's quite easy. It only takes one judge to issue a search warrant, and a few cops to hold the suspect in the cells until the password is disclosed.

    Of course RIM can't help anyway because any encryption keys are generated by the user (not RIM) so there's no central record. The Indian authorities took a long time to understand this recently.

    If the user has taken security seriously and uses good quality public key encryption (like PGP) the communication is for all practical purposes completely secure even if the messages are delivered to the spooks on an unprotected floppy disk.
    04-06-09 04:44 PM
  20. Reed McLay's Avatar
    Very informative, until now, I have felt safe....
    04-06-09 05:27 PM
  21. budfox's Avatar
    If you have it, use common sense!!
    04-06-09 05:42 PM
  22. PNWBerryAddict's Avatar
    Any device is potentially insecure. BB is more secure than most mobile devices, but the dominance of business use makes them a very profitable target. Good security policies properly applied should keep them safe from most threats. However, they will always be vulnerable to social engineering and greedy users who install from sources they should not trust. That's called "User Error" and no security scheme can ever hope to defeat it completely. There's always one who knows enough to be dangerous.
    When it comes to applications - never trust anyone

    When it comes to your phone - never trust anyone

    Posted from my CrackBerry at wapforums.crackberry.com
    Very well put. No computer or smartphone is 100% secure, so it really comes down to using good judgment and security policies as stated above.
    07-04-09 01:30 PM
  23. bluz's Avatar
    BB is by far the most secure mobile device.
    11-30-09 11:34 AM
  24. phonejunky's Avatar
    People on this forum are so naïve when it comes to BB security sometimes; for some reason BIS members still feel their phones are super protected or something, lol. BlackBerries are some of the most hacked devices, the reason being that important people use BlackBerries not just for work reasons but also have personal ones as well.

    Posted from my CrackBerry at wapforums.crackberry.com
    12-10-09 03:26 AM
  25. beamolite's Avatar
    People on this forum are so naïve when it comes to BB security sometimes; for some reason BIS members still feel their phones are super protected or something, lol. BlackBerries are some of the most hacked devices, the reason being that important people use BlackBerries not just for work reasons but also have personal ones as well.

    Posted from my CrackBerry at wapforums.crackberry.com
    Can you provide a link to prove this?
    12-10-09 11:24 AM