Your BlackBerry's dirty little security secret
Tyler Shields, senior member of the Veracode Research Lab, spends a lot of time picking apart those BlackBerry devices that are ubiquitous across the enterprise. What he's found may disappoint those who thought they were secure.
At this week's SOURCE Boston conference, Shields will present his findings in a talk called "BlackBerry Mobile Spyware -- The Monkey Steals the Berries.
He'll explain how the bad guys can plant spyware on the device and make off with your sensitive data, and offer some advice on how users can defend themselves.
He'll talk about an application called FlexiSpy, which allows users to get copies of SMS, call logs, e-mails, locations and listen to conversations within minutes of purchase. He quotes the FlexiSpy website as saying, "Catch cheating wives or cheating husbands, stop employee espionage, protect children, make automatic backups, bug meetings rooms, etc." Then there's Mobile Spy, which will "allow you to see exactly what they do while you are away," according to the website. "Are your kids texting while driving or using the phone in all hours of the night? Are your employees sending company secrets? Do they erase their phone logs?"
To be fair, some could view these as security-enhancing programs, particularly the part about catching employees sending out data that's restricted. But spyware has always been a double-edged sword. IT administrators have long used variations of it to access remote company machines that need repair, for instance.
But Shields will focus on the dark side of smart phone spyware.
"Mobile spyware is trivial to write and the security model of mobile platforms is too loose," Shields said. "There's no easy or automated way to confirm for ourselves what the applications are actually doing and we're trusting the vendor application store provider for the majority of our mobile device security."
The talk will be similar to one Shields gave at the ShmooCon conference in February. Another talk at that gathering focused on the variety of ways attackers could exploit the iPhone.
In that presentation, Trevor Hawthorn, founder and managing principal at Stratum Security, discussed security holes (since fixed) found in AT&T's network, which Apple's iPhone uses, and how an epidemic of "jailbreaking" is disabling critical security controls on the device.
Jailbreaking is a process iPhone and iPod Touch users can exploit to run whatever code they want on the device, whether it's authorized by Apple or not. Jailbreaking the phone allows you to download a variety of apps you couldn't get in the Apple App Store.
For those who hate Apple's heavy hand and welcome any method to thumb a nose at the company's decrees, jailbreaking is very attractive. But there's a problem, Hawthorn said. A big one.
"Jailbreaking wipes away 80 percent of the iPhone's security controls," he said at the time. "Since nearly 7 percent of all iPhones are jailbroken," the bad guys have plenty of targets to choose from.