
BBProxy Hack Exposes BlackBerry Vulnerability

By James Alan Miller
August 9, 2006

During a presentation at the hacker convention Defcon in Las Vegas last week, security researcher Jesse D'Aguanno of the consulting firm Praetorian Global exposed a weakness affecting organizations that have installed their BlackBerry servers behind gateway security appliances. Malicious code on a handheld could conceivably take advantage of the secure tunnel created between the handheld and the BlackBerry Enterprise Server (BES) to wreak havoc on the wider corporate network.

Before his talk D'Aguanno said he had already revealed his findings to Research In Motion (RIM), which posted documents ("Protecting the BlackBerry Device Platform Against Malware" & "Placing the BlackBerry Enterprise Solution in a Segmented Network") in anticipation of his talk.

The documents may be new to the RIM Web site, but they've been repurposed and pulled together from other sources to make them more relevant and manageable. For example, the malware piece is culled from the BES administrator guide and IT policy guide.

"It is information that existed. We just thought it would be important to collect it into a single document and put a little bit more focus on what's topical for our customers," explained Scott Totzke, RIM's Director Global Security Group, to PDAStreet. "But it is something that's been available to users for quite some time."

According to Secure Computing Corporation, a seller of security appliances and firewalls, the documentation may not go far enough.

The problem is especially urgent because D'Aguanno said he would release BBProxy, the hack he created, on August 14th. It takes advantage of the very same weakness he had warned against at Defcon.

A Trojan like BBProxy, the first of its type for RIM handhelds, could be downloaded by an unsuspecting BlackBerry user just as mobile malware reaches any other platform, placed on the handheld directly, or disguised so that a user is tricked into running it, perhaps inside a game of Tic Tac Toe, D'Aguanno said in his presentation.

RIM's Totzke emphasized, however, that the Trojan cannot be received through an e-mail attachment. This is not the way applications are loaded on the BlackBerry platform.

"I can't e-mail you an application and say, 'Here's the latest poker game for you to play,' and have you open it as an e-mail attachment," Totzke said to PDAStreet. "BlackBerry Enterprise Server does not allow the user to download attachments to the device, hence Trojan software cannot be delivered as an e-mail attachment to a BlackBerry user. The user would have to visit a Web site and consciously download the Trojan software."

Not only that, the user must be given permission by the administrator to do so.

"The idea that this is a viral type program is something that is kind of flawed."

Here's how D'Aguanno's hack works:

Since the communications channel between the BlackBerry server and the handheld is encrypted and cannot be properly inspected by typical security products, the administrator usually opens a tunnel through the gateway so that the encrypted channel can reach the BlackBerry server inside the organization's network. When launched, BBProxy runs in the background and opens its own hidden tunnel between the BlackBerry and the user's corporate network, riding on that trusted channel.

This is where BBProxy could cause harm, because it bypasses the organization's normal network security controls. A malicious individual could use this back channel to move around inside an organization undetected, removing confidential data or installing malware on the network.

D'Aguanno highlighted the always-on nature of the BlackBerry service, and organizations' lack of awareness of how to properly lock it down, as the key ingredients of this vulnerability.

"Because it's a handheld device, most people don't think it's something that can actually harm the rest of your internal network," D'Aguanno said at Defcon, according to Wired News. "But a BlackBerry is not your average handheld. It's not just a PDA that's connected (to your network) only when you're in the office. It's a code-running machine that's always on and always connected to your internal network and has direct access to whatever you give it access to. And most company architectures allow it unfettered access to everything on the internal network."

Countermeasures
To counteract this potential threat, Secure Computing recommends isolating servers that face the public Internet, including a BlackBerry server and the mail server working with it, in their own DMZ, which would reduce the risk of a compromised server providing access to other critical servers.

The BlackBerry server and mail server should also not be permitted to open arbitrary connections to the internal network or Internet, and internal users should not be permitted to open arbitrary connections to either the BlackBerry server or mail server.
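The two placements described in these countermeasures can be checked mechanically. The following is an added example, not code from the article, from RIM or from Secure Computing: it models a "flat" gateway policy, in which the DMZ hosts may open arbitrary connections to the internal network and vice versa, beside a segmented policy that permits only the named flows. The address plan, host addresses and the ports used (25 for the mail server, 3101 for the BlackBerry server's outbound connection) are assumptions chosen for the example; the flow that matters is a connection from the BlackBerry server toward an internal host, which is exactly the path a hidden tunnel on the server's trusted channel would need.

```python
"""Model of a flat versus a segmented gateway policy for a BlackBerry server.

Constructed example: hosts, addresses and ports below are assumptions and are
not taken from the article or from any vendor documentation.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed address plan: one DMZ range and one internal range; anything else
# is treated as the public Internet.
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),
    "internal": ip_network("10.0.0.0/8"),
}

# Assumed hosts.
BES = "192.0.2.10"         # BlackBerry Enterprise Server, placed in the DMZ
MAIL = "192.0.2.20"        # the mail server it works with, also in the DMZ
FILESERVER = "10.1.1.5"    # an internal host that must stay unreachable from the DMZ
WORKSTATION = "10.2.2.7"   # an ordinary internal user
RELAY = "198.51.100.1"     # external host the BES must reach (address assumed)


def zone_of(addr: str) -> str:
    """Map an address to its zone name; unknown ranges count as the Internet."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    """An allow rule. src/dst are a host address or a zone name; empty ports = any."""
    src: str
    dst: str
    ports: frozenset = frozenset()

    @staticmethod
    def _side_matches(selector: str, addr: str) -> bool:
        return selector == addr or selector == zone_of(addr)

    def permits(self, src: str, dst: str, port: int) -> bool:
        return (self._side_matches(self.src, src)
                and self._side_matches(self.dst, dst)
                and (not self.ports or port in self.ports))


def decide(rules, src: str, dst: str, port: int) -> str:
    """Any matching allow rule permits the flow; everything else is denied."""
    return "allow" if any(r.permits(src, dst, port) for r in rules) else "deny"


# Weak placement: the servers sit in a DMZ, but the gateway lets the DMZ and
# the internal network open arbitrary connections to each other.
FLAT_POLICY = [
    Rule("internet", MAIL, frozenset({25})),
    Rule("dmz", "internal"),
    Rule("internal", "dmz"),
    Rule("dmz", "internet"),
]

# Segmented placement as recommended above: only the flows the service needs.
SEGMENTED_POLICY = [
    Rule("internet", MAIL, frozenset({25})),   # inbound mail delivery
    Rule(BES, MAIL, frozenset({25})),          # BES to its mail server (port assumed)
    Rule(BES, RELAY, frozenset({3101})),       # BES outbound to the service (port assumed)
]

# Constructed flows to audit, including the DMZ-to-internal pivot path.
FLOWS = {
    "bes_to_fileserver": (BES, FILESERVER, 445),
    "workstation_to_bes": (WORKSTATION, BES, 22),
    "bes_to_mail": (BES, MAIL, 25),
    "bes_to_relay": (BES, RELAY, 3101),
}


def audit(policy) -> dict:
    """Return the gateway decision for each named flow under the given policy."""
    return {name: decide(policy, *flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(label)
        for name, verdict in audit(policy).items():
            print(f"  {name:20s} {verdict}")
```

Under the flat policy every flow is allowed, so a server compromised through its trusted channel can reach the internal file server; under the segmented policy the same flow, and an internal user's arbitrary connection to the BlackBerry server, are denied while the mail and outbound service flows the server actually needs still pass.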

According to RIM's Totzke, what D'Aguanno demonstrated at Defcon—that malware can be downloaded by a user to a BlackBerry if the built-in security policies of the BlackBerry server aren't enabled—is possible with any type of mobile device, "including smartphones, PDAs and laptops."

However, "the IT policy settings for preventing malware exploits are built into the BlackBerry Enterprise Server software and can be set by the administrator. Additional measures can be taken by installing BlackBerry servers in a segmented network," Totzke said, as highlighted in the documents mentioned at the beginning of this article.

Totzke told PDAStreet that RIM has always viewed BlackBerry as a corporate tool, with a level of control given to administrators that other mobile platforms do not come close to offering. This is what the company refers to as IT Policy.

"There is something like 250 plus commands that allow the administrator to have full control over how the BlackBerry as a platform is used by the users within the BlackBerry Enterprise Server community," Totzke said.

This gives administrators full control over, for example, which third-party applications can be installed on employee handhelds. Setting one policy can disable unwanted software altogether, so you never have to worry about malware or anything else that's not authorized, explained Totzke.

Or an administrator can set up a list of approved applications and declare these the only ones IT will allow to run on the network's BlackBerrys.

"You can get very granular in how applications are allowed to run with your BlackBerry and your network," according to Totzke. "The point with the new paper on malware was to reinforce that message. Here are the tools that you as an administrator can use if you really want to take fine grain control over your BlackBerry applications."

The controls go right down to API and network access. An admin can decide whether an application may use the USB port, a telephony API, Bluetooth, and so on, and can disallow one or all applications from being installed on users' BlackBerrys.

"It could be as simple as setting one policy and it wirelessly and immediately gets distributed to all your users. And they now have to comply with the new policy," added Totzke.

To Totzke, the Trojan D'Aguanno created is simply another way the platform can be used and not, he emphasized, a demonstration of hacking, cracking or circumventing anything on the BlackBerry.

He told PDAStreet that RIM encourages anybody in the research community to contact and work with the company when they find something they think needs particular attention.
