Does anyone know of any security tests &/or evaluations that have been conducted and are available to the public?
A security test or evaluation would cover the five (5) pillars (aka "objectives") of Info/IT security -- namely: Availability (performance, proximity, fault, etc.), Integrity (system, data, transaction, etc.), Confidentiality (access, content filtering, encryption, etc.), Traceability/Accountability (audit logs, monitoring, etc.), and Assurance (of operational, technical & environmental durable & non-durable controls across the other 4 objectives).
I have heard that the US Government has conducted some kind of tests/evaluations but they are not publicly available. I have heard some companies that have deployed the enterprise solutions (Lotus Notes or Exchange BES) -- vice the Internet version -- have conducted their own tests, but again... since these companies paid for them, their results are not publicly available.
Furthermore, trying to get even a RIM contact (non sales) that can talk to me about my security questions (like this one) has been unfruitful to date (3 months talking to/requesting from their sales guy).
Any help from anyone on this question, or on getting a good info/IT security contact at RIM would be GREATLY appreciated! so of course TIA!!! to da max!!!
BB security is good enough for the Office of the Secretary of Defense at the Pentagon (during wartime even...), is that not all you need to know?
amateur
t_a_ray_cissp
11-21-2002, 05:37 PM
Thanks for the reference, but it's not that helpful. How so?
It only applies to the crypto module. In other words, only one piece of the Confidentiality aspect of the security test/evaluation puzzle.
I am looking for an end-to-end (ideal/ lab or real) implementation evaluation/test.
Thanks tho.
--tom
JimBobJoeRay
11-25-2002, 11:31 AM
If you can offer some specific questions about how the process works I am sure that I can answer the questions for you. I have fairly extensive experience with the BlackBerry security model, from how it stores data on the handheld to how it is wirelessly transported via the BES or redirector.
t_a_ray_cissp
11-25-2002, 08:56 PM
First: let me reiterate that I most likely need to be in contact with a good security Point-of-Contact (POC) at RIM. Do you know of any?
As for the security evaluation...
What specifically an end-to-end security evaluation/"test" of the technology process requires is something that a security professional may use some of his professional discretion on, within reason. Two typical approaches are: C&A (black box, white box, etc.), or "attack scenarios driven." However, let me say up front that I do not anticipate a crypto eval of the RIM DES implementation or the like to be at the level we are looking for. Rather, that is too low-level and reduplicates the FIPS 140-1 Level 1 eval they already have (I know that it is for other handhelds, NOT the 5810). A statement that the 5810 has not yet completed FIPS evaluation would be in order. So too would an "attack scenarios driven" test plan that addresses questions like:
1. Does a user have to login/authenticate to the device? (PIN, other mechanism) Can a user disable the login/authentication mechanism? (Can we disable the disable??) Can we/Providian "force" security policies to the Blackberry?
2. How can Providian filter which emails are forwarded to the enterprise blackberries? Can we do the same for ones employees have bought and attempt to deploy personally?
3. For other avenues of access (email, web browsing) is there authentication??
4. Is there built-in and frequently updated protection against virii/worms against either the email client and/or web browser? (Browser itself, Java applets also)
5. If infected, what are the possible risks to the Blackberry or the data therein? Data publication? Data loss? Spread to internal systems? (hybrid worm - but the possibility does exist) Remember there are web sites out there which are known to dial out-of-country when accessed in order to ring up excessive toll charges... Other websites can use Java or ActiveX to do way too much to unsecured client systems. Is the blackberry vulnerable to any of these avenues?
6. How does the device transmit data internally? (Does it?)
7. How does the device transmit data externally (non-Providian email addresses as well as between Blackberries -- like a personal ISP one)? (Does it?)
8. How does the device authenticate with support systems to provide the services it does? How does it maintain a secure connection while processing?
9. Verify the infrastructure for the device. Ensure that it is as secure as possible, with no points of possible compromise. (per known points of compromise & infrastructure vulnerabilities primarily, but not exclusively)
10. What is the risk/exposure of the loss of a device? Could confidential data be present that could be recovered via forensic examination? Could the device be used to access our internal systems or network?
11. How is device usage logged for audit purposes? How would we know if someone was using it for ill purposes?
12. What would happen if a non-authorized person brought in their own personal blackberry? What would they be able to access?? Could I spoof or impersonate a valid device? as can be done with the MS-Exchange/Outlook version.
These are questions that an attack scenario or a "C&A" (certification and accreditation) type of security test would attempt to address.
JimBobJoeRay
11-26-2002, 01:00 PM
I decided to just answer your questions one by one. To start though I should say that in order to have ANY security you need to be running either desktop redirector or the BES, and if you want any user control at all you definitely need a BES.
1. Does a user have to login/authenticate to the device? (PIN, other mechanism) Can a user disable the login/authentication mechanism? (Can we disable the disable??) Can we/Providian "force" security policies to the Blackberry?
**You set security policies on the BES server which are pushed down to every BlackBerry during its cradling process. If it does not have the policy on the device, it will not work on the network. One of the many policies is setting a mandatory password, size, and complexity. This password, along with all information on the device, is encrypted on the handheld ROM chip via a one-way hash called SHA-1. It is for all intents and purposes uncrackable; if someone were to try to remove this chip and not have the password to access the device, the data would still be useless as every type is encrypted with this hash.
2. How can Providian filter which emails are forwarded to the enterprise blackberries? Can we do the same for ones employees have bought and attempt to deploy personally?
** I am not sure what Providian is; however, through the policy editor for BES you can set global filters which will decide which messages are allowed to be sent to all users, or just some users. You could also just have the Exchange server redirect the messages you do not want sent to the BlackBerry to a different folder on the Exchange server (other than the inbox, or any subfolders which have been flagged for BlackBerry redirection).
3. For other avenues of access (email, web browsing) is there authentication?? The email and web browsing package for BlackBerry which is provided by RIM uses the same triple DES method of transport. The data is triple DES encrypted on the handheld and transmitted to your BES, which receives it on port 3101 (this is an outbound initiated port which only accepts data that is triple DES encrypted making an external hack "into" the port impossible) The reply data follows the same path, only in reverse. In other words any data sent from your network, or the handheld is ALL triple DES encrypted. Also any information which is received by either the BES or handheld is checked upon arrival as to whether or not it can be decrypted using the triple DES key on each, if it cannot it is immediately discarded before opening. HOWEVER, NO third party software currently offers encryption of this nature, only the BlackBerry software.
4. Is there built-in and frequently updated protection against virii/worms against either the email client and/or web browser? (Browser itself, Java applets also)
**You can only load programs/apps on the device through application loader, which does not allow for such things; however it is not impossible for a user to download a 3rd party app which acts like a virus. If this is a worry, you can edit your BES policy to disable the application loader function for each user so that they cannot add any software to their devices.
5. If infected, what are the possible risks to the Blackberry or the data therein? Data publication? Data loss? Spread to internal systems? (hybrid worm - but the possibility does exist) Remember there are web sites out there which are known to dial out-of-country when accessed in order to ring up excessive toll charges... Other websites can use Java or ActiveX to do way too much to unsecured client systems. Is the blackberry vulnerable to any of these avenues?
**Yes, if the user were to load an application through application loader which somehow had a virus it would have access to everything, so DISABLE them from being able to do this.
6. How does the device transmit data internally? (Does it?)
**The internal data is encapsulated on a ROM and RAM chip. It is transmitted as a computer would, but all the data is hashed with the user's password.
7. How does the device transmit data externally (non-Providian email addresses as well as between Blackberries -- like a personal ISP one)? (Does it?)
**If you send data to an ISP account, it currently is just scrambled and easily decrypted; however a corporate email system uses the triple DES method. Basically any software RIM puts out which runs through the BES server follows the above mentioned authentication methods. 3rd party is excluded, and not recommended.
8. How does the device authenticate with support systems to provide the services it does? How does it maintain a secure connection while processing?
**There is no constant connection. All data is transmitted between the BES and handheld via 2k packets which are triple DES encrypted. The authentication is handheld as mentioned above.
9. Verify the infrastructure for the device. Ensure that it is as secure as possible, with no points of possible compromise. (per known points of compromise & infrastructure vulnerabilities primarily, but not exclusively)
**what do you want to know?
10. What is the risk/exposure of the loss of a device? Could confidential data be present that could be recovered via forensic examination? Could the device be used to access our internal systems or network?
**as long as the user has a password on the device, the data is 100% secure, if they do not have one it is open to the public. However, if someone were to lose their device you remove it from the BES and it loses its connection to the corporate network, also you can remotely kill the device causing all the data to be erased remotely.
11. How is device usage logged for audit purposes? How would we know if someone was using it for ill purposes?
**The BES just logs transactions, like email sent, calendar appt sent, etc. If someone was using it for ill purposes you could check their messages, calendar entries etc. on the Exchange server, or also check the web log if they were browsing the internet.
12. What would happen if a non-authorized person brought in their own personal blackberry? What would they be able to access?? Could I spoof or impersonate a valid device? as can be done with the MS-Exchange/Outlook version.
**A person would need to be added to the BES to have access. However they could install desktop redirector without you knowing. To counter this you would simply need to set up an Exchange rule which filters the desktop redirector transport messages from the user's inbox/outbox, effectively shutting down the desktop redirector. It is not known that anyone could spoof a BlackBerry; however should someone figure it out in the highly unlikely scenario, the network would detect that there are 2 devices with the same ID and disable both of them.
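The packet exchange described in the answers to questions 3 and 8 above (a triple DES key shared by the handheld and the BES, data moved in 2k packets, and a receiver that discards anything it cannot decrypt) is shown below as an added worked example in Go. This is illustrative code written for this page; it is not RIM's software or protocol, and the thread does not say how the real product implements the "can it be decrypted" check. The example assumes that check is a SHA-1 digest of the payload carried inside the CBC-encrypted packet with PKCS#7 padding, and the key, the message text and the eavesdropper are all constructed. One caveat a reviewer should add: a digest under the same encryption key is not a real message authentication code, so a current design would use an authenticated mode (AES-GCM) or an HMAC with a separate key for this purpose.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/sha1"
	"crypto/subtle"
	"errors"
	"fmt"
)

// packetPayloadMax mirrors the "2k packets" mentioned in the thread (assumed value).
const packetPayloadMax = 2048

// Endpoint is one side of the link (handheld or BES) holding the shared 3DES key.
type Endpoint struct {
	Name string
	key  []byte
}

func NewEndpoint(name string, key []byte) (*Endpoint, error) {
	if len(key) != 24 {
		return nil, errors.New("3DES key must be 24 bytes")
	}
	return &Endpoint{Name: name, key: key}, nil
}

// pad and unpad implement PKCS#7 for the 8-byte DES block.
func pad(b []byte, bs int) []byte {
	n := bs - len(b)%bs
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func unpad(b []byte, bs int) ([]byte, error) {
	if len(b) == 0 || len(b)%bs != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > bs {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// Seal builds one packet: IV || 3DES-CBC( SHA-1(payload) || payload || padding ).
// The embedded digest is what lets the receiver tell a valid packet from garbage
// (an assumption for this example; a real design should use a MAC, see lead-in).
func (e *Endpoint) Seal(payload []byte) ([]byte, error) {
	if len(payload) > packetPayloadMax {
		return nil, errors.New("payload exceeds packet size")
	}
	block, err := des.NewTripleDESCipher(e.key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	sum := sha1.Sum(payload)
	plain := pad(append(sum[:], payload...), bs)
	pkt := make([]byte, bs+len(plain))
	if _, err := rand.Read(pkt[:bs]); err != nil { // fresh random IV per packet
		return nil, err
	}
	cipher.NewCBCEncrypter(block, pkt[:bs]).CryptBlocks(pkt[bs:], plain)
	return pkt, nil
}

// Open decrypts a packet with this endpoint's key and returns the payload. Any
// error means "discard": wrong key, truncated or tampered ciphertext, bad
// padding and digest mismatch all end up here, matching the thread's rule that
// data which cannot be decrypted is dropped before it is looked at.
func (e *Endpoint) Open(pkt []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(e.key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(pkt) < 2*bs || (len(pkt)-bs)%bs != 0 {
		return nil, errors.New("discard: malformed packet")
	}
	plain := make([]byte, len(pkt)-bs)
	cipher.NewCBCDecrypter(block, pkt[:bs]).CryptBlocks(plain, pkt[bs:])
	plain, err = unpad(plain, bs)
	if err != nil || len(plain) < sha1.Size {
		return nil, errors.New("discard: cannot decrypt")
	}
	want := sha1.Sum(plain[sha1.Size:])
	if subtle.ConstantTimeCompare(plain[:sha1.Size], want[:]) != 1 {
		return nil, errors.New("discard: digest mismatch (wrong key or tampered)")
	}
	return plain[sha1.Size:], nil
}

func main() {
	shared := []byte("0123456789abcdef01234567") // constructed 24-byte key
	handheld, _ := NewEndpoint("handheld", shared)
	bes, _ := NewEndpoint("BES", shared)
	eavesdropper, _ := NewEndpoint("eavesdropper", []byte("zyxwvutsrqponmlkjihgfedc"))

	pkt, _ := handheld.Seal([]byte("meeting moved to 3pm"))
	msg, err := bes.Open(pkt)
	fmt.Printf("BES reads: %q err=%v\n", msg, err)
	_, err = eavesdropper.Open(pkt) // captured over the air, useless without the key
	fmt.Println("eavesdropper:", err)
	forged, _ := eavesdropper.Seal([]byte("wire funds now"))
	_, err = bes.Open(forged) // packet under a different key is dropped on arrival
	fmt.Println("BES on forged packet:", err)
	pkt[len(pkt)-1] ^= 0x01 // one ciphertext bit flipped in transit
	_, err = bes.Open(pkt)
	fmt.Println("BES on tampered packet:", err)
}
```

Running it shows the four outcomes the thread claims: the BES recovers the message, the eavesdropper gets a discard error, a packet sealed under another key is rejected, and a single flipped bit is rejected. The port 3101 detail from the thread (outbound-initiated from the BES) is a network-layer property and is not modelled here.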
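Question 11 above asks how device usage is logged and how misuse would be noticed, and the answer is that the BES logs transactions (email sent, calendar appointment sent) and that you review them. Below is an added example of such a review in Go, written for this page and not taken from the thread or from RIM's product. The log layout (key=value fields), the device PINs, users, addresses and the thresholds are constructed assumptions, and the rule it applies follows the answer to question 7 (mail to a personal ISP account leaves the triple DES protected path): it counts sends to recipients outside the corporate domain per device, flags devices that burst several such sends inside a short window, and skips lines it cannot parse instead of aborting.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// sampleLog is a constructed sample of BES transaction log lines. The
// key=value layout, PINs, users and addresses are assumptions for this example.
const sampleLog = `2002-11-26 13:00:05 pin=2000ABCD user=jsmith action=EMAIL_SENT to=alice@providian.example size=1240
2002-11-26 13:00:41 pin=2000ABCD user=jsmith action=CAL_SENT to=alice@providian.example size=310
2002-11-26 13:02:10 pin=2000BEEF user=dlee action=EMAIL_SENT to=dlee@homeisp.example size=88020
2002-11-26 13:02:15 pin=2000BEEF user=dlee action=EMAIL_SENT to=dlee@homeisp.example size=91002
2002-11-26 13:02:19 pin=2000BEEF user=dlee action=EMAIL_SENT to=dlee@homeisp.example size=87310
2002-11-26 13:02:25 pin=2000BEEF user=dlee action=EMAIL_SENT to=dlee@homeisp.example size=90110
2002-11-26 13:30:00 pin=2000ABCD user=jsmith action=EMAIL_SENT to=vendor@partner.example size=2048
this line is garbage and must be skipped rather than crash the review`

// Thresholds are assumptions; tune them to the deployment.
const (
	burstCount  = 3
	burstWindow = 60 * time.Second
)

type Event struct {
	When   time.Time
	PIN    string
	User   string
	Action string
	To     string
	Size   int
}

// Report summarises the review, keyed by device PIN.
type Report struct {
	External map[string]int // sends to recipients outside the corporate domain
	Bytes    map[string]int // bytes sent to external recipients
	Bursts   []string       // PINs with >= burstCount external sends inside burstWindow
	Parsed   int
	Skipped  int
}

func parseLine(line string) (Event, error) {
	f := strings.Fields(line)
	if len(f) < 3 {
		return Event{}, fmt.Errorf("short line")
	}
	when, err := time.Parse("2006-01-02 15:04:05", f[0]+" "+f[1])
	if err != nil {
		return Event{}, err
	}
	ev := Event{When: when}
	for _, kv := range f[2:] {
		p := strings.SplitN(kv, "=", 2)
		if len(p) != 2 {
			return Event{}, fmt.Errorf("bad field %q", kv)
		}
		switch p[0] {
		case "pin":
			ev.PIN = p[1]
		case "user":
			ev.User = p[1]
		case "action":
			ev.Action = p[1]
		case "to":
			ev.To = p[1]
		case "size":
			if ev.Size, err = strconv.Atoi(p[1]); err != nil {
				return Event{}, err
			}
		}
	}
	return ev, nil
}

// external reports whether addr is outside corpDomain (subdomains count as internal).
func external(addr, corpDomain string) bool {
	at := strings.LastIndex(addr, "@")
	if at < 0 {
		return true
	}
	d, c := strings.ToLower(addr[at+1:]), strings.ToLower(corpDomain)
	return d != c && !strings.HasSuffix(d, "."+c)
}

// Review parses the log text and flags external sends and bursts per device.
func Review(logText, corpDomain string) Report {
	r := Report{External: map[string]int{}, Bytes: map[string]int{}}
	times := map[string][]time.Time{}
	for _, line := range strings.Split(logText, "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		ev, err := parseLine(line)
		if err != nil {
			r.Skipped++ // malformed line: note it, keep going
			continue
		}
		r.Parsed++
		if ev.Action != "EMAIL_SENT" || !external(ev.To, corpDomain) {
			continue
		}
		r.External[ev.PIN]++
		r.Bytes[ev.PIN] += ev.Size
		times[ev.PIN] = append(times[ev.PIN], ev.When)
	}
	for pin, ts := range times { // sliding window over each device's external sends
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		for i := 0; i+burstCount-1 < len(ts); i++ {
			if ts[i+burstCount-1].Sub(ts[i]) <= burstWindow {
				r.Bursts = append(r.Bursts, pin)
				break
			}
		}
	}
	sort.Strings(r.Bursts)
	return r
}

func main() {
	r := Review(sampleLog, "providian.example")
	fmt.Printf("parsed=%d skipped=%d\n", r.Parsed, r.Skipped)
	for pin, n := range r.External {
		fmt.Printf("%s: %d external sends, %d bytes\n", pin, n, r.Bytes[pin])
	}
	fmt.Println("burst devices:", r.Bursts)
}
```

On the constructed sample the review flags device 2000BEEF (four large sends to a personal ISP address within 15 seconds) and notes a single external send from 2000ABCD, which is the kind of signal the thread says you would otherwise only find by reading the user's mailbox on the Exchange server.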
wirelessguy
12-02-2002, 01:05 PM
Tom,
Do you enforce encryption of all internal as well as external email currently?
JimBobJoeRay
12-02-2002, 05:30 PM
Yes, but only if you use the BlackBerry browser from the 3.5 software. Third party software is run through a third party vendors server and is not triple DES encrypted. The BlackBerry browser is run through the BES, which triple DES encrypts all the data.
wirelessguy
12-03-2002, 10:32 AM
That part I understand...the point I was trying to get across is..How secure is the rest of their network. People seem overly concerned about the wireless security when the rest of their network does not meet the same high standards that Blackberry offers.
JimBobJoeRay.....great explanation of the BlackBerry security and common questions people have. Hope you don't mind if I quote you in the future...
JimBobJoeRay
12-03-2002, 03:09 PM
If you mean the rest of RIM's network, it is no more secure than any other data sent wirelessly; anyone can capture a wireless packet. However ALL the packets are triple DES encrypted, making it uncrackable... they can capture it, but it's useless.
If you mean the client's network, it shouldn't be much of a question. If they are currently using Outlook, and feel secure enough to do so, adding the BlackBerry will not open any holes. If their Exchange server is not currently secure enough, they should address that issue without even considering the BlackBerry. Maybe try SMIME certificates.
Thanks for the compliment wireless guy, feel free to quote. :)
PDA Street
Copyright Internet.com Inc. All Rights Reserved.