Cracking the BlackBerry with a $100 Key

Hit Reply writes "Eweek is running the contents of a Symantec white paper that details how easy it is for a hacker to manipulate BlackBerry applications. Using a developer key that can be purchased by anyone for $100, an attacker can launch e-mail worms, SMS interception and backdoor attacks, and compromise the integrity of contacts, events and to-do items. The white paper has been yanked from Symantec's Web site." From the article: "Signed applications can send e-mail and read incoming e-mail. A malicious application could be used to allow third parties to send messages from the infected BlackBerry and also read all received messages. A malicious application could also use e-mail as a command and control channel to receive instructions to send and receive e-mails; send and receive SMS messages; add, delete and modify contacts and PIM data; read dialed phone numbers; initiate phone calls; and open TCP/IP connections."

Heh.

[SatanicPuppy]

I see Symantec is still sensitive to the charge that they create worms, etc, to drum up business for themselves.

Personally it doesn't bother me in the least that a security company is interested in, well, security. Having them actually detail vulnerabilities and produce papers like this would at least be a useful function for them.

Of course, so would producing a worthwhile product that doesn't devour processor cycles, hog system resources, and create system instability upon removal.

Re:Heh.

[mordors9]

One thing that seems funny in all of this to me, someone that is going to crack your blackberry is going to legally buy the developer key? Have to see what turns up on astalavista....

Re:Heh.

[cayenne8]

"One thing that seems funny in all of this to me, someone that is going to crack your blackberry is going to legally buy the developer key? "

Well, the article mentions that you could do this by getting an anonymous pre-paid credit card. Does anyone have further information on this? That sounds interesting....

I googled for a couple, but, most seemed to be overseas 'banks' that have you send $250 or $1K or more to them, and they send you a working 'number'. I'm just a little hesitant to try something like that I'd not heard of before.

Anyone have experience with things like that?

Re:Heh.

"One thing that seems funny in all of this to me, someone that is going to crack your blackberry is going to legally buy the developer key? "

Well, the article mentions that you could do this by getting an anonymous pre-paid credit card. Does anyone have further information on this? That sounds interesting....

I googled for a couple, but, most seemed to be overseas 'banks' that have you send $250 or $1K or more to them, and they send you a working 'number'. I'm just a little hesitant to try something like that I'd not heard of before.

Anyone have experience with things like that?

Search for [CC Brand] Gift Card. For example, Amex Gift Cards ( http://www10.americanexpress.com/sif/cda/page/0,16 41,16130,00.asp )

You can even pick them up at many stores

Re:Heh.

[gclef]

I'm more amused by the fact that Symantec seems to think that repeating 4-month-old DefCon presentations and claiming them as thier own is somehow "newsworthy" or "dangerous."

Re:Heh.

[bendodge]

Why is this a big surprise? Anything powerful, complicated, connected and popular is full of holes. I though vulnerabilities were found long ago.

Re:Heh.

[shri]

I can almost picture a Dr Evil Pointy Hair Boss in charge of developer keys, reading this and going .. "It will now cost 1 million dollars". Helps if you picture him as a Mike Myers look alike.

Re:Heh.

[sumdumass]

I was wondering. Can you still use the blackberry as a phone after installing a symantec product on it?

But what if...

[GoldenWolf]

...your email is encrypted?

Use of PGP or something similar could easily defeat this.

Re:But what if...

[inotocracy]

I believe they already are, encryption keys are regenerated monthly on my blackberry, I always assumed that they were for this exact purpose.

Re:But what if...

[Kijori]

No it couldn't, if there's a malicious program running on your blackberry it doesn't matter what happens to the email in transit, it will be copied/modified etc when it's on the compromised device. Imagine a conversation between two people on a secure line; if one of them's selling what you say to the criminals, it doesn't matter how secure the line is, you're sunk.

So what?

[Jason+Pollock]

So you can get a signature really cheap. The device owner still has to install the application on their Blackberry.

Re:So what?

[WeetzieBatt]

That's true. Signatures are very cheap these days. Twenty years ago you could buy a signature for, say, 10 - 20 bucks -- by which I mean antelope. Thank god for Prop 38. *The best scientist is open to experience and begins with romance - the idea that anything is possible. Ray Bradbury

Re:So what?

[goddidit]

Just send them an attachment named pornviewer.exe.

Re:So what?

Sorry windows boy try again. Blackberry applications are .cod I believe.

Re:So what?

[TheRealMindChild]

You DO know that most PE based OS's use .exe for executables don't you?

Maybe not.

Re:So what?

[__aawdrj2992]

And to do that you would have to plug it in via USB (not Bluetooth) to a PC.

Re:So what?

[zizzybaloobah]

Not necessarily. I develop Blackberry apps and they can be installed via USB or via the device's browser.

Re:So what?

[clydemaxwell]

With the exception of one line of products, blackberry devices run a RIM-provided OS. The BlackberryOS. Not windows PE
Furthermore, when I install applications from a browser onto my blackberry, they are typically .jar or .jad. Java apps.

Re:So what?

[TheRealMindChild]

PE stands for "Portable Executable", which is just one of a handful of binary formats for executables. It was/is actually a modified version of the old Unix COFF format. The most widely used, especially in Unix is ELF, or "Executable and Linking Format". This has nothing to do with windows... PE or otherwise. SkyOS used to use PE before switching to ELF. So did BeOS. There are several hobby-os's out there that currently use it. The problem with the PE format is that is is inadequate for some special purposes. This is why Microsoft continually "extends" it, which leads to new formats like .NET PE, PE+ (or PE32), and the PE format that Windows CE uses (not sure if it has an official name yet)

repeat 5x:

[circletimessquare]

how many crackberries could a cracker crack if a cracker could crack crackberries?

Re:repeat 5x:

You're just as racist as that Michael Richards fellow!

Re:repeat 5x:

[k3vlar]

a cracker could crack no amount of crackberries since a cracker can't crack crackberries. at least, not yet.

Wow major FUD

[electrosoccertux]

I can send malicious emails and execute malicious programs in my friend's Linux box with a free "developer key". Just type "su" in the terminal and then enter this "developer key" (absolutely free) and its all yours.

I should mention that yes, indeed, these situations are almost identical. A root password *can* be changed, to whatever you want, even without knowledge of what previous password was, quite easily.

Re:Wow major FUD

[Jeffrey+Baker]

WTF are you talking about? A developer key does not give you "access to every blackberry out there." The key is used to sign your application, and then the Blackberry runtime will give your application access to protected APIs. The user (or IT department, depending on policy) must intentionally install your software. There's no way to accidentally install software on your Blackberry.

Also it's not trivial to get additional keys. The Blackberry signing certificate program is managed by humans and they catch on pretty quickly. If you even use the signing keys from more than one computer, their signature server will become upset and you'll probably get a phone call from RIM operations.

Re:Wow major FUD

[Ferzerp]

mod parent -1:completely wrong

Re:Wow major FUD

[guaigean]

Actually, it's not at all difficult to break into the average SuSE/RedHat fresh out of the box install. You don't even need an account on the machine to get root. Perhaps the real secrets here are physical access to the machine, or a stupid operator. Either will get you total control of the machine.

Re:Wow major FUD

[clydemaxwell]

Except my root password isn't available for $100 on the RIM website.

will it be used maliciously?

[spoondisaster]

It sounds like it could be possible stalker fodder, but I don't know how many people would find the information a Crackberry stores/sends/receives to be highly valuable. Sure, they could be malicious and run up someone's text messaging bill, but there are a lot funnier ways to piss people off, such as by putting gum on the scroller wheel.

Re:will it be used maliciously?

Right... because Blackberry's target audience consists of high school kids. It's quite fortunate that Blackberry doesn't sell their products to, say, corporate executives or independent businessmen or security officers or financial analysts or government officials.

Re:will it be used maliciously?

[Ferzerp]

You do realize that the reason one would use of a BlackBerry is to be hooked in to a corporate LAN yes? A BlackBerry not on a BES basically castrating the whole device.

Re:will it be used maliciously?

[blincoln]

I guess this is as good a place as any to ask - how did RIM ever sell the idea of having all corporate email and web traffic for Blackberries routed through their servers? I mean, it's overhead for most corporations to have the data routed to and from Canada, but it also gives RIM the ability to read all that confidential information - as if they themselves are the exact type of vulnerability this white paper discusses.

I realize that they did it most likely to keep customers locked into paying for service, but the potential for abuse by rogue employees there is huge.

Re:will it be used maliciously?

[blincoln]

Oh yeah, I was also going to mention - the BES depends on the ability of its service account to masquerade as users, rather than having them enter their Windows credential on the handheld and passing it through on a per-user basis. So the BES domain service account tends to have excessive access to the network. Is there a good reason for that design that I'm missing?

Re:will it be used maliciously?

[Ferzerp]

Only if they can crack 256-bit AES encryption.

Re:will it be used maliciously?

[Ferzerp]

Actually, the BES account needs Send As and Read/Write access to the mailboxes on Exchange. While it does have extensive access to the mailboxes, it needs no access to anything else. If you access secure internal websites, you must provide your domain credentials. If you use it for rdp, you must log in, etc.

Properly configured, that account gives you access to every mailbox on the system, but nothing else. No worse than a mail admin account, and generally with a lot stronger password.

Re:will it be used maliciously?

[whoa+buddy]

I don't think you have the idea right (or maybe I'm mistaken). From what I understand a BES server runs like an Exchange server, where you purchase the program and then the required licenses to run the units off of that program from your server.

Besides, I couldn't imagine everybody's blackberry e-mails passing through Canada, that'd be the number one contribution to global warming!

Re:will it be used maliciously?

[Ferzerp]

it's true.

all non-wap blackberry data travels along the blackberry-cell provider-RIM-BES-wherever (and the reverse for data sent to a blackberry)

Re:will it be used maliciously?

[Nimloth]

If you understand the concept of end-to-end encryption, you'll realize that data is encrypted from device to device. The Blackberry Enterprise Server has the encryption key, the RIM servers don't.

Re:will it be used maliciously?

[Curmudgeonlyoldbloke]

I guess this is as good a place as any to ask - how did RIM ever sell the idea of having all corporate email and web traffic for Blackberries routed through their servers? The alternative would be to work the way that MS Mobile 5 does and have the device in the field connect directly into the Exchange Server (or whatever) via an access mechanism that you maintain. That means that you have to do the work to "keep the bad guys out" rather than RIM. Which one is "better" will depend on your point of view, and what you want to use mobile devices for. Personally, the RIM model makes a lot of sense to me, as you're already trusting your data to "someone else's network" (the wireless carrier). It's a lot easier to implement a connection (always initiated outbound) from your company to RIM than it is to support 1000s of remote devices in the field connecting in to you. Also, as has already been said above, the "rogue employee at RIM" would have to crack the AES / 3DES encryption on the traffic as it went through their servers.

Re:will it be used maliciously?

[blincoln]

Properly configured, that account gives you access to every mailbox on the system, but nothing else. No worse than a mail admin account, and generally with a lot stronger password.

Right, but what I'm getting at is that most admins don't generally set up hundreds of remote devices to do things in the context of their mail admin account.

Because of the BES architecture, isn't a compromised handheld connected to a server running the default configuration a gateway for an attacker to read the email of everyone in the company at best?

Re:will it be used maliciously?

[blincoln]

Personally, the RIM model makes a lot of sense to me, as you're already trusting your data to "someone else's network" (the wireless carrier). It's a lot easier to implement a connection (always initiated outbound) from your company to RIM than it is to support 1000s of remote devices in the field connecting in to you.

Fair enough. My employer already maintains a server on the perimeter for Outlook Web Access, so your argument doesn't apply to us, but absent that I would be more likely to agree with you.

Also, as has already been said above, the "rogue employee at RIM" would have to crack the AES / 3DES encryption on the traffic as it went through their servers.

Assuming they don't already collect the keys to make support calls easier or somesuch.

Re:will it be used maliciously?

[clydemaxwell]

The blackberry WAP Push service for quick email relies on your BES (Blackberry Enterprise Server) being connected to exchange, catching your email, forwarding it to their servers, which then alert your device. All mail on blackberries travels outside your corporation

Re:will it be used maliciously?

[aonaran]

How do you think it gets from the BES server in your corporate LAN onto the cell network?
Your BES doesn't have a cell network router attached to it does it? Did you put up your own cell phone towers?
Probably not.

Re:will it be used maliciously?

[Ferzerp]

The handheld itself has no access. The email it receives is doled out by the BES. a compromised BES account yes. a compromised handheld? No.

A compromised handheld WILL give lan access and email access to the user of that handheld until the device is disconnected from the BES. But the device itself has no permissions.

Since there are no offline password attacks (yet) and you only get 10 tries before a BBerry disconnects itself from its BES, compromising a BBerry always comes down to a bad password/no password/password written on the blackberry type issue. The humans are the point of attack which is really the best we can hope for for any solution.

Re:will it be used maliciously?

Assuming they don't already collect the keys to make support calls easier or somesuch.

The only way they would know the keys is if you told them, or they figured out how to crack Diffie-Hellman key exchange (used in the event that enterprise activation is done over the air). They don't need to know the contents of your email to be able to offer support.

In other news

[Van+Cutter+Romney]

In other news, NTP just sued Blackberry, citing that the vulnerability was actually patented by them.

And just like all the other BlackBerry "exploits"

[Ferzerp]

This one again involves someone willfully installing this hypothetical software...

Just like the last attempt I saw to create a 3rd party BlackBerry security market by saying hey you can write a proxy to use a blackberry as a bridge to a company LAN via MDS... Of course you can (if i install your software)... Now if you can install this software without me letting you, then I'll worry... Until then, it's just FUD to create a market for a 3rd party security product.

Amazing!

[cybereal]

It's amazing! An application installed to your phone can do things!

Why is this even posted like it's some kind of new concept?

If you install an application to your desktop machine, it can do all of those things. Why do you think the phone is any different? If you don't like the idea of malicious software then don't use a smartphone of any variety.

In fact, this should be good news. A person has to go to the extra length of signing their application before it has this access. Of course, on my smartphone an application cannot be installed without my confirmation, regardless of signatures. Is this not the case with the blackberry? If so, shame on you RIM.

Re:Amazing!

[TheGreek]

Is this not the case with the blackberry?

Not only is this the case with BlackBerry, but in many corporate BES deployments, you can't install third-party software even if you want to.

Re:Amazing!

[Ferzerp]

I laugh every time I have to make a new BlackBerry policy... There are tons of policy items... but a large portion of them don't even apply. There are policy items to enforce a certain SSID (no, blackberries don't even have wifi), etc.

Re:Amazing!

There are policy items to enforce a certain SSID (no, blackberries don't even have wifi)Huh? What is the BlackBerry 7270? This is a WIFI only device and it's been out for 2ish years (maybe 3)? http://www.blackberry.com/products/blackberry7200/ blackberry7270.shtml

Re:Amazing!

[Ferzerp]

Wow, I've never seen one of those. How did I miss that....

bizarre.

I found it on RIM's site, but I can't seem to find a place to purchase one of these. RIM just has a "have someone contact you" link.

Re:Amazing!

since it's WIFI only, it's sold directly from RIM/BlackBerry, and will only work in a corporate BES environment. I'm not sure of their pricing. But I guess it would be useful in a large corporate wifi environment, if you're looking to bypass cellular changes while on the company campus. Never tried one myself.

Re:Amazing!

[afidel]

That rocks, it so beats your typical house phone setup, even with portable extensions. You can give each employee their own line, give them mobile email, and avoid the costs of the cellular system. Hmm, now I want to do a feasibility study on large scale VoIP over WiFi deployments using those, you might not even need to give expensive VoIP deskphones, just give em all blackberry WiFi devices. That's a VERY interesting concept, would want to see it in practice but I bet it's doable.

Huh?

[Jeffrey+Baker]

This is a pretty stupid white paper. The whole point of the key is that you can easily tell which key is being used by the offending applications, and then revoke that key. And it costs the attacker $100 per attack. It's a good system which balances the needs of the network, the users, and developers.

Re:Huh?

[Lehk228]

if a malicious app sends $1 premium text mesage from 100 devices that fee is paid up, every device after that is pure profit

Re:Huh?

[alunharford]

Can they revoke the key?
Or do you just have to wait for it to expire?

Re:Huh?

RIM can revoke the key, but it will not stop binaries that are already in the wild.

Re:Huh?

[jonfromspace]

good luck collecting that cash from your gateway provider.

I guess you could run it through some kind of third party provider like clickatel or some such, but once you got to any level of worthwhile volume (Remember, the carriers take 50% right off the top of that $1, and most only pay out quarterly) you would never be able to collect.

Re:Huh?

[Lehk228]

most people don't pay much attention to their phone bills, and even if they do they will call and complain very rarely over a single doller added to a large bill.

Re:Huh?

[Jeffrey+Baker]

Yes it will. The BlackBerry OS loads a certificate revocation list from RIM and will stop running applications signed with revoked certs.

Need keys to verify....

Post your keys so we can verify.....

(Only joking -- don't really do that)

Re:Need keys to verify....

[Ferzerp]

::fishes around his pocket::

Ok, this one says Wal-mart, this one says ACE, this one says Dexter....

Re:And just like all the other BlackBerry "exploit

[afidel]

Not to mention that you can lockdown the devices with an IT policy that doesn't allow the user to install any unapproved (by the Blackberry admin) software. Oh yeah and under OS4+ most automation steps still prompt the user. For instance I get prompted when I try to make a call from an entry in google maps mobile or launch a mailto: link from the Internet Browser app.

Re:Wow major FUD: Yeah, you're full of shit

A root password *can* be changed, to whatever you want, even without knowledge of what previous password was, quite easily.Right. Except that's not true.

That's nothing!

[raehl]

I can crack a blackberry with a $4 hammer!

I can do it for free with my fist, but that kinda hurts.

Re:That's nothing!

[daverabbitz]

You could use your shoe, unless you are one of those freedom loving hippies who don't wear shoes...

Duh

[nurb432]

So you buy a dev tool and can make bad things with it afterwards.. Who would have thought.

Re:And just like all the other BlackBerry "exploit

[Ferzerp]

I've decided this news posting was just an elaborate ploy by Slashdot to identify the BES admins in the slashdot community :P

Re:Wow major FUD: Yeah, you're full of shit

[Ferzerp]

depends on the situation... with physical access it's generally trivial to boot in to single user mode and wipe out a root password with no knowledge of the original.

Nobody's that stupid...

[TheGrinningFool]

... I mean come on, nobody's stupid enough to install random software on their machine without knowing what it does. Oh, wait...

No way!

[77Punker]

So if you execute code on a computer, it does what you tell it to do? Better watch out!

Stock Tip: Symantec downgraded to Strong Sell

[astrosmash]

First they come up with the hypothetical Mac "virus" that can hypothetically execute code if you manually download it and run it. And now it's the hypothetical BlackBerry malware that will hypothetically execute code if you manually download it and run it.

What an absolutely pathetic attempt at marketing from the once grand antivirus company.

Re:Stock Tip: Symantec downgraded to Strong Sell

[swordgeek]

We routinely get security warnings from our security team about horrible flaws on our Unix systems that Symmantec has flagged. Usually they're along the lines of,

"You're running Solaris 8. The default install of the first release of Solaris 8 had an obscure FTP bug and so YOU'RE GOING TO GET HACKED!!!!" This bulletin applies to every release of Solaris 2.5.1, 2.6, 2.7, 7, 8, 8.1, 9.0, 10; HP-UX... Linux...AIX...NCFTPD...WU-FTPD..." and so forth.

Usually it's a single bug in a single version that we've already patched, if it's a service that we actually use (given that we run a pretty tight network internally already).

Luckily our security team is smarter than the software they use, and understand the explanations we give them. Once in a (long) while, they actually find something that needs patching.

erm...so what?

[peektwice]

So I can buy a copy of their development software and make signed programs and sucker people into executing them. So what? The only differences between doing it on a Crackberry and an XBox are the barriers to entry. The price of a dev license for Xbox is much higher, and Microsoft probably makes you sign an agreement stating that you won't do this or that blah blah blah. Blackberry just makes it cheaper and apparently doesn't check credentials.

It's even harder to write a blackberry worm...

[MishaGray]

I'm just a beginner bb developer, but I think it's even HARDER than is sounds to write Blackberry worm.

Even if you DO write a program that reads/sends email or connects to the internet.
And then pay the money and SIGN your malicious app--
and then somehow get somebody to INSTALL it..

Well on the BB releases I use - you will also get WARNINGS when you execute the program.
When the program first tries to access your email folder - it will pop up a warning asking you "do you want to allow this program to acesss your email folder?"

First time the application tries to open a TCP/IP connection to the outside world - same thing: "The application is attempting to open a conneciton to X.X.X.X - do you wish to allow it?". You can type "Allow" or "Deny" or "Allow always".

So BE WARNED: A person can a malicous program, that is signed with his name on it (RIM takes your info before they give you the keys), which you MIGHT install and then you MIGHT accidentally give it access to your emails, and address book, and access to internet. If all those things happen - then it would be bad!

Re:It's even harder to write a blackberry worm...

[techpawn]

You've obviously never met my blackberry users... Corprate Email? I'm too busy playing texas hold 'em! that I downloaded last night!

Re:And just like all the other BlackBerry "exploit

[__aawdrj2992]

QUICK! Better tag it as "itsatrap"!

I will never by an AV for a smartphone

[__aawdrj2992]

I can just see a future where your phone's processor is so bogged down by an Anti Virus "security suite" that it isn't responsive enough to answer a call in time.

Re:I will never by an AV for a smartphone

[Shadyman]

You can already get antiviruses for palms, but that's old news. And yes, it's overkill, especially since data is synchronized anyways.

Slashdot/eWeek/etc - Welcome to last summer!!

[beefdart]

Ummm anyone who cares, google BBproxy and Blackhat/Defcon. There were multiple demonstations of this, and more. This is not just FUD, it is an important potential security hole, into many top enterprise companies.

Oh em gee!

This is basically saying that signed applications have access to the device?
What's next, an alert that signed applications for a PSP can access the memory stick? Signed applications for the Xbox 360 can modify things on the hard drive?
Seriously, shouldn't things like this be a feature?

Developer keys or developer tax?

[jrumney]

It sounds like Blackberry are using developer keys as a tax on development for their platform. Developer keys should not work on any device, you should have to configure your device to accept them, either configuring it as a "development device", or better, configuring it to accept a specific developer key. In the latter case, the device manufacturer, network operator, or whoever controls the production keys, can get out of the way, and let developers create their own self-signed keys for development. Unfortunately too many of them see developers as a direct revenue opportunity, rather than encouraging Free development that increases their revenue more indirectly by making their platform more popular due to the wide range of apps that result.

Re:Developer keys or developer tax?

[daveoj]

You don't need a key to develop/run the application on the simulator(s)... so the development cycle is still essentially free. Only when running on a physical device, do you need to sign the code to allow it to call the various controlled APIs.

Re:And just like all the other BlackBerry "exploit

[clydemaxwell]

Ah, crap.

Re:Wow major FUD: Yeah, you're full of shit

[aonaran]

Why wipe the root password? that would let the legitimate root user know you were there as soon as he/she tried to log in as root again.
what you do is create another account, call it root2 or backupop or something like that, set your own password for it and make it user 0 as well as root.

Now you have root access with a different username and password that doesn't look as suspicious.
This is also good for admins with bad memories who change root passwords often. Set up a second root account with a complex password that you keep in the safe and log that account's actions so you know if someone else manages to use it.

Get the white paper here ..

[rs232]

"The white paper has been yanked from Symantec's Web site"

Blackberry security overview

Re:Get the white paper here ..

[MooseTick]

That isn't the white paper. It is a sales pitch!

so it is ...

[rs232]

"That isn't the white paper. It is a sales pitch!"

Re:Wow major FUD: Yeah, you're full of shit

[PinkPanther]

And thus the advent of tripwire. At best the hacker could disable tripwire, but then the (savvy) admin would notice the lack of tripwire reports.