Slashdot Mirror


Cracking the BlackBerry with a $100 Key

Hit Reply writes "Eweek is running the contents of a Symantec white paper that details how easy it is for a hacker to manipulate BlackBerry applications. Using a developer key that can be purchased by anyone for $100, an attacker can launch e-mail worms, SMS interception and backdoor attacks, and compromise the integrity of contacts, events and to-do items. The white paper has been yanked from Symantec's Web site." From the article: "Signed applications can send e-mail and read incoming e-mail. A malicious application could be used to allow third parties to send messages from the infected BlackBerry and also read all received messages. A malicious application could also use e-mail as a command and control channel to receive instructions to send and receive e-mails; send and receive SMS messages; add, delete and modify contacts and PIM data; read dialed phone numbers; initiate phone calls; and open TCP/IP connections."

5 of 94 comments

  1. Re:Wow major FUD by Jeffrey Baker · Score: 5, Informative
    WTF are you talking about? A developer key does not give you "access to every blackberry out there." The key is used to sign your application, and then the Blackberry runtime will give your application access to protected APIs. The user (or IT department, depending on policy) must intentionally install your software. There's no way to accidentally install software on your Blackberry.

    Also it's not trivial to get additional keys. The Blackberry signing certificate program is managed by humans and they catch on pretty quickly. If you even use the signing keys from more than one computer, their signature server will become upset and you'll probably get a phone call from RIM operations.

  2. Re:Heh. by Anonymous Coward · Score: 2, Informative
    "One thing that seems funny in all of this to me, someone that is going to crack your blackberry is going to legally buy the developer key?"

    Well, the article mentions that you could do this by getting an anonymous pre-paid credit card. Does anyone have further information on this? That sounds interesting....

    I googled for a couple, but most seemed to be overseas 'banks' that have you send $250 or $1K or more to them, and they send you a working 'number'. I'm just a little hesitant to try something like that I'd not heard of before.

    Anyone have experience with things like that?

    Search for [CC Brand] Gift Card. For example, Amex Gift Cards ( http://www10.americanexpress.com/sif/cda/page/0,1641,16130,00.asp )

    You can even pick them up at many stores.

  3. Re:will it be used maliciously? by Ferzerp · Score: 2, Informative

    Actually, the BES account needs Send As and Read/Write access to the mailboxes on Exchange. While it does have extensive access to the mailboxes, it needs no access to anything else. If you access secure internal websites, you must provide your domain credentials. If you use it for RDP, you must log in, etc.

    Properly configured, that account gives you access to every mailbox on the system, but nothing else. No worse than a mail admin account, and generally with a lot stronger password.

  4. Re:will it be used maliciously? by Nimloth · Score: 3, Informative

    If you understand the concept of end-to-end encryption, you'll realize that data is encrypted from device to device. The Blackberry Enterprise Server has the encryption key, the RIM servers don't.

  5. Re:Heh. by gclef · Score: 4, Informative

    I'm more amused by the fact that Symantec seems to think that repeating 4-month-old DefCon presentations and claiming them as their own is somehow "newsworthy" or "dangerous."