Blackberry "Spy" Software Released
Noryungi writes "Maybe the French were on to something after all. It turns out that there is a software available to easily spy on Blackberries, recording voice conversations and all messages (emails or SMS text message) that transmit through the portable device. Of course, the software has to be installed by the owner of the Blackberry, but it would not be surprising to find out that someone has found a way to silently auto-install that software on RIM devices. ZDNet reports that RIM isn't concerned: 'Ian Robertson, senior manager of security and research at RIM, said users need not be particularly worried about the capability of FlexiSPY. "While it's the subject of some debate, I don't consider it a virus nor a Trojan, as it does require conscientious effort from the user to load the program," he said. Robertson said an average user that maintains good [gadget] hygiene would never see the software loaded onto their device without their knowledge.'"
Paris Hilton: back in business.
"Of course, the software has to be installed by the owner of the Blackberry"
If this is true, RIM should go into the software security business and drop this whole phone thing altogether.
This is actually good news for corporate IT Departments. Hopefully this can be pushed out via policy at the BES server.
>an average user that maintains good [gadget] hygiene
SELECT id, name FROM averageusers WHERE good_gadget_hygiene = TRUE;
0 ROW(s) returned.
I'm sure most of you have seen your bosses leave their blackberry, Treo or whatever device they have lying around or just hand it off to the secretary who leaves it on the desk. They really should find some way to alert people if this software or software like this gets on the device as in my humble opinion this is a huge risk for the people who need to have semi-secure communication in most companies I have seen.
Also, I'd like to mention that in my experience, it's often those with the most crucial conversations (ownership/upper management) are the ones who hand off their Blackberry to others for maintenance, etc. A disgruntled/bribed tech could very easily install this.
One other note -- if a user needing to take action to install malware wasn't a problem, we wouldn't see so many compromised machines.
"Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
I insist on good gadget hygiene. An unclean gadget really stinks bad! Those aren't going anywhere near my face!
France has different reasons for avoiding RIM Blackberries.
:-)
Specifically, all email data transferred to/from a Blackberry goes through RIM's "blackberry.net" service, which resides in the US. Therefore, it is a virtual guarantee that all Blackberry emails transit US wires... Very specific US wires and it would be trivially easy to sniff ALL Blackberry.net traffic with a few properly placed protocol analyzers.
The fact that one can install software on a modern microprocessor based telephone-slash-computer that can *gasp* RECORD what the telephone-slash-computer happens to be doing shouldn't come as any sort of surprise to anyone at all.
In fact, this particular bit of news is a bit 'ho-hum', though I'm sure a few tech-stupid executives will gasp and throw their "Crackberry" out the window.
Perhaps this article was written by Microsoft or Apple to bolster the sales of their respective Blackberry competitors?
Stew
There are 10 kinds of people in the world. Those who understand binary and those who don't.
"Want stock quotes quicker try this new freeware program from JimBob's Stock Warehouse.com"
than just about *any* cell phone, pda or laptop? You can write a program that "spies" on someones input into the device for just about any device.
If the government is spying on us, are they really going to let us replace them with open source governance?
I love it when people release these spy tools publicly. Finally "Joe Mousepad" can catch up with the NSA, and spy on his neighbors.
"Suspicion Breeds Confidence"
--
make install -not war
Call Homeland Security! We have a Level 5 Fruit Alert!
Vote monkeys into Congress. They are cheaper and more trustworthy.
I imagine you can silently install this over the air from the BES server. In my current and previous job I am the only IT professional in the company and the sole administrator of the BES server; if I could roll this out using the BES server to everyone's Blackberries then only I would know. I would then be able to listen to all of the senior management's mobile phone calls. Ahh, the power of being the BOFH.
This is a tool because it advertises its functionality... How many game/"productivity"/other third party software packages for the BB have extra program content along these lines? It only costs $100 (http://na.blackberry.com/eng/developers/downloads/api.jsp) to get a program signed by RIM for distribution... And if you provide some bit of useful functionality, pretty soon your SW gets distributed by the cellular providers...
oh, and in answer to the question below about pushing the content from a BES, yes this can be done, but it has to be developed for. You'd have to ask the application provider in question whether their app supports this.
"If still these truths be held to be
Self evident."
-Edna St. Vincent Millay
and I am finally gonna get that bitch!
While some heavily regulated industries may like this, it seems to me that the piracy and privacy risks warrant more concern from RIM.
Answers to even the toughest problems
Of course, the software has to be installed by the owner of the Blackberry, but it would not be surprising to find out that someone has found a way to silently auto-install that software on RIM devices.
... well, then we would have a problem.
huh?! "It would not be surprising"??? Actually, I think that that would be surprising.
The fact that I can install software on my own device which allows calls to be recorded should not really come as a surprise. But if someone else could install said software without my knowledge or touching my device
This article (and its segue) would best be labelled as anti-Blackberry FUD.
<GOAL priority="required">
Convenience
</GOAL>
<GOAL priority="required">
Security
</GOAL>
</PROBLEM>
Which are connected to a BES.
If an administrator does not want people installing software on their phones, there is an option in the security profiles to disable this ability.
If an administrator does not want people to run already installed applications on their phones, there are options to disable it.
"Of course, the software has to be installed by the owner of the Blackberry"
I guess this is opposed to something running Windows, where software needs to be installed by the pwner of the device?
Quidquid latine dictum sit, altum sonatur.
Don't ever think any messages you send on Blackberries are secure. Have a friend that wasn't a very good husband. All the messages from his Blackberry, which he thought were private, wound up in court and cost him an additional $2.5million in divorce settlements.
It is worth pointing out that the program itself doesn't claim to record phonecalls, but rather to use the phone as a 'bug'. It does this by silently answering a telephone call from a defined number. ...from the FAQ...(http://www.flexispy.com/faq.htm)
"What is remote monitoring?
Remote Listening is for FlexiSPY PRO only. You set a special spy call number in FlexiSPY. When a call comes into FlexiSPY from this number, the microphone will secretly switch on and you will be able to hear whatever the phone hears. If the phone is in use, or the user presses a key, the spy call will be disconnected.
Can I listen to phone conversations?
When PRO-X is released, this will be possible"
Announceware doesn't count.
Is there a way for this software to be installed on BB's that are given to the user by their employer, say, w/o the user being aware the software is there? (I am not a network or hardware type so I don't know.) The more likely scenario, where the user works for a large business or a military organization, is that software is being installed willy-nilly whether the user cares or not prior to being issued to the user. I can definitely envision that happening with my boss, the US Army.
It's a feature.
9 times out of 10 I can't think of a reason to want to hear ANYTHING my users say let alone why anyone else would.
Ask not what you can do for your country. Ask what your country did to you
Well, most people I know keep their Blackberry in the holster when they are not talking on them... and if someone holsters it on their right side, it's probably rotated forward so the top of the device faces forward. This means that the microphone is pointed toward the person's ass.
Are you sure you *really* want to hear what that microphone picks up? Especially *after* lunch?
-Rick
> Robertson said an average user that maintains good [gadget] hygiene would never see the software loaded onto their device without their knowledge.
Exactly. If it's loaded onto my device without my knowledge, i couldn't have seen it. Doh. Perhaps he's intentionally avoiding the question.
"While it's the subject of some debate, I don't consider it a virus nor a Trojan, as it does require conscientious effort from the user to load the program," he said. Robertson said an average user that maintains good [gadget] hygiene would never see the software loaded onto their device without their knowledge."
Let's first of all realize that Blackberries and their like are usually used by manager types (or people who want to appear as if they were). Now, if you have ever worked in support, you'll quickly learn that this species usually shows 3 traits:
1. Needs always the coolest, newest gadgets and knickknacks.
2. Has not the foggiest idea about those gadgets.
3. Will never admit that they might have done anything wrong.
This combination is in the presence of spyware a surefire way to get it onto any device coming close to such a person. Yes, it would require "conscientious effort" (though how "conscientious" a manager is in the vicinity of a tech device is debatable). But as we've all learned with Vista, "click allow every time, or it won't work".
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Indeed, that's some serious delusion right there. Most people wouldn't even notice, much less ask, if someone is looking at their phone. If you're paranoid, wait until they're in the can, or busy elsewhere.
In any case, it's something RIM could fix. Rather than deny the problem.
Platform advocacy is like choosing a favorite severely developmentally disabled child.
Most software and patches can be installed silently and remotely to a BlackBerry Device either from the corporate BlackBerry Enterprise Server (BES) or from the Cell Carrier. The Daylight Savings Time (DST) patch was installed by our BES Administrator to all BlackBerry users and Nextel installed a new GPS product onto all BlackBerrys using them as a carrier.
The only action on my part was to turn the BlackBerry on.
Signature applied for, Patent Pending
Robertson said an average user that maintains good [gadget] hygiene would never see the software loaded onto their device without their knowledge.
This is speculation. I don't care how good you *think* you are about protecting something. There is no way you can say it will "Never" be compromised. Same goes for Blackberries and any other *thing* of any sort. This statement is nothing more than *spin* or damage control.
A BES administrator can indeed push software out to your device, but I don't believe they can do so without you noticing. At the very least, the device would notify you that it needs to restart, if I understand correctly.
As for Nextel installing something on your device over the air, that is simply not possible. Sure, they can make new icons pop up by pushing a new Service Book, but that doesn't mean anything new is installed. It's typically just a shortcut to a web-app, or enabling an app that was already installed (e.g. even if you aren't paying for web-browsing service, the browser is still installed. If you change rate plans, they can make that icon appear by enabling that Service Book).
I don't consider it a virus nor a Trojan, as it does require conscientious effort from the user to load the program[...]
Um... it took conscious effort for the original Trojans to load the Greek's Trojan Horse, too. Something deceptive that you install yourself is the very definition of a trojan horse. They don't call it the freakn' "self-propelled automatic city-wall-circumventing horse", now do they?
Does the government care what I do?
On the former, I had to actually look in Options | Applications to verify that I indeed received the patch. On the latter, I double checked and you are correct that it is a new icon that invokes the BB Browser.
Signature applied for, Patent Pending
I wonder why so many people bash on RIM for this like "oh noes, security through obscurity" or "oh noes, the average user is stupid!!!!!111one"
This is actually a good thing, the user can install this program if he wants (and he has the rights to do so), there is no need to block a program to be installed. Or do we all want Microsoft's/RIM's approval for any program that we want to install? No, I do whatever the heck I want on my machine. Maybe Linus Torvalds should also approve all software you run on your box... no, Linus Torvalds is like: oh, this virus/trojan/spyware/whatever doesn't run well, let's fix the kernel.
The real problem is: in a managed (business) environment to let users run whatever the heck they like and that's what Microsoft is so bad in, to secure their machines against UNAUTHORIZED access. If a user decides to install something as their user, they should be able to do so, just like on Linux/Unix, not a 100 warnings, but if their user logs out, the program better be gone too, also (a large problem in Windows) a standard user shouldn't be able to run any programs that could b0rk the system or have direct access to hardware (raw sockets), they can only fsck their own profile. What I don't like is when backdoors are installed in my system (Microsoft likes to do so) that either report any activity to anyone (even if it's only the vendor through an anonymous service) or that allow people to come in without my knowledge. If anyone attempts to, it should be blocked by default unless I allow it. That's what a problem is in most security frameworks these days: the user is too dumb to activate something, so when somebody ELSE asks (whether that is a program or an external user), the operating system doesn't block it, but just asks a question if it's allowed, most users don't know/don't care or are just too friendly to deny anything.
Custom electronics and digital signage for your business: www.evcircuits.com
..It's the payload. All you need now is a good Bluetooth stack vulnerability that will allow you to associate, push code, and install it. THEN you have a security vulnerability.
According to Symantec, the program arrives as the following Java application:
net_rim_app_console_pro.cod
"Robertson said an average user that maintains good [gadget] hygiene would never see the software loaded onto their device without their knowledge."
That's why spyware is no longer a problem on the Windows platform. Should work well with Blackberries too..
I used to work at a company that managed their own BB server; we had the ability to push software to clients without them needing to approve. I wonder if this will be used by companies to help track usage by their employees...
(wonder meaning yes of course they will).
Once again, I would like to point to McNealy's Law, which states that you have zero privacy and to get over it. The FBI has done this in the past and will likely continue this type of activity.
All of the data is encrypted. Sniff it all you want... but then what?
You are making the assumption the attackers are not colluding with RIM (*). If they are, then the fears are valid. It makes no difference where the data center is, or if the data is encrypted, merely using a Blackberry device would end up being a very high security risk. This is why the French banned it.
(*) For example, despite being supposedly killed, the still on-going TIA project, or some other project run by a governmental 3-letter agency.