Slashdot Mirror


Blackberry "Spy" Software Released

Noryungi writes "Maybe the French were on to something after all. It turns out that there is software available to easily spy on Blackberries, recording voice conversations and all messages (emails or SMS text messages) that transmit through the portable device. Of course, the software has to be installed by the owner of the Blackberry, but it would not be surprising to find out that someone has found a way to silently auto-install that software on RIM devices. ZDNet reports that RIM isn't concerned: 'Ian Robertson, senior manager of security and research at RIM, said users need not be particularly worried about the capability of FlexiSPY. "While it's the subject of some debate, I don't consider it a virus nor a Trojan, as it does require conscientious effort from the user to load the program," he said. Robertson said an average user that maintains good [gadget] hygiene would never see the software loaded onto their device without their knowledge.'"

18 of 91 comments

  1. Since when can software only be installed by the owner by alcmaeon · · Score: 2, Funny

    "Of course, the software has to be installed by the owner of the Blackberry"

    If this is true, RIM should go into the software security business and drop this whole phone thing altogether.

  2. Another tool in the corporate toolbox by Trigun · · Score: 2, Insightful

    This is actually good news for corporate IT Departments. Hopefully this can be pushed out via policy at the BES server.

    1. Re:Another tool in the corporate toolbox by Itninja · · Score: 2, Insightful

      In an enterprise-level environment, I can see the benefit of tracking corporate email and SMS messages. However, if a corporation uses the ability to 'record a voice conversation' they could find themselves in trouble. I believe (and please correct me if I'm mistaken) the courts have determined that personal email sent via a corporate email system is legally the property of the corporation, but that telephone conversations are still protected as private.

      Or at least that's something I read somewhere once (I might have been dreaming).

      --
      I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
    2. Re:Another tool in the corporate toolbox by Trigun · · Score: 2, Interesting

      Face it, even if it can't be used in court, it is still a great resource. Being able to physically locate a device, record all the conversations, etc. Plus, you could probably argue that the voice conversation is data, the phone was provided as a business resource, etc. You might get a 'fruit from the poison tree' argument, but even still, a lot of these things wouldn't play out in court.

      "Bob, we know that you've been leaking secrets to the competitors. You're fired. And if you go quietly, we won't pursue criminal charges."
      "Hmmm, I see. I'll clean out my desk."

  3. Null set by Anonymous Coward · · Score: 4, Funny

    >an average user that maintains good [gadget] hygiene

    SELECT id, name FROM averageusers WHERE good_gadget_hygiene = TRUE;

    0 ROW(s) returned.

  4. The part should make everyone very concerned by Pulse_Instance · · Score: 4, Insightful

    Robertson said an average user that maintains good [gadget] hygiene would never see the software loaded onto their device without their knowledge.
    I'm sure most of you have seen your bosses leave their Blackberry, Treo or whatever device they have lying around, or just hand it off to the secretary who leaves it on the desk. They really should find some way to alert people if this software, or software like this, gets on the device, as in my humble opinion this is a huge risk for the people who need to have semi-secure communication in most companies I have seen.
    1. Re:The part should make everyone very concerned by afidel · · Score: 2, Informative

      In a well-run operation you wouldn't be ABLE to install this software: BES has policies, available to the BES administrator, that prevent you from installing unapproved software.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  5. They dismiss the risk -- I wouldn't by Red+Flayer · · Score: 5, Insightful

    Robertson said an average user that maintains good [gadget] hygiene would never see the software loaded onto their device without their knowledge.
    I think Robertson overestimates the average user. Either that, or it's not the "average user" we need to worry about -- it's the significant number of below-average users who could pose a problem. I know for certain that the marketroids with company-purchased Blackberrys at my company are the primary source of infections on our network.

    Also, I'd like to mention that in my experience, it's often those with the most crucial conversations (ownership/upper management) who hand off their Blackberry to others for maintenance, etc. A disgruntled/bribed tech could very easily install this.

    One other note -- if a user needing to take action to install malware wasn't a problem, we wouldn't see so many compromised machines.
    --
    "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    1. Re:They dismiss the risk -- I wouldn't by Red+Flayer · · Score: 2, Insightful

      A competent administrator
      All admins are competent? All devices are locked-down in most companies? I don't think so.

      I'm not saying that the sky is falling -- I'm saying that security on these devices IS a concern, and something we need to be aware of. I'm also saying that it's wrong for Blackberry spokespeople to downplay the risk of malware on the Blackberry, as the risk is real and important (unless of course we take steps to mitigate it, which is the whole point of not downplaying the risk -- to get people to take the necessary precautions).
      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    2. Re:They dismiss the risk -- I wouldn't by Red+Flayer · · Score: 2, Interesting
      No.

      As you point out, anything that runs software carries with it a risk of infection.

      Regardless of RIM's security record and staff, there IS risk.

      Furthermore, maybe you're a bit out of touch with people in a typical workplace. A Blackberry is not a computer to most people, it's an upgraded cell phone. Even people used to taking precautions when using their PC don't always use the same common sense when using their "cell phone", regardless of what it's capable of, and what it's capable of being infected by.

      I am not claiming to know better than the security staff at RIM. What I am claiming to know is that no device that is capable of downloading software is risk-free, and that the below-average user is of concern, particularly to those charged with maintaining security in a corporate setting.

      As for your ad hominem, it's not about karma. It's about a statement made by a spokesperson (which is the first tip-off that you need to look a little deeper) that didn't jibe with me. As you've pointed out, there are precautions that can be taken -- but as I've pointed out, they are not always taken.

      Maybe I'm wrong, but it seems to me that the point you're trying to make is, "Don't worry about it -- they have very good people taking care of that" along with "Don't worry about it, Blackberrys should be locked down". As to the first, that's ridiculous -- security should be a concern for everyone, from decision-makers at the executive level down to the lowliest user, regardless of how good the security staff are at a vendor company. As to the second, you should never forget that a significant segment of users will not take the simplest security precautions if it inconveniences them in any way (including taking the short time necessary to change a configuration).

      To make a long post short, are you just trolling, or do you have points to make that really do contradict what I'm saying, or just more ad hominems and red herrings? I'd be glad to be proven wrong, since then we could all rest assured knowing that Blackberrys are inherently secure with a zero risk of compromise.

      One other note:

      which is the reason they are the only type allowed by some government agencies
      This has little to do with the security of Blackberrys as used by the general public. Note that those government agencies also have more staff devoted to security, policies more conducive to security, and employees more receptive to always acting in accordance with those policies.
      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
  6. France's reasons not related by StewedSquirrel · · Score: 2, Interesting

    France has different reasons for avoiding RIM Blackberries.

    Specifically, all email data transferred to/from a Blackberry goes through RIM's "blackberry.net" service, which resides in the US. Therefore, it is a virtual guarantee that all Blackberry emails transit US wires... Very specific US wires and it would be trivially easy to sniff ALL Blackberry.net traffic with a few properly placed protocol analyzers.

    The fact that one can install software on a modern microprocessor based telephone-slash-computer that can *gasp* RECORD what the telephone-slash-computer happens to be doing shouldn't come as any sort of surprise to anyone at all.

    In fact, this particular bit of news is a bit 'ho-hum', though I'm sure a few tech-stupid executives will gasp and throw their "Crackberry" out the window.

    Perhaps this article was written by Microsoft or Apple to bolster the sales of their respective Blackberry competitors? :-)

    Stew

    --
    There are 10 kinds of people in the world. Those who understand binary and those who don't.
    1. Re:France's reasons not related by Tack · · Score: 5, Insightful

      Specifically, all email data transferred to/from a Blackberry goes through RIM's "blackberry.net" service, which resides in the US.

      Why do people insist on perpetuating this myth? It is simply untrue.

      Very specific US wires and it would be trivially easy to sniff ALL Blackberry.net traffic with a few properly placed protocol analyzers.

      Just as trivial as it is to sniff SSL traffic over the general internet. Trivial, and worthless.

  7. iNSA by Doc+Ruby · · Score: 3, Funny

    I love it when people release these spy tools publicly. Finally "Joe Mousepad" can catch up with the NSA, and spy on his neighbors.

    "Suspicion Breeds Confidence"

    --
    make install -not war

  8. Quick by bryan1945 · · Score: 2, Funny

    Call Homeland Security! We have a Level 5 Fruit Alert!

    --
    Vote monkeys into Congress. They are cheaper and more trustworthy.
  9. Depends on who you consider as the user by jackhererUK · · Score: 3, Interesting

    I imagine you can silently install this over the air from the BES server. In my current and previous job I am the only IT professional in the company and the sole administrator of the BES server; if I could roll this out using the BES server to everyone's Blackberries, then only I would know. I would then be able to listen to all of the senior management's mobile phone calls. Ahh, the power of being the BOFH.

  10. a rose by any other name by conspirator57 · · Score: 2, Interesting

    This is a tool because it advertises its functionality... How many game/"productivity"/other third-party software packages for the BB have extra program content along these lines? It only costs $100 (http://na.blackberry.com/eng/developers/downloads/api.jsp) to get a program signed by RIM for distribution... And if you provide some bit of useful functionality, pretty soon your SW gets distributed by the cellular providers...

    oh, and in answer to the question below about pushing the content from a BES, yes this can be done, but it has to be developed for. You'd have to ask the application provider in question whether their app supports this.

    --
    "If still these truths be held to be
    Self evident."
    -Edna St. Vincent Millay
  11. Check your sources - it can't record calls! by rand0md00d · · Score: 2, Informative

    It is worth pointing out that the program itself doesn't claim to record phone calls, but rather to use the phone as a 'bug'. It does this by silently answering a telephone call from a defined number. ...from the FAQ... (http://www.flexispy.com/faq.htm)

    "What is remote monitoring?
    Remote Listening is for FlexiSPY PRO only. You set a special spy call number in FlexiSPY. When a call comes into FlexiSPY from this number, the microphone will secretly switch on and you will be able to hear whatever the phone hears. If the phone is in use, or the user presses a key, the spy call will be disconnected.

    Can I listen to phone conversations?
    When PRO-X is released, this will be possible."

    Announceware doesn't count.

  12. Listening through the microphone by rickthewizkid · · Score: 3, Funny

    Well, most people I know keep their Blackberry in the holster when they are not talking on them... and if someone holsters it on their right side, it's probably rotated forward so the top of the device faces forward. This means that the microphone is pointed toward the person's ass.

    Are you sure you *really* want to hear what that microphone picks up? Especially *after* lunch?

    -Rick