An Arrow Pointed at the Heart of Your Enterprise: Part 1
I was on a contract recently where the CEO of a Fortune 50 company wanted to install XYZ program on his Blackberry. Apparently he had been to some conference or other and was quite impressed with a program that other CEOs had on their Blackberries. And what they had, he had to have. Thus was born the project to install program XYZ on all C-level executives' Blackberries. My part in this process was to perform the Risk Assessment and present this report to the business unit that “owned” the Blackberry for appropriate Risk Control Measures.
Like most IT folks, I considered myself fairly knowledgeable about Blackberries[1], having carried one for a large part of my professional career. But I was in for a huge awakening when I started doing my research into Research In Motion (RIM), its Blackberry product line and the Blackberry Enterprise Server (BES). As I began the research into known vulnerabilities regarding the Blackberry, it became very apparent very quickly that I didn’t know nearly as much as I thought I did. What follows is a high-level technical overview of the Blackberry
Communications are encrypted end-to-end, from the user’s handheld device all the way through to the inside of the organization’s firewall. RIM has done an outstanding job of encrypting this tunnel with either Triple DES or AES. This very strength is what security researcher Jesse D’Aguanno of Praetorian Global[2] was able to exploit when he presented a vulnerability demonstration at Defcon in 2006. By uploading a specially crafted program to a user’s Blackberry, he was able to turn the handheld device into a proxy server. Since the Blackberry bypasses all of the organization’s typical border protections and exists logically on the organization’s most trusted network segment, it could be used as a proxy by a hacker to access any unsecured asset on the LAN. If this connection were compromised, it would be impossible to detect. The very best scenario would be that sensitive or classified information was detected going from a server to the CEO’s Blackberry. However, what IT person would question the CEO’s need to access this data? And in the worst-case scenario, data would leave the organization through this encrypted back channel for years, until the CEO upgraded the Blackberry.
Most users of Blackberries and similar PDAs think of the device as simply a “cell phone on steroids”. Nothing could be more wrong. The latest generation of Blackberries uses an Intel XScale processor which can perform almost as fast as a Pentium III! Couple this fact with 64 MB of RAM and this little device easily qualifies as a mobile computer. But I would venture to bet that none of the business users who routinely use these devices think of them as such. And therein lies the problem. If a handheld device were to be compromised, this would allow the attacker a protected tunnel directly into the very heart of the organization.
In the almost 2 years since the Defcon presentation, the field of PDA suppliers has burgeoned from a handful to well over a dozen. And with each manufacturer and service provider vying for “ease of use” and more features than the competition, security concerns fall by the wayside. As an example, the majority of these handheld devices ship with Bluetooth enabled. As long ago as 2006 several investigators were able to “hack” Bluetooth cell phones and PDAs from over a mile away! There is even a special device for such long-range hacking called a Bluetooth Sniper Rifle. The author of one particular online article pointed his Bluetooth rifle at an office building in downtown Los Angeles and remarked “This building is full of Bluetooth! Look, we got some Blackberries!” While it is true that newer cell phones and PDAs have become harder to hack, it is also true that hacking tools have become much more sophisticated. Nico Darrow is the author of the article Bluetooth Security Risks in Business, which was published less than a month ago. In this article he says “We are now seeing complex Bluetooth hacking tools becoming available to the public.” A quick search on YouTube for “Bluetooth hacks” yields almost 200 hits. In addition to hawking a particular piece of hacking software, they also give step-by-step tutorials on exactly how to exploit cell phones, PDAs and Smart Phones. In McAfee’s annual report on Mobile Security for 2008 they state that “94% of all mobile users do not have mobile protection software on their mobile devices.” And with worms like Beselo propagating among the SymbOS community, security professionals need to be on the alert.
RIM is among the better companies at securing their PDAs, but is by no means immune from the malware challenge. Most PDAs and Smart Phones do not protect data “out of the box”. For this reason a thriving market exists for third-party security software. But this problem is larger than can be fixed by simply installing encryption software. What is needed is a well-planned training program for the business users who depend on these devices. Users from the CEO to the newly hired sales person must understand that today’s PDAs and Smart Phones are more than just a “cell phone on steroids”. They are full-blown computers with connections to the private LAN and need to be secured as such. Unfortunately, training budgets are usually the first casualty when IT budgets get trimmed, but some problems can only be fixed by educating users. And the threat posed to PDAs, Smart Phones and similar devices is one such instance.
Next Installment: Current Threats to PDAs and Smart Phones (and how to protect your user community)
[1] While I refer to the Blackberry PDA by RIM throughout this article, I am sure that any of the other modern PDAs could just as easily be substituted. However, all the technical details along with particular exploits mentioned are specific to the Blackberry.
[2] Due to a limitation of Ezine Articles, I cannot include all of my references here. A complete list can be found at:
www.ultimatecomputersecurity.com
© 2008 All Rights Reserved.