BlackBerry is in the news again. This time, the buzz surrounds a soon-to-be-released hacking program aimed at the device. But don’t worry. Like the threatened shutdown of BlackBerries this past winter, this new threat may do little more than highlight the ubiquity of the devices.
The program, BBProxy, created by Jesse D’Aguanno, a director at security research firm Praetorian Global, demonstrates how an attacker could use the BlackBerry to attack a company’s internal network. BBProxy, which D’Aguanno presented recently at Defcon, a computer hacker conference in Las Vegas, is scheduled to be posted on the Praetorian Global Web site this week. The intent is educational rather than malicious, he explains.
“This is just a proof of concept to raise awareness of security implications of improperly deploying BlackBerry solutions,” commented D’Aguanno. BBProxy is not a typical malware program that intends to exploit a vulnerability; rather, it is a program that corporate technology administrators can peruse to ensure no one can access an internal network through a backdoor, he said. “BBProxy itself doesn’t attack anything,” said D’Aguanno, adding that it allows access to a company’s internal network, which most BlackBerries have.
However, a different version of the program includes an actual Trojan horse that is delivered through a game in an E-mail link and connects a BlackBerry to an attacker-controlled machine. That application will not be released to the public.
Research in Motion, the maker of BlackBerry, has met with D’Aguanno to discuss his program and confirms that BBProxy itself would not pose a threat to BlackBerry users. Users and network administrators would need to clear several hurdles in order to start such an application on a device. “This isn’t a virus or a hacking tool,” said Scott Totzke, director of the global security group at Research in Motion, “it is a sample code a security researcher is making available to show how to access network resources.” That, he said, can be controlled by using tools that already exist in the device.
“The important thing for customers is [to] understand there are a lot of tools that help administrators control what users can and can’t do with their BlackBerry,” said Totzke. “This is an exercise in configuration management.” For instance, there are 225 policies in a BlackBerry that allow detailed control over what the user can do with the device. Large companies typically set about 180 of those policies on a BlackBerry.
Paul Henry, vice president of Strategic Accounts for Secure Computing, recommends precautions including: isolating servers that connect to the Internet, restricting the internal network or Internet connections a BlackBerry server can access, and allowing only connections necessary to facilitate the normal operation of the mail server.
It seems the “hacking program” should be considered a test — for corporate security. A real security threat would be a disturbance to the business of a device that so many rely upon. When asked if the release of BBProxy is costing Research in Motion extra time and money to respond to the perceived threat, Totzke responded, “The time and money is spent more on answering questions from the media and making sure they are informed of what is already running in the product.”
Research in Motion already has posted two security white papers that describe how to deploy BlackBerry devices securely and protect against malicious software. Additionally, D’Aguanno’s company, Praetorian Global, provides security consulting services.
