By Kim Zetter
Aug. 05, 2006
LAS VEGAS -- A computer security researcher says he's found an unexpected
new path into company networks: the BlackBerry.
Jesse D'Aguanno, a consultant with Praetorian Global, has developed a
hacking program that exploits the trust relationship between a BlackBerry
and a company's internal server to hijack a connection to the network.
Because the data tunnel between the BlackBerry and the server is
encrypted, intrusion detection systems at the perimeter of the network
won't detect the attack.
The technique is successful, D'Aguanno says, because most companies aren't
equipped to detect someone trying to deliver an exploit from inside the
network. It also works because few companies view the BlackBerry as a
plausible attack vector.
"Because it's a handheld device, most people don't think it's something
that can actually harm the rest of your internal network," D'Aguanno
said. "But a BlackBerry is not your average handheld. It's not just a PDA
that's connected (to your network) only when you're in the office. It's a
code-running machine that's always on and always connected to your
internal network and has direct access to whatever you give it access to.
And most company architectures allow it unfettered access to everything on
the internal network."
The program, called BBProxy, has to be placed on a BlackBerry either
physically or as a Trojan horse delivered by e-mail. Once installed, it
causes the BlackBerry to call back to the attacker's system in the
background, opening a communications channel between the attacker and the
company's internal network.
From there, safely behind the organization's firewall, the intruder can
scan for hosts with security vulnerabilities.
D'Aguanno said he'll release BBProxy for download in a week or so.
Given how ubiquitous the BlackBerry is, it's an obvious target for attack,
but few researchers have examined it for vulnerabilities. D'Aguanno says
the attack could be prevented if companies built more secure architectures
on the back end and tightened user policies so not just any user can
install third-party code.
"Securely deploying it shouldn't be that hard but there hasn't been a
whole lot of documentation provided by (BlackBerry maker) Research in
Motion in the past on securely deploying the BlackBerries."
D'Aguanno, who has met with Research in Motion about the issue, said the
company posted two new documents on its website this week in anticipation
of his presentation at the DefCon hacker convention here. The documents
include instructions to customers for configuring a more secure
architecture for BlackBerry service.
Ironically, D'Aguanno's own BlackBerry was stolen during a recent business
trip in Paris.