
Cracking the BlackBerry with a $100 Key

Posted by Zonk on Thu Nov 30, 2006 07:15 PM
from the reach-out-and-worming-someone dept.
Hit Reply writes "Eweek is running the contents of a Symantec white paper that details how easy it is for a hacker to manipulate BlackBerry applications. Using a developer key that can be purchased by anyone for $100, an attacker can launch e-mail worms, SMS interception and backdoor attacks, and compromise the integrity of contacts, events and to-do items. The white paper has been yanked from Symantec's Web site." From the article: "Signed applications can send e-mail and read incoming e-mail. A malicious application could be used to allow third parties to send messages from the infected BlackBerry and also read all received messages. A malicious application could also use e-mail as a command and control channel to receive instructions to send and receive e-mails; send and receive SMS messages; add, delete and modify contacts and PIM data; read dialed phone numbers; initiate phone calls; and open TCP/IP connections."

  • Heh. (Score:5, Insightful)

    by SatanicPuppy (611928) * <Satanicpuppy@gma3.1415926il.com minus pi> on Thursday November 30 2006, @07:20PM (#17058098) Journal
    I see Symantec is still sensitive to the charge that they create worms, etc, to drum up business for themselves.

    Personally it doesn't bother me in the least that a security company is interested in, well, security. Having them actually detail vulnerabilities and produce papers like this would at least be a useful function for them.

    Of course, so would producing a worthwhile product that doesn't devour processor cycles, hog system resources, and create system instability upon removal.
    • Re: (Score:2)

      One thing that seems funny in all of this to me, someone that is going to crack your blackberry is going to legally buy the developer key? Have to see what turns up on astalavista....
      • Re: (Score:2)

        "One thing that seems funny in all of this to me, someone that is going to crack your blackberry is going to legally buy the developer key? "

        Well, the article mentions that you could do this by getting an anonymous pre-paid credit card. Does anyone have

      • Re:Heh. (Score:5, Informative)

        by gclef (96311) on Thursday November 30 2006, @09:21PM (#17059592)
        I'm more amused by the fact that Symantec seems to think that repeating 4-month-old DefCon presentations [defcon.org] and claiming them as their own is somehow "newsworthy" or "dangerous."
  • So what? (Score:5, Insightful)

    by Jason Pollock (45537) on Thursday November 30 2006, @07:23PM (#17058140) Homepage
    So you can get a signature really cheap. The device owner still has to install the application on their Blackberry.
  • repeat 5x: (Score:5, Funny)

    by circletimessquare (444983) <circletimessquare@gma i l . com> on Thursday November 30 2006, @07:26PM (#17058170) Homepage
    how many crackberries could a cracker crack if a cracker could crack crackberries?
  • Wow major FUD (Score:3, Insightful)

    by electrosoccertux (874415) on Thursday November 30 2006, @07:29PM (#17058214)
    I can send malicious emails and execute malicious programs in my friend's Linux box with a free "developer key". Just type "su" in the terminal and then enter this "developer key" (absolutely free) and it's all yours.

    I should mention that yes, indeed, these situations are almost identical. A root password *can* be changed, to whatever you want, even without knowledge of what the previous password was, quite easily.
      • Re:Wow major FUD (Score:5, Informative)

        by Jeffrey Baker (6191) on Thursday November 30 2006, @07:53PM (#17058570)
        WTF are you talking about? A developer key does not give you "access to every blackberry out there." The key is used to sign your application, and then the Blackberry runtime will give your application access to protected APIs. The user (or IT department, depending on policy) must intentionally install your software. There's no way to accidentally install software on your Blackberry.

        Also it's not trivial to get additional keys. The Blackberry signing certificate program is managed by humans and they catch on pretty quickly. If you even use the signing keys from more than one computer, their signature server will become upset and you'll probably get a phone call from RIM operations.

  • It sounds like it could be possible stalker fodder, but I don't know how many people would find the information a Crackberry stores/sends/receives to be highly valuable. Sure, they could be malicious and run up someone's text messaging bill, but there are
    • Re: (Score:2)

      You do realize that the reason one would use a BlackBerry is to be hooked in to a corporate LAN, yes? A BlackBerry not on a BES basically castrating the whole device.
      • Re: (Score:3, Insightful)

        I guess this is as good a place as any to ask - how did RIM ever sell the idea of having all corporate email and web traffic for Blackberries routed through their servers? I mean, it's overhead for most corporations to have the data routed to and from Cana
        • Re: (Score:3, Informative)

          If you understand the concept of end-to-end encryption, you'll realize that data is encrypted from device to device. The Blackberry Enterprise Server has the encryption key, the RIM servers don't.
        • Re: (Score:3, Interesting)

          I guess this is as good a place as any to ask - how did RIM ever sell the idea of having all corporate email and web traffic for Blackberries routed through their servers?
          The alternative would be to work the way that MS Mobile 5 does and have the device in the field connect directly into the Exchange Server (or whatever) via an access mechanism that you maintain. That means that you have to do the work to "keep the bad guy
          • Re: (Score:3, Informative)

            Actually, the BES account needs Send As and Read/Write access to the mailboxes on Exchange. While it does have extensive access to the mailboxes, it needs no access to anything else. If you access secure internal websites, you must provide your domain cr
  • In other news (Score:5, Funny)

    by Van Cutter Romney (973766) <sriram@venkataramani.gmail@com> on Thursday November 30 2006, @07:36PM (#17058320) Homepage
    In other news, NTP just sued Blackberry, citing that the vulnerability was actually patented by them.
  • This one again involves someone willfully installing this hypothetical software...

    Just like the last attempt I saw to create a 3rd party BlackBerry security market by saying hey you can write a proxy to use a blackberry as a bridge to a company LAN via MDS
      • Re: (Score:3, Funny)

        I've decided this news posting was just an elaborate ploy by Slashdot to identify the BES admins in the slashdot community :P
  • Amazing! (Score:2, Insightful)

    It's amazing! An application installed to your phone can do things!

    Why is this even posted like it's some kind of new concept?

    If you install an application to your desktop machine, it can do all of those things. Why do you think the phone is any differen
  • Huh? (Score:5, Insightful)

    by Jeffrey Baker (6191) on Thursday November 30 2006, @07:47PM (#17058466)
    This is a pretty stupid white paper. The whole point of the key is that you can easily tell which key is being used by the offending applications, and then revoke that key. And it costs the attacker $100 per attack. It's a good system which balances the needs of the network, the users, and developers.
  • That's nothing! (Score:3, Funny)

    by raehl (609729) <raehl311.yahoo@com> on Thursday November 30 2006, @08:19PM (#17058890) Homepage
    I can crack a blackberry with a $4 hammer!

    I can do it for free with my fist, but that kinda hurts.
  • Nobody's that stupid... (Score:3, Funny)

    by TheGrinningFool (1014867) on Thursday November 30 2006, @08:35PM (#17059098) Homepage
    ... I mean come on, nobody's stupid enough to install random software on their machine without knowing what it does. Oh, wait...
  • No way! (Score:3, Interesting)

    by 77Punker (673758) <royallthefourthNO@SPAMgmail.com> on Thursday November 30 2006, @09:05PM (#17059428) Homepage
    So if you execute code on a computer, it does what you tell it to do? Better watch out!
  • by astrosmash (3561) on Thursday November 30 2006, @09:38PM (#17059748) Homepage Journal
    First they come up with the hypothetical Mac "virus" [symantec.com] that can hypothetically execute code if you manually download it and run it. And now it's the hypothetical BlackBerry malware that will hypothetically execute code if you manually download it and run it.

    What an absolutely pathetic attempt at marketing from the once grand antivirus company.
  • I'm just a beginner bb developer, but I think it's even HARDER than it sounds to write a Blackberry worm.

    Even if you DO write a program that reads/sends email or connects to the internet.
    And then pay the money and SIGN your malicious app--
    and then somehow get somebody to INSTALL it..

    Well on the BB releases I use - you will also get WARNINGS when you execute the program.
    When the program first tries to access your email folder - it will pop up a warning asking you "do you want to allow this program to access your email folder?"

    First time the application tries to open a TCP/IP connection to the outside world - same thing: "The application is attempting to open a connection to X.X.X.X - do you wish to allow it?". You can type "Allow" or "Deny" or "Allow always".

    So BE WARNED: A person can write a malicious program, that is signed with his name on it (RIM takes your info before they give you the keys), which you MIGHT install and then you MIGHT accidentally give it access to your emails, and address book, and access to the internet. If all those things happen - then it would be bad!