BlackBerrys susceptible to Trojans?

12 Comments

A presenter at Kiwicon, a security conference in New Zealand, recently showed how easy it is to set up a Trojan on a BlackBerry. Given that this involves getting the user to install the client-side program in the first place, Graeme Neilson from Aura Software Security makes it sound like a piece of cake.

“But all code that runs on Blackberrys is signed, right? Yes, Neilson says, but the maker of the portable device, Research in Motion (RIM), isn’t too fussy about who it sells certs to. If you want to get your Trojan code signed to run on a Blackberry, just go to the Research In Motion Web-site, plug in your details, pay a fee and voila! You’re in business.”

  • http://www.blackberry.com/security bb Expert

    Except once you manage to get your malicious code signed, you then need to make sure the user explicitly allows that application to be able to send/receive any data, or access persistent data stored on the device.

    ATMs are pretty susceptible to someone stealing your money if you give your PIN out to everyone…

  • http://www.devberry.com/ Neil

    This article is simply fear mongering. Technically, the definition of a Trojan is “a piece of software which appears to perform a certain action, but in fact, performs another”.

    There is no way it is possible for any device which permits the installation of software to not be open to abuse from Trojans, unless you have some body that approves every single application out on the market. That is never going to happen because it’s simply not economical.

    The BlackBerry is no more susceptible to a Trojan than any other computing device out there. The take home message for the user is to only install software from a publicly validated source. But that should be a pretty ‘duh’ statement given the current Internet climate.

  • Dave

    So that being the case, is it possible that a certificate can be invalidated? I think my browser has something called a certificate revocation list; does BB have a similar function? I noticed in the newest BB Desktop Manager there are now some certificate synchronization options. Would I have to manually go get expired certificates?

    The net of what I’m asking is that if a certificate does fall into the wrong hands, can it be un-certified, or does the process just give us a place to send the lawyers?

  • JD

    CRLs (revocation lists) are an important part of security design, but are regularly disabled because they slow things down. Obvious example: IE is the most popular browser in the world and disables CRL checks by default, and it is rarely if ever turned on via group policy at corporations.

    Not that it matters much. Most internet users wouldn’t blink at installing unsigned code; some of Microsoft’s own code is unsigned at times.

    Trojans are incredibly easy. The real issue is that they aren’t good vectors for distribution – you can be sure that someone will be infected, but it’s not the fastest way to spread them. So they are best for targeted attacks on specific people to establish a beachhead for other attacks.

  • http://www.blackberryforums.com/ d_fisher

    Keep in mind that trojans can be eliminated on BES connected devices by simply enabling the IT policy rule that restricts the installation of third party software. Any company that is on BES and even remotely cares about security uses this policy.
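
The thread above raises three separate gates that stand between a signed package and running code: the signature itself (which, as the article notes, only proves that someone bought a signing certificate), a revocation check (Dave's question, and JD's point that CRL checks are often switched off because they are slow), and an organisation-wide policy that forbids third-party installs outright (d_fisher's BES IT policy). The following is an added example, not RIM's loader, BES, or any code from the post or its commenters, showing how a device-side installer would apply those gates in order and why skipping the revocation step matters. Signatures are simulated with an HMAC over the package bytes under a per-signer secret, a stand-in for the public-key signatures a real scheme uses so that the example runs with the Python standard library alone; the signer IDs, keys and policy field names are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed signer registry: signer id -> signing secret.  In a real PKI this
# would be a certificate chain and a public key rather than a shared secret.
SIGNER_KEYS = {
    "signer-0001": b"\x01" * 32,   # constructed: a legitimate vendor
    "signer-0002": b"\x02" * 32,   # constructed: a vendor whose key is later reported stolen
}


@dataclass(frozen=True)
class Package:
    name: str
    payload: bytes
    signer_id: str
    signature: bytes


def sign_package(name: str, payload: bytes, signer_id: str) -> Package:
    """Produce a 'signed' package: HMAC-SHA256 over the payload under the signer's key."""
    tag = hmac.new(SIGNER_KEYS[signer_id], payload, hashlib.sha256).digest()
    return Package(name, payload, signer_id, tag)


def signature_valid(pkg: Package) -> bool:
    """Gate 1: the package is untampered and was signed by a registered signer.
    This says nothing about whether the signer is trustworthy."""
    key = SIGNER_KEYS.get(pkg.signer_id)
    if key is None:
        return False
    expected = hmac.new(key, pkg.payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, pkg.signature)


@dataclass
class InstallPolicy:
    # False models the BES-style rule that blocks all third-party software.
    allow_third_party: bool = True
    # Signer ids whose certificates have been revoked (the CRL contents).
    revoked_signers: frozenset = field(default_factory=frozenset)
    # What to do when the CRL cannot be fetched: refuse (fail closed) or skip the check.
    fail_closed_on_missing_crl: bool = True


def install_decision(pkg: Package, policy: InstallPolicy, crl_available: bool = True):
    """Apply the three gates in order and return (allowed, reason)."""
    # Gate 3 first: if the organisation forbids third-party code, nothing else matters.
    if not policy.allow_third_party:
        return False, "policy: third-party software installation disabled"
    # Gate 1: signature and signer registration.
    if not signature_valid(pkg):
        return False, "signature: invalid or unknown signer"
    # Gate 2: revocation.  A missing CRL is the case JD describes: skipping the
    # check for speed removes the only way to stop code from a key that has
    # since been compromised, so the default here is to fail closed.
    if not crl_available:
        if policy.fail_closed_on_missing_crl:
            return False, "revocation: CRL unavailable, failing closed"
    elif pkg.signer_id in policy.revoked_signers:
        return False, f"revocation: signer {pkg.signer_id} is revoked"
    return True, "signed by a registered, unrevoked signer; third-party install permitted"


if __name__ == "__main__":
    # Constructed packages: a benign app and a 'game' signed with the stolen key.
    benign = sign_package("notes", b"benign notes app", "signer-0001")
    trojan = sign_package("game", b"looks like a game, opens a proxy", "signer-0002")
    for label, policy, crl in [
        ("default policy, CRL present", InstallPolicy(), True),
        ("signer-0002 revoked", InstallPolicy(revoked_signers=frozenset({"signer-0002"})), True),
        ("signer-0002 revoked, CRL unreachable", InstallPolicy(revoked_signers=frozenset({"signer-0002"})), False),
        ("third-party installs disabled", InstallPolicy(allow_third_party=False), True),
    ]:
        print(f"{label}: benign -> {install_decision(benign, policy, crl)}")
        print(f"{label}: trojan -> {install_decision(trojan, policy, crl)}")
```

Run as a script, the first policy shows the article's point: the Trojan passes the signature check exactly as the benign app does, because the signature only vouches for who paid for the certificate. It is the later gates that stop it, and only if the CRL is actually consulted (or the loader fails closed when it cannot be) or the BES-style policy blocks third-party code altogether.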

  • Ummm…

    I think one important fact has been lost here. This was first reported in Aug 2006 and there is no new content… literally.

    Here’s another article with the same “hack” described:
    http://www.pdastreet.com/articles/2006/8/2006-8-9-BBProxy-Hack-Exposes.html

    Furthermore, I found that the site you linked actually plagiarized this site word for word in some instances.

    Check “The BlackBerry server and mail server should also not be permitted to open arbitrary connections to the internal network or Internet, and internal users should not be permitted to open arbitrary connections to either the BlackBerry server or mail server.”

    and check “There is something like 250 plus commands that allow the administrator to have full control over how the BlackBerry as a platform is used by the users within the BlackBerry Enterprise Server community.” versus “‘There is something like 250 plus commands that allow the administrator to have full control over how the BlackBerry as a platform is used by the users with in the BlackBerry Enterprise Server community,’ Totzke said.”

    RIM shot this down years ago. So how is this news again? Intentionally spreading FUD should be illegal IMHO.