RIM talks about security threat of DDOS attacks on carriers

12 Comments

Scott Totzke, RIM’s vice-president of BlackBerry security, recently spoke with the press about the potential for DDOS attacks by hackers using BlackBerry devices to target wireless networks. The thought is that because the BlackBerry is essentially a smaller PC, it could be used in a similar manner to overload networks.

But is this really a big concern? I have to agree with Ronen at BerryReview that someone stealing personal data with an application seems like a bigger concern. All you have to do is build an application that accesses user data and sends it back to the company’s servers. If they wanted to, a company could use the data on your BlackBerry for malicious purposes.

It seems like only a matter of time until someone in Nigeria figures out how to submit a malicious app to Mobihand. While App World might have a vetting process that looks at what the app is accessing, I can guarantee you the Mobihand network isn’t diligent enough to catch something like this.

Remember, Mobihand are the same people who sell NetworkACC, a bogus application that claims to speed up your mobile network. Not only is the app bogus and a waste of money, but I bet eMobiStudio are gaming the review system, because their app is filled with 5 star reviews. Mobihand have such a weak review system that anyone can write a hundred positive reviews about their own app.

We can only hope that if a malicious app shows itself, the good people at BlackBerry Cool, BerryReview, CrackBerry, etc. will find out and spread the word not to download it.

  • http://www.berryreview.com/ Ronen

    I agree with you Kyle. It is crazy what an app can do to your private info once installed. You could come up with a fart app that stole all of the users confidential information. I wonder if any user has ever selected that they don’t want to give an application “Trusted” status…

  • Pierre-Alain R.

    As far as I know, if an app wants to access your personal data, it needs your approval, but in addition it must be “signed” by RIM, otherwise the device refuses to grant access.

    And DDOS on carriers (or the threat to do so) could grant much more cash than the cellphone number of my grandmother.

  • http://www.berryreview.com/ Ronen

    Pierre,
    The app will just ask you after it installs if you want to grant it trusted application status. I have yet to run into anybody that does not click yes instinctively. Even RIM makes yes the default option. That gives them full access to your phone book, all your email, calendar, & more.

    On the other hand you don’t make any money off of DDOS attacks since all they do is take a service out of commission. Essentially what the iPhone is doing to AT&T’s network every day all day… :) The only way you make money off DDOS attacks is if somebody pays you to attack one of the carriers like a competitor or terrorists… which would be pretty easy to spot.

  • http://www.blackberrycool.com/ Kyle

    It’s true, even the most experienced BlackBerry users are giving applications “Trusted” status without thinking. I know I instinctively trust the apps I download and I probably shouldn’t be so open about it. It’s like EULAs. Does anybody take the time to actually read those agreements? I just scan through the stuff thinking “yeah yeah yeah, just give me the app already!”

  • Pierre-Alain R.

    Sorry for the “digitally signed” bit, I was sure that your private data could only be accessed by digitally signed apps.

    But on the money side, make no mistake. This can be very lucrative. Imagine:
    - take big red network down for 5 min
    - contact them and say: 1M by 1 hour, or network down for a good while

    This technique usually works fine. Imagine how much downtime costs a carrier. Loss of money (no calls, no service, prejudice to clients), loss of image for the company. At least, that’s one of the ways banks get milked.
