Specifications
Table Of Contents
- Introduction
- Architecture Overview
- Operating System
- Code Signing
- Modifying Signed Applications
- Malicious Code Signing
- Mitigation Strategies
- BIS Deployment
- Application Permissions
- Device Firewall
- BES Deployment
- IT Policy
- Application Control Policy
- Application Permissions
- Device Firewall
- Attack Surface Analysis
- Introduction
- JAD Files
- Mitigation
- File System
- Persistent Storage
- J2ME File System
- USB Mass Storage
- Mitigation
- Memory and Processes
- Auto start-up and Background processes
- SMS (Short Message Service)
- Premium Rate Scam
- SMS Interception
- SMS Backdoor
- Mitigation
- Bluetooth
- Bluetooth Backdoor
- Bluetooth Worms
- Mitigation
- Email
- Email Interception
- Backdoor
- Worm
- Mitigation
- PIM Data (Personal Information Manager Data)
- Data Theft
- Loss of data availability and integrity
- Mitigation
- TCP/IP Connections
- Proxy/Firewall Bypass
- Backdoor
- Port Scan
- Mitigation
- Port Scan
- HTTP / WAP
- Data Theft
- Backdoor
- HTTP Proxy
- Mitigation
- Telephony
- Call Record Monitoring
- Premium Rate Calls
- Bypassing Caller Verification Systems
- Telephony Data Theft
- Mitigation
- Camera
- Mitigation
- Conclusions
- Appendix A
- References

Attack Surface Analysis of BlackBerry Devices
Bluetooth
The BlackBerry Pearl 8100 has increased Bluetooth support compared to some of its predecessors. It now
provides the following profiles:
• Handsfree
• Handset
• Serial Port
• OBEX (OBject EXchange, for file transfer)
• DUN (Dial Up Networking)
Applications can transmit data to and from the BlackBerry via the Bluetooth serial port profile, but pairing
is always required (Figure 11). To bypass pairing, a vulnerability in the Bluetooth stack would have to be
present. Symantec are not aware of any such vulnerability at the time of writing.
Unsigned applications can use Bluetooth via the javax.microedition.io.Connector class, but an
application must be signed in order to use the net.rim.device.api.bluetooth.BluetoothSerialPortInfo
class. This class is required to gather the information necessary to establish a client-side Bluetooth
connection. If an application can ascertain this information in another manner (for example, if the
Bluetooth device address and channel are hard-coded), then it can use the Bluetooth serial port
connection without being signed, although the devices must still be paired.
The DUN profile allows a paired PC to use the BlackBerry's data connection. However, it provides the
user with a standard "AT command set" interface, which can be used for tasks other than dial-up
networking, such as initiating phone calls from the paired PC.
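A review-side check for the hard-coded case described above, as an added example that is not part of the original paper: it scans an application binary for literal serial-port URLs with a fixed device address and flags binaries that contain one without referencing the signed BluetoothSerialPortInfo class. It assumes the device accepts the JSR-82 `btspp://` URL form through Connector; the function names and sample bytes are constructed for illustration.

```python
import re

# JSR-82 serial-port URL: btspp://<12 hex digit address>:<channel>[;param=value...]
# Assumption: this is the URL form handed to javax.microedition.io.Connector.
BTSPP_URL = re.compile(rb"btspp://([0-9A-Fa-f]{12}):(\d{1,2})((?:;[a-z]+=[a-z]+)*)")
# Signed RIM class named in the text, as it appears in a Java constant pool.
SIGNED_API = b"net/rim/device/api/bluetooth/BluetoothSerialPortInfo"


def find_hardcoded_btspp(blob):
    """Return every literal btspp:// URL with a fixed device address in blob."""
    findings = []
    for m in BTSPP_URL.finditer(blob):
        addr = m.group(1).decode().upper()
        params = dict(p.split("=") for p in m.group(3).decode().split(";") if p)
        findings.append({
            "offset": m.start(),
            "address": ":".join(addr[i:i + 2] for i in range(0, 12, 2)),
            "channel": int(m.group(2)),
            "params": params,
        })
    return findings


def triage(blob):
    """Summarise one application binary for a reviewer."""
    urls = find_hardcoded_btspp(blob)
    uses_signed_api = SIGNED_API in blob or SIGNED_API.replace(b"/", b".") in blob
    return {
        "hardcoded_urls": urls,
        "uses_signed_api": uses_signed_api,
        # A literal peer address without the signed lookup class: review by hand.
        # URLs assembled at run time are not visible to this string scan.
        "flag": bool(urls) and not uses_signed_api,
    }


# Constructed sample inputs (not taken from any real application).
SAMPLE_HARDCODED = (b"\xca\xfe\xba\xbe\x00\x01javax/microedition/io/Connector\x01\x00"
                    b"btspp://0123456789AB:1;authenticate=false;encrypt=false\x01\x00")
SAMPLE_DISCOVERY = (b"\xca\xfe\xba\xbe\x00\x01net/rim/device/api/bluetooth/"
                    b"BluetoothSerialPortInfo\x01\x00")

if __name__ == "__main__":
    for name, blob in [("hardcoded", SAMPLE_HARDCODED), ("discovery", SAMPLE_DISCOVERY)]:
        print(name, triage(blob))
```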
Bluetooth Backdoor
Sensitive data (such as emails, contacts) can be obtained using the methods discussed in this document.
Once this information has been obtained, the application can open a Bluetooth serial connection with a
paired device that is within range, and transmit the gathered data. Note that the user would have to
intentionally pair with the attacker's Bluetooth device before this could work, making it less feasible
than most of the other attacks outlined in this document.
Bluetooth Worms
Bluetooth worms are very unlikely due to the significant amount of human interaction involved in pairing
with a Bluetooth device, accepting a file transfer, and the difficulty in executing any transferred content.
Figure 11: Bluetooth Pairing, PIN entry










