Specifications
Table Of Contents
- Introduction
- Architecture Overview
  - Operating System
  - Code Signing
    - Modifying Signed Applications
    - Malicious Code Signing
- Mitigation Strategies
  - BIS Deployment
    - Application Permissions
    - Device Firewall
  - BES Deployment
    - IT Policy
    - Application Control Policy
    - Application Permissions
    - Device Firewall
- Attack Surface Analysis
  - Introduction
  - JAD Files
    - Mitigation
  - File System
    - Persistent Storage
    - J2ME File System
    - USB Mass Storage
    - Mitigation
  - Memory and Processes
    - Auto start-up and Background processes
  - SMS (Short Message Service)
    - Premium Rate Scam
    - SMS Interception
    - SMS Backdoor
    - Mitigation
  - Bluetooth
    - Bluetooth Backdoor
    - Bluetooth Worms
    - Mitigation
  - Email
    - Email Interception
    - Backdoor
    - Worm
    - Mitigation
  - PIM Data (Personal Information Manager Data)
    - Data Theft
    - Loss of data availability and integrity
    - Mitigation
  - TCP/IP Connections
    - Proxy/Firewall Bypass
    - Backdoor
    - Port Scan
    - Mitigation
    - Port Scan
  - HTTP / WAP
    - Data Theft
    - Backdoor
    - HTTP Proxy
    - Mitigation
  - Telephony
    - Call Record Monitoring
    - Premium Rate Calls
    - Bypassing Caller Verification Systems
    - Telephony Data Theft
    - Mitigation
  - Camera
    - Mitigation
- Conclusions
- Appendix A
- References

Attack Surface Analysis of BlackBerry Devices
attacker may be able to obtain another BlackBerry SIM from the same network provider, which uses the same BlackBerry APN. If the network provider does not sufficiently segment or filter user IP traffic, then this second SIM could be used by the attacker in another device to connect to the TCP server socket on the affected BlackBerry device.

Note that signed code can open TCP connections without the user being prompted, unless they have activated the device firewall, in which case they will receive a prompt similar to that in Figure 13. See the Mitigation Strategies section for more details.
Proxy/Firewall Bypass
A malicious application could connect to the attacker and then connect to services on the corporate network via MDS. Note that if the MDS is run on the internal portion of the enterprise LAN, instead of in a DMZ [12], then corporate firewalling will also be bypassed, allowing data to flow between the general Internet and services internal to the enterprise in question. This allows the attacker to utilize the BlackBerry as a TCP proxy between herself and services normally not visible to those on the broader Internet. With the firewall turned off and default application permissions, if the application is unsigned the user will be prompted to allow network access using the standard dialog. However, if the application is disguised as an application that requires network access, then they may not notice anything unusual. If the application is signed, then it requires no user interaction and can run silently. [8]
Note that in a default BES deployment, the firewall is enabled, and the user will receive additional prompts
before connections are allowed, even for signed code.
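The paragraph above turns on one fact: whatever MDS is allowed to reach, a device application relaying traffic through MDS can reach as well. The following is an added illustration (not code from the paper, and not BlackBerry's own configuration format): a small default-deny rule evaluator that reports which internal services a relay through the MDS host could reach beyond the ones the enterprise intended. The two placements compared, MDS on a flat internal LAN versus MDS in a DMZ with explicit rules, correspond to the DMZ point in the text. All host names, addresses and rules are constructed for the example.

```python
"""
Exposure check for a mobile-data relay host such as MDS.

Added example, not from the paper. It models a generic firewall allow-list
(not any vendor's rule syntax) and asks: which internal services would a
device application be able to reach by relaying through the MDS host?
Every address, service and rule below is constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class Rule:
    """One allow rule: flows from src network to dst network on port (None = any port)."""
    src: str
    dst: str
    port: Optional[int] = None


@dataclass(frozen=True)
class Service:
    name: str
    addr: str
    port: int


def allowed(rules: Iterable[Rule], src_ip: str, dst_ip: str, port: int) -> bool:
    """Default-deny evaluation: the flow passes only if some allow rule matches."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst) and r.port in (None, port):
            return True
    return False


def relay_exposure(rules: List[Rule], mds_ip: str,
                   services: List[Service], intended: Set[str]) -> List[str]:
    """Names of services reachable from the MDS host that MDS was never meant to reach.

    Anything in this list is reachable from the Internet by way of a malicious
    device application acting as a TCP proxy, regardless of the perimeter firewall.
    """
    reached = [svc for svc in services if allowed(rules, mds_ip, svc.addr, svc.port)]
    return sorted(svc.name for svc in reached if svc.name not in intended)


# Constructed enterprise: MDS is only supposed to reach the intranet web and mail servers.
INTERNAL = [
    Service("intranet-web", "10.10.1.10", 80),
    Service("mail-imap", "10.10.1.20", 143),
    Service("file-server", "10.10.2.5", 445),
    Service("hr-database", "10.10.3.8", 1433),
    Service("admin-ssh", "10.10.0.1", 22),
]
INTENDED = {"intranet-web", "mail-imap"}

# Placement 1 (constructed): MDS sits on the internal LAN; the LAN is flat and unfiltered.
MDS_INTERNAL_IP = "10.10.5.50"
FLAT_LAN_RULES = [Rule("10.10.0.0/16", "10.10.0.0/16")]

# Placement 2 (constructed): MDS sits in a DMZ; only two explicit flows into the LAN exist.
MDS_DMZ_IP = "192.0.2.50"
DMZ_RULES = [
    Rule("192.0.2.0/24", "10.10.1.10/32", 80),
    Rule("192.0.2.0/24", "10.10.1.20/32", 143),
]

if __name__ == "__main__":
    print("internal placement exposes:",
          relay_exposure(FLAT_LAN_RULES, MDS_INTERNAL_IP, INTERNAL, INTENDED))
    print("DMZ placement exposes:",
          relay_exposure(DMZ_RULES, MDS_DMZ_IP, INTERNAL, INTENDED))
```

With the flat internal placement the report lists the file server, the database and the admin SSH host, i.e. everything the device relay can reach that the perimeter firewall would otherwise hide; with the DMZ placement and explicit rules the report is empty. The same function can be fed an export of real rules once they are translated into source, destination and port triples.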
Figure 12: Unsigned application opening TCP socket

Figure 13: Signed application opening TCP socket when device firewall is enabled