Researchers Warn of Serious BlackBerry Vulnerability

Updated: Companies with BlackBerry communications servers installed behind their gateway security devices could be compromised when a security researcher releases new hack code for the wireless devices.

Businesses that use gateway security appliances to protect Research In Motions BlackBerry communications servers could be subject to attacks based on the planned release of exploit code by a high-profile malware researcher.

According to a warning released by network security applications and device provider Secure Computing, organizations with their BlackBerry servers installed behind their gateway intrusion detection boxes could be compromised when researcher Jesse DAguanno, a consultant with risk management experts Praetorian Global, of Placerville, Calif., releases his code the week of Aug. 14. DAguanno first revealed his vulnerability exploit on Aug. 5 at the Defcon hacker convention in Las Vegas.

For its part, RIM maintains that the so-called vulnerability illustrated at Defcon merely proves that third-party applications can run on its devices, not that the handhelds or their back-end systems are necessarily open to attack. By administering the various security tools available in its systems, IT administrators can greatly reduce the potential for any attack by banning or limiting the privileges of various types of applications, company officials said.

"I wouldnt characterize this as a flaw, but the ability to run a program on the network," said Scott Totzke, director of RIMs Global Security Group, in Waterloo, Ontario. "We have tools [that can be used] to manage and control third-party applications, and administrators can close the door to third-party applications completely, or use a whitelist approach that can allow them to be very granular in what they might allow."

The company also maintains that the attack described by DAguanno, which requires that a user consciously download malware to the device, could be used to access systems on almost any mobile device, including smart phones, PDAs and laptops.

In addition to utilizing the security features in its software, the company said customers can take the additional step of installing BlackBerry servers in segmented networks to protect themselves.

Totzke pointed out that RIM has not experienced any major malware attacks thus far, and that it has reported only a handful of potential vulnerabilities.

"There have been some things brought to [our] attention over time that were fixed, but not a lot," he said. "We encourage researchers to work with us to find potential issues and resolve them; were big fans of responsible disclosure and working with researchers to help build the best products."

The company has posted a pair of documents highlighting BlackBerry security features on its Web site in response to the vulnerability report.

In his presentation at Defcon, DAguanno highlighted the ability of a hacking program dubbed BBProxy to be installed on a BlackBerry device or sent as an e-mail attachment to an unsuspecting user. Once installed, the attack opens a covert communications channel with the RIM servers by bypassing gateway security controls installed between the hacker and the inside of the victims network.

Because the communications channel between the BlackBerry server and any connected handheld device is encrypted and cannot be scoured by most network intrusion detection tools, unsuspecting administrators could be lured into opening the connection and allowing it to link to the network, according to Secure, which is based in San Jose, Calif. Once an outsider has been given such access to a network they could use it to carry out a range of dishonest activity, from stealing information to using the connection to deliver malware code.

As a result, Secure is recommending that companies using BlackBerry servers in such an environment should isolate the devices on their own DMZ segments, while limiting any network connections to those specifically necessary to facilitate the operation of the BlackBerry servers. The company said that the servers should not be configured to open arbitrary connections to the internal network or Internet.

/zimages/6/28571.gifA pair of hackers at the Black Hat conference showed off a new technique for breaking into computers via flaws in wireless drivers. Click here to read more.

Secure advises that any mail servers working with the BlackBerry infrastructure should also be isolated on their own separate DMZ, allowing only the minimum connections needed to remain up-and-running. BlackBerry-connected mail servers should not be allowed to open arbitrary connections to internal networks or the Internet to protect against attacks, the company said. Internal users should also be barred from opening arbitrary connections to either BlackBerry servers or connected mail servers, according to the security company.

The attack detailed by DAguanno uses the trusted relationship established between the RIM back-end servers and its popular wireless devices to take over the network on which they are running. Because the communications between the devices are encrypted, network defenses will not find or shut down the tunnel, the researcher maintains. Since most companies cannot detect the attack once it has been launched internally on a network, and the BlackBerry infrastructure has not yet been singled out by high-profile attacks, enterprises operating the gear are likely to be vulnerable, DAguanno said.

After reporting the potential weakness, DAguanno said he would release his exploit code for download in roughly one week. The attack is not yet believed to have been made publicly available.

RIM shipped just under 1.3 million BlackBerry devices during the second quarter of 2006, according to the latest figures from researchers at Gartner, in Stamford, Conn. The wireless device maker reported that it had approximately 5.5 million subscribers worldwide at the close of its first quarter, which ended June 3, and said it hoped to add another 700,000 customers during the second quarter as it drives toward its target of attracting 10 million users around the globe.

/zimages/6/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.