If your BlackBerry server sits behind a firewall or IDS, beware: A researcher will release proof-of-concept code this week that an attacker could use to get inside the corporate network.
Jesse D'Aguanno, director of professional services and research for Praetorian Global, says his project doesn't actually target the BlackBerry Enterprise Server itself. "It's not an exploit in the traditional sense where it's a software bug that needs a patch," D'Aguanno says. "It's really more of an architectural issue, exploiting the trust between a BlackBerry and BES and the components that allow network access."
It's a back-channel that subverts perimeter security, he says, and the BES then becomes a stepping-stone to any other machine on the internal network. Once in through the BlackBerry, an attacker could hit any vulnerable machine on the network. "The attacker wouldn't have to use BlackBerry as a conduit anymore, and would have a more viable attack vector" inside, he says.
BlackBerry maker Research in Motion (RIM) says the potential problem is being overblown, but more on that in a bit. According to D'Aguanno, the underlying problem is many systems and network admins don't consider handhelds as computers that connect to the network. "The application exploits the trust relationship between the handheld and BES to subvert IDSes and firewalls," he says.
D'Aguanno demonstrated two versions of a BlackBerry-born attack at Defcon earlier this week, one of which he'll be releasing. The proof-of-concept code, called Bbproxy, runs on the BlackBerry and requires that the attacker interact with it, he says. "They have to have physical access to the BlackBerry to interact with this app and call out to a hacker-controlled machine," for instance.
The danger is that an employee could steal data from his company without leaving a trail. "An inside employee could siphon data without being recorded by traditional data logging and being picked up by perimeter defenses because it can create two separate connections," D'Aguanno explains.
D'Aguanno also showed a proof-of-concept Trojan attack via a BlackBerry, but he says he won't be releasing that code due to the attack implications of it. The Trojan would be downloaded to the user's BlackBerry.
Both attacks would allow an attacker access to the internal network. The best way to protect yourself? "Securely deploying the BlackBerry server and segregating it from rest of network so it's not open with unfettered access to Net," D'Aguanno says. If you don't set policies for third-party apps on the BlackBerry, you're setting yourself up for trouble, he says. "Most large enterprise networks are hard to penetrate from the outside, but on the inside, many security practices are lax."
Scott Totzke, director of the global security group at RIM, explains that since the BES doesn't allow users to download attachments, a Trojan could only infect a BlackBerry if the user downloaded it from a Website. It's up to an IT policy setting on BES whether a BlackBerry device can run third-party apps or whether an app can make an external connection from a BlackBerry, he notes. "In addition, the ability for the BlackBerry Mobile Data System to have access to systems on an internal network is also controlled by an IT policy setting in BlackBerry Enterprise Server, which would also have to be allowed by the administrator," he says.
Along with his proof-of-concept code release this week, D'Aguanno will also include source code to "patches" that work with the Metasploit tool to show how an attacker would exploit an internal machine.
"Companies need to start thinking of small, embedded devices as a threat," says Jon Ellch, an independent researcher. "Another good example of these are Internet-ready Webcams. Most of these things are actually full blown Linux boxes; they just don't have a keyboard and a mouse attached so no one thinks of it."
Ellch says it's a good thing D'Aguanno didn't show an exploit that runs code on the BlackBerry without user intervention. "That combined with Bbproxy would be a much wider threat," Ellch says.
"It's like a VPN tunnel," says Paul Henry, vice president of strategic accounts for Secure Computing. "Users tend to install BlackBerry servers too casually. A BlackBerry server should be on its own subnet and not open to connections, and internal users shouldn't have the ability to open arbitrary connections to BlackBerry or mail servers."
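The segregation advice from D'Aguanno and Henry above (BES on its own subnet, no unfettered access to the internal network, and no arbitrary internal connections to the BES) can be turned into a concrete check over connection records. The block below is an added example written for this page, not code from the article, from Praetorian or from RIM. It assumes a simple layout in which the BES may only reach the mail server on a short list of ports and an external relay on one outbound port, and only the mail server and an admin host may open connections to the BES; every address, port and flow line is a constructed sample value, not something taken from a real deployment.

```python
"""Audit connection records against a BES segment allowlist.

Added example (not from the article, Praetorian or RIM). Flows that originate at
the BES and reach an internal host outside the allowlist are flagged as a possible
pivot through the BES; internal hosts opening connections to the BES outside the
allowlist are flagged as well. All values below are constructed assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass

BES_HOST = ipaddress.ip_address("10.10.50.5")          # constructed: BES on its own subnet
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # constructed: corporate address space
MAIL_SERVER = ipaddress.ip_address("10.10.20.10")      # constructed: mail server
ADMIN_HOST = ipaddress.ip_address("10.10.40.2")        # constructed: admin workstation

# (destination, port) pairs the BES may initiate inside the network (assumed ports).
ALLOWED_INTERNAL_FROM_BES = {(MAIL_SERVER, 443), (MAIL_SERVER, 135)}
# Outbound ports the BES may use to reach the external relay (assumed value).
ALLOWED_OUTBOUND_PORTS = {3101}
# Hosts that may open connections to the BES.
ALLOWED_TO_BES = {MAIL_SERVER, ADMIN_HOST}

# Record format used by the constructed samples: "<ts> <src>:<sport> -> <dst>:<dport> <proto>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_flow(line):
    """Parse one record; return None for lines that do not match the format."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return Flow(m["ts"], ipaddress.ip_address(m["src"]), int(m["sport"]),
                ipaddress.ip_address(m["dst"]), int(m["dport"]), m["proto"])


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def check_flow(flow):
    """Return a reason string if the flow violates the segment policy, else None."""
    if flow.src == BES_HOST:
        if is_internal(flow.dst):
            if (flow.dst, flow.dport) in ALLOWED_INTERNAL_FROM_BES:
                return None
            return "BES opened a connection to an internal host outside the allowlist (possible pivot)"
        if flow.dport in ALLOWED_OUTBOUND_PORTS:
            return None
        return "BES opened an unexpected outbound connection"
    if flow.dst == BES_HOST and flow.src not in ALLOWED_TO_BES:
        return "internal host opened a connection to the BES outside the allowlist"
    return None


def audit(lines):
    """Return (ts, src, dst, dport, reason) for every flow that violates the policy."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue   # skip malformed records rather than fail the whole audit
        reason = check_flow(flow)
        if reason:
            findings.append((flow.ts, str(flow.src), str(flow.dst), flow.dport, reason))
    return findings


# Constructed sample records: two permitted BES flows, one BES-to-workstation flow,
# one workstation-to-BES flow, one permitted mail-server-to-BES flow, one bad line.
SAMPLE_FLOWS = [
    "2006-08-06T09:00:01 10.10.50.5:51000 -> 10.10.20.10:443 TCP",
    "2006-08-06T09:00:05 10.10.50.5:51001 -> 198.51.100.7:3101 TCP",
    "2006-08-06T09:01:10 10.10.50.5:51002 -> 10.10.30.22:445 TCP",
    "2006-08-06T09:02:00 10.10.30.22:40000 -> 10.10.50.5:3389 TCP",
    "2006-08-06T09:02:30 10.10.20.10:52000 -> 10.10.50.5:135 TCP",
    "garbled record that does not parse",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(*finding)
```

Run against the constructed records, the audit reports exactly the two flows that cross the segment boundary: the BES reaching a workstation on port 445, and a workstation reaching the BES on port 3389. The allowlist is deliberately a pair of small sets so it can be compared directly against the firewall rules that should enforce it.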
Richard Stiennon, founder of IT-Harvest, says the whole thing is no big deal. "It's too esoteric an attack," he says.
RIM's Totzke, meanwhile, says users could consciously download malware on any mobile device, including a PDA, laptop, and smartphone, and IT can set policies that prevent such exploits.
Kelly Jackson Higgins, Senior Editor, Dark Reading