Blackberry Security
First Published: SC Magazine

One of the most interesting things about providing penetration testing services relates to the technologies that you come up against and how they gradually change over time. Each new technology requires a new set of knowledge to be absorbed by a consultant and can often provide stimulating security research potential.

With this in mind, over the last few months there has been a sizable increase in the number of clients that I work with that have chosen to integrate secure mobile communication solutions such as BlackBerry into their critical messaging infrastructure. Consequently my colleagues and I have been ramping up our skills with BlackBerry and carrying out sophisticated vulnerability assessments of some infrastructure deployments – usually followed with dedicated penetration testing of the mobile applications themselves.

As is expected with any newly deployed messaging technology, the security flaws we are finding in these engagements range from departures from best practice through to show-stoppers such as potential external compromise of all internal messaging services. Sadly, nothing unusual there.

What is interesting, though, is how these organisations have ignored their own internal security procedures and failed to follow guidelines for deploying a critical infrastructure component which is capable of bridging their perimeter defence solutions. For instance, they deploy messaging hosts that have not been hardened, that have default administrator accounts with easily guessable passwords, that include the installation of default or sample files, or that even lack appropriate network segregation devices between the mobile messaging platform and the corporate LAN.

Perhaps these failures can be attributed to a perception by IT departments that a deployment of BlackBerry is really just an executive toy or is part of an evaluation programme – not worthy of serious security consideration. Or it may be that business managers have already decided that the ability to securely send and receive email or access Intranet resources on the move outweighs any probable security implications. Or worse yet, perhaps everyone has accepted the product marketing department’s promise of an “end-to-end security model” without verifying it for themselves?

Needless to say, the vulnerabilities we are discovering during these assessments tend to have high-risk consequences for business continuity. Fortunately, the most serious flaws are trivial to remediate and can be fixed within a very short period.

In the next few months, as more security research teams turn their attention to BlackBerry – or any other popularly deployed new mobile technology – new vulnerabilities and ingenious methods to exploit them are guaranteed to appear. To labour under the false impression that there are no vulnerabilities in a technology just because none have been publicly disclosed to date is dangerous. Indeed, security departments of organisations who have deployed these technologies should keep a close eye on the popular vulnerability alerting services for the next wave of exploits and (hopefully) timely vendor patches.

Certainly, the vulnerabilities uncovered thus far during penetration tests of default deployments of the mobile technology mean that organisations who have already deployed it – or are thinking of deploying it (or similar mobile messaging solutions) – really should call in a professional security team with prior knowledge of the technology before going “live”. Where possible, organisations should try to make use of any knowledge transfer opportunities to build up internal security expertise.

While I appreciate the business justifications for the technology, and the steps that BlackBerry and the other mobile messaging solutions have taken to address current security concerns, the continued blurring of the network perimeter and the increasing volume of confidential data accessible remotely mean that organisations need to be even more vigilant in the technologies they select.

It is equally important that organisations update their computer and data usage policies to cover mobile messaging devices and ensure that all users fully understand the security significance of the devices they use and their limitations.

Top Tips for Mobile Messaging services:

  1. Despite what the product’s marketing material may say, adding mobile messaging functionality to your corporate environment will have significant security implications.
  2. It doesn’t matter if it is a trial deployment or the real thing – follow standard security procedures and harden the environment before use.
  3. Update internal policies and procedures to cover the mobile messaging platforms and educate users in their secure usage.
  4. Be vigilant – this is a popular security research area with new vulnerabilities and attack vectors being discovered continuously. Ensure that security personnel are up to date with the research and capable of responding rapidly.

Copyright 2001-2007 © Gunter Ollmann