
Researcher demos BlackBerry hack

But RIM says the threat is overblown and offers solutions.
Written by ZDNET Editors, Contributor
Every government employee's indispensable toy is his or her BlackBerry. But last week, at Defcon, consultant Jesse D'Aguanno showed off a program he wrote for hacking into Research in Motion's internal network via the encrypted connection between a BlackBerry handheld and the BlackBerry Enterprise Server, Computer Reseller News reports.
Security vendor Secure Computing on Tuesday warned companies that their BES deployments on internal networks could be vulnerable to a BBProxy attack. After manually installing BBProxy or getting a user to install it via an e-mail attachment, a hacker could piggyback the encrypted connection between the handheld and the BES and gain access to the internal network, according to San Jose, Calif.-based Secure.

RIM, however, says the threat is overblown and misleading. The malware can't be spread by e-mail without the user approving the download of the program. Scott Totzke, director of the global security group at RIM, said:

"Our attachment service doesn't work that way. You can send and view e-mail, but the BES system is designed to require users to manually download the application from a Web site. [BBProxy] isn't a hacking tool. It's an application that runs on the BlackBerry and potentially does something malicious," Totzke added. On its Web site, RIM's documents describe how companies can protect themselves from apps like BBProxy.
Dan King, president of New West Technologies, a Portland, Ore.-based solution provider, said he thinks it's interesting that security researchers are announcing hacks before releasing them, which he said helps educate companies about the risks they take by not locking down their networks.

"Hopefully, companies will take the appropriate steps to make sure their data is not intruded on so that they are not enabling the proliferation of viruses and hacks by leaving their compromised systems open and on the Internet," King said.
