A small shock wave went through the community of BlackBerry users recently when a security consultant, presenting at the notorious Def Con hacker convention in Las Vegas last month, revealed a method of using the popular wireless technology to circumvent a network's defences and attack its core computers.
Jesse D'Aguanno, director of research at Praetorian Global, a Placerville, Calif.-based consultancy that specializes in information technology risk management, created an attack program called BBProxy, which he said could penetrate computers behind a corporate firewall once it is installed on a BlackBerry device.
And then he released his source code — BlackBerry Attack Toolkit — to the public.
Research In Motion, maker of the uberpopular handheld, conceded that hackers might try to use malware to access a network via a BlackBerry and steal data, or launch a denial-of-service attack to make a network unusable, but said the threat demonstrated by Mr. D'Aguanno can be prevented by using the correct settings built into its BlackBerry Enterprise Server.
Technology reporter Simon Avery was on-line earlier today to discuss BlackBerry security and the potential threat to user and network.
Simon can also take your question on the new Pearl.
Simon Avery is a Globe technology reporter and has covered Research In Motion since June 2004. Previously, he was a staff reporter for The Associated Press in Los Angeles and for The Wall Street Journal in San Francisco. He covered the boom and bust in Silicon Valley for the Financial Post between 1998 and 2001. Mr. Avery holds a Master's degree in journalism from Columbia University and a Bachelor of Arts in English and political science from the University of Western Ontario.
Michael Snider, Technology Editor: Hello Simon, thanks for being with us today. And welcome readers. Simon, I got the impression from your piece that, like so much other tech, the BB attack toolkit is as beatable as patching your operating system or making sure your anti-virus program is up to date. I'm wondering, though, more about RIM's response to the news. What do you think about their relatively subdued reaction to the Def Con presentation (i.e., posting a couple pages on the web page) rather than blitzing the media with loud denials and hair-pulling?
Simon Avery: I think RIM's subdued response fits in with the company's general strategy on PR matters. They're pretty low key. It takes a lot to get these guys jumping up and down in public, and I think they'd rather let the technology speak for itself. I'm sure the documents they posted will be helpful for IT managers, but the company would have done better to make that information clearer even before Def Con.
Jason Bassett from Oakville writes: Not surprising that someone found a vulnerability. Anything with an OS and a way to connect to a network can be hacked. Would have been nice if the BES settings were linked on the article though.
Simon Avery: Yes, I would agree with you Jason that vulnerabilities themselves are not surprising. I think what makes the attack toolkit demonstration noteworthy is that it should wipe away any false sense of security BlackBerry users have. Security has to come down to best practices, and users need to make sure the system is operated with the right settings.
Matt from Scarborough writes: This D'Aguanno guy is a security consultant, right? So do you think this exploit he demonstrated — which has not been found "in the wild" as virus types like to say — is just an attempt to make people scared and drum up business for his consulting company, or is it something that people should really be concerned about? I know some virus experts have been criticized for doing the same thing — making too much of theoretical exploits in order to sell more anti-virus solutions.
