Is the BlackBerry Attack Toolkit a real threat or overblown?

Globe and Mail Update

A small shock wave went through the community of BlackBerry users recently when a security consultant, presenting at the notorious Def Con hacker convention in Las Vegas last month, revealed a method of using the popular wireless technology to circumvent a network's defences and attack its core computers.

Read Simon Avery's BlackBerry security story from Thursday's Globe

Jesse D'Aguanno, director of research at Praetorian Global, a Placerville, Calif.-based consultancy that specializes in information technology risk management, created an attack program called BBProxy, which he said could penetrate computers behind a corporate firewall once it is installed on a BlackBerry device.

And then he released his source code — BlackBerry Attack Toolkit — to the public.

Research In Motion, maker of the uberpopular handheld, while conceding hackers might try to use malware to access a network via a BlackBerry and steal data or create a denial of service attack to make a network unusable, said the threat demonstrated by Mr. D'Aguanno can be prevented by using the correct settings built into its BlackBerry Enterprise Server.

Technology reporter Simon Avery was on-line earlier today to discuss BlackBerry security and the potential threat to users and networks.

Simon can also take your question on the new Pearl.

Simon Avery is a Globe technology reporter and has covered Research In Motion since June 2004. Previously, he was a staff reporter for The Associated Press in Los Angeles and for The Wall Street Journal in San Francisco. He covered the boom and bust in Silicon Valley for the Financial Post between 1998 and 2001. Mr. Avery holds a Master's degree in journalism from Columbia University and a Bachelor of Arts in English and political science from the University of Western Ontario.

Editor's Note: globeandmail.com editors will read and allow or reject each question/comment. Comments/questions may be edited for length or clarity. HTML is not allowed. We will not publish questions/comments that include personal attacks on participants in these discussions, that make false or unsubstantiated allegations, that purport to quote people or reports where the purported quote or fact cannot be easily verified, or questions/comments that include vulgar language or libellous statements. Preference will be given to readers who submit questions/comments using their full name and home town, rather than a pseudonym.

Michael Snider, Technology Editor: Hello Simon, thanks for being with us today. And welcome readers. Simon, I got the impression from your piece that, like so much other tech, the BB attack toolkit is as beatable as patching your operating system or making sure your anti-virus program is up to date. I'm wondering, though, more about RIM's response to the news. What do you think about their relatively subdued reaction to the Def Con presentation (i.e., posting a couple pages on the web page) rather than blitzing the media with loud denials and hair-pulling?

Simon Avery: I think RIM's subdued response fits in with the company's general strategy on PR matters. They're pretty low key. It takes a lot to get these guys jumping up and down in public, and I think they'd rather let the technology speak for itself. I'm sure the documents they posted will be helpful for IT managers, but the company would have done better to make that information clearer even before Def Con.

Jason Bassett from Oakville writes: Not surprising that someone found a vulnerability. Anything with an OS and a way to connect to a network can be hacked. Would have been nice if the BES settings were linked on the article though.

Simon Avery: Yes, I would agree with you Jason that vulnerabilities themselves are not surprising. I think what makes the attack toolkit demonstration noteworthy is that it should wipe away any false sense of security BlackBerry users have. Security has to come down to best practices, and users need to make sure the system is operated with the right settings.

Matt from Scarborough writes: This D'Aguanno guy is a security consultant, right? So do you think this exploit he demonstrated — which has not been found "in the wild" as virus types like to say — is just an attempt to make people scared and drum up business for his consulting company, or is it something that people should really be concerned about? I know some virus experts have been criticized for doing the same thing — making too much of theoretical exploits in order to sell more anti-virus solutions.

Simon Avery: This is a good point. It's the same issue faced every time a security software firm such as Symantec or McAfee puts out a report on new threats. They can't help but be self-serving to the company's own business interests. But within the report, there's usually some awareness value. In the case of Mr. D'Aguanno, who specializes in IT risk management, he made his presentation at the conference and hasn't hyped his report to the public since. I think there's value in his demonstration because it makes BlackBerry users think twice about how they are using their devices.

Rasha from Toronto writes: How does the new line of BlackBerrys compare with what's already available? Are there any cool new features or are the modifications minimal?

Simon Avery: Thanks for the question, Rasha. The BlackBerry Pearl, which was one of the telecom world's worst kept secrets until the announcement today, is in fact a major step in a new direction for RIM. The company is pushing into the consumer market with this device. For the first time, RIM has a product with a camera, a music player, and expandable memory. And priced at $199 in the U.S., the Pearl is going head to head with Motorola's Q and Palm's Treo smart phones.

Rod Hudson from Canada writes: What are the prospects for an alliance with Apple Computers?

Simon Avery: Rod, you're asking the question we all want to know. I think the market loves the idea of these two mega-brands coming together to create an iPod smart phone, an AppleBerry. Some analysts predicted weeks ago a partnership was in the works and the rumours continue. But there are natural obstacles. Both companies are very strong believers in their own hardware, which would make compromise difficult for a blended device. Also, RIM is closely aligned with the phone companies, which spend millions to not only market but subsidize the sale of BlackBerrys. The telecoms would love to get a share of the lucrative music download business, but Apple has shown no willingness to share its iTunes franchise. Finally, let's not forget the personal factor: these two companies are run by men with super-sized egos. Any partnership would have to fit them in the same room.

Chad from Toronto writes: It seems to me that, despite this supposed hole, RIM has a good security track record when it comes to security. Are you aware of any specific instances of major corporate or government security breaches that were initiated via BlackBerries?

Simon Avery: Better than a good track record, Chad. An excellent record. There really haven't been any publicized accounts of security breaches, and RIM services some demanding customers that include the FBI, the White House and NATO. So I would stress again that the attack toolkit demo is a useful reminder to people that they have to be vigilant in how they set up and use their BlackBerrys if they want to keep them secure. But I wouldn't expect any of these reports to hurt RIM's business today.

Michael Snider, Technology Editor: Simon, thanks for joining us today to talk about your story. We'll see you again. Readers, thanks for your questions. Feel free to add your thoughts on the discussion or the topic by clicking on the "comment" link below.

If you would like to see a particular technology reporter/columnist invited on or a particular subject covered, let me know. You can email your suggestions to msnider@globeandmail.com

Simon Avery: Thanks for hosting this today, Michael.
