Blackjacking

Executive Overview

Companies are realizing the need for the latest enterprise hardware and software to run their business, particularly when extending the office environment to mobile employees. Given the amount of confidential information this mobile environment holds, and the impact on the organization if that information falls into the hands of a competitor, companies put security at the top of their list when evaluating such wireless solutions. This white paper sheds some light on the various threats to BlackBerry devices and offers some solutions and recommendations to counter them.

When someone thinks about a mobile solution, the first thought is usually BlackBerry. The reasons are that it already holds the majority of the existing market share, it is supported by most mobile service providers, and it offers rich functionality. With BlackBerrys there is an inherent feeling of security: vulnerabilities in laptops are discussed on a regular basis, but there have not been any cover stories about BlackBerry hacks or vulnerabilities in the press.

Introduction

BlackBerry’s inherent sense of security does not mean the devices are tightly secure. It is fair to say that they do not have the same number of public vulnerabilities that laptop computers have. But if you think of a BlackBerry as a computer (which it is), vulnerabilities will be exploited at some point in the near future. There will be millions of people out there trying to write exploits to take advantage of the confidential data held on BlackBerry devices.

Common threats to BlackBerrys include:

• Malware
• Direct Attacks
• Intercepting BlackBerry communication
• Spoofing and intercepting authentication
• Physically compromising the BlackBerry

Threats to BlackBerry

One of the most common ways to compromise the security of a computer system is a malware attack. Malware, or malicious software, is software designed to damage a computer system without the owner’s consent. BlackBerrys are also computers: they run an operating system and are prone to malware attacks. We will go through a scenario to understand the threats to a BlackBerry device. Company A showcases itself as a tech-savvy company. It invests huge amounts of capital in the latest corporate hardware and software. Most of its employees travel on a regular basis, so the CIO realized the need to implement an advanced mobile communications solution to ensure that mobile employees can securely access their email, make phone calls, and surf the Internet at any time from any location. After some research they decided to implement an enterprise BlackBerry solution.

Based on the security reputation of BlackBerry devices, the CISO of Company A felt very comfortable with the solution. The solution was ordered and implemented at very short notice, and the employees were very happy with the new mobile solution. Company A had been in direct competition with Company B for projects for quite some time. Both companies were bidding on a big project that would decide the future of both companies, and it would be a significant advantage to whichever company secured it. The decision date was very near, so most of Company A’s executives were traveling to the prospect’s offices and between Company A’s offices in an effort to secure the project. By utilizing their new BlackBerry solution they had an advantage over Company B, with the latest updates instantly available through the new solution. The BlackBerrys became their sole device for out-of-office communication. While conversing with a key decision-maker at the prospective client’s company, the CEO of Company A stayed in contact with his company via his BlackBerry. He opened numerous emails from numerous sources, which included Word documents, Excel spreadsheets, and even some faxes sent via email. The key decision-maker commented that this was crunch time and that his team would be making a decision imminently.

Sometime around 2 o’clock the CEO of Company A received a phone call from his CIO. There seemed to be a problem with the BlackBerry service: the Attachment Service was coming up and going down, so employees were having problems sending and receiving attachments. The employees at Company A needed to continuously share important pricing and contractual documents with the personnel at the company offering the project. This technical problem resulted in Company A losing the project.

Analyzing an Attack

The technical problem that cost Company A the project was a malware-initiated denial-of-service (DoS) attack. The attack disrupted communication within Company A by flooding the BlackBerry Enterprise Server and choking it, and it was spearheaded illegally by Company B. While Company A’s employees were unable to share information during crunch time, the competition had an advantage in securing the project. This was done by taking advantage of various vulnerabilities, some social and some technical. It started with a social vulnerability, which was easy to exploit because it required no technical expertise. At a job fair about a month earlier, Company A’s employees had been telling people how their company was so much better than the competition, even stating that their marketing guy’s new BlackBerry blew away the competition’s laptops. This gave Company B a heads-up about what technology Company A was using.

Once Company B knew that Company A used BlackBerry, the next, technical step was to implement the DoS attack. The CEO of Company B hired a hacker to launch an attack on Company A. By ‘Googling’, the hacker found a DoS vulnerability for BlackBerry. If he could trigger it, it would disrupt Company A’s communications, leaving Company A unable to communicate with the prospect’s office, and that could be enough for Company B to win the contract. To run the DoS attack, the hacker followed the steps that are common to hackers implementing such attacks:

• Gather information
• Set up for the attack (including a way to cover tracks)
• Launch the attack

Collating Information

Collating information was the easiest part, because in most cases the information required at this step is an email address and a phone number, which are generally published on the company website. If the information is not published on the website, the hacker can simply call the company, ask for the head of projects, marketing, etc., and obtain those details.

Apart from this, there are other social engineering threats, where colleagues, friends or any acquaintance may pass on personal details such as your mobile number and email address. As there are many sources of information, the hacker may try one or all of these options to obtain and collate the information needed to set up the attack.

Setting Up for the Attack and Covering Tracks

Setting up the attack is easy, but covering his tracks needs some planning. The hacker could send a simple email with the infected .TIFF file, but he could then be easily traced and held responsible using the IP addresses in the email headers. Every email carries, in its headers, the IP address from which it was sent and the route it followed. So by carefully analyzing the email headers, the origin of the email can be found and traced back. To cover his tracks, the hacker would create a temporary email account with a free email service provider such as Yahoo or Gmail. He also needs to find a way to hide his real IP address.

There are two ways to hide the original IP Address:

• Sending the email from an Internet café or public Wi-Fi hotspot
• Using an anonymizer to hide the real IP address
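The header analysis referred to above, from the responder’s side, as an added example that is not part of the original paper: it walks the Received headers of a constructed sample message (RFC 5737 documentation addresses, hypothetical host names) to recover the delivery path and the first-hop IP, which is exactly the clue the café or anonymizer in the scenario is meant to obscure.

```python
import email
import re

# Constructed sample headers for illustration (RFC 5737 documentation addresses).
# Each relay prepends its own Received line, so the top line is the final hop and
# the bottom line is the hop nearest the sender.
SAMPLE_MESSAGE = b"""\
Received: from mx.example.com (mx.example.com [198.51.100.10])
\tby mail.example.com with ESMTP; Mon, 1 Jan 2007 13:55:02 +0000
Received: from web.mail.example.net (web.mail.example.net [203.0.113.5])
\tby mx.example.com with ESMTP; Mon, 1 Jan 2007 13:54:58 +0000
Received: from userpc (unknown [192.0.2.77])
\tby web.mail.example.net with HTTP; Mon, 1 Jan 2007 13:54:50 +0000
From: fax-gateway@example.net
To: ceo@example.com
Subject: Fax received

Your fax is attached.
"""

FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw_message: bytes) -> list:
    """Delivery path as (claimed sending host, bracketed IP) tuples, first hop first."""
    msg = email.message_from_bytes(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())  # unfold the header onto one line
        host = FROM_RE.match(text)
        ip = IP_RE.search(text)
        hops.append((host.group(1) if host else None, ip.group(1) if ip else None))
    hops.reverse()  # headers are prepended on the way in, so the last one is the first hop
    return hops


def origin_ip(raw_message: bytes):
    """IP recorded for the first hop. Only the Received lines written by relays you
    trust are reliable; anything below them could have been forged by the sender."""
    chain = received_chain(raw_message)
    return chain[0][1] if chain else None


if __name__ == "__main__":
    for host, ip in received_chain(SAMPLE_MESSAGE):
        print(f"{host:<24} {ip}")
    print("first hop:", origin_ip(SAMPLE_MESSAGE))
```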

Launching the Attack

The hacker composes an email, attaches the infected .TIFF file and sends it to the email addresses he found in the information-collating phase. Once the email reaches the user’s BlackBerry device, the user only needs to open the infected .TIFF attachment to trigger the DoS attack. Since the user regularly receives faxes sent via email in .TIFF format, he would open the attachment without suspicion and respond to it immediately.

The process flows as follows. The infected .TIFF file is sent as an attachment by the hacker from an anonymized IP address. The email with the infected .TIFF attachment reaches the user’s BlackBerry device. When the user tries to open the attachment, it crashes the Attachment Service on the BlackBerry Enterprise Server. The Internet is the medium used both by Company A to reach its BlackBerry Enterprise Server and by Company B’s hacker to launch the attack. With the Attachment Service down, nobody in the company can send or receive any attachments. Because urgent communications with legitimate attachments need to be sent and received to help win the big project, this gives Company B an edge over Company A in securing it.

Protecting against Attack

Company A should have taken some precautions to avoid such an attack. Further, there are several steps Company A needs to take to prevent future malware attacks. This section describes ways to prevent this specific attack, as well as ways to prevent future BlackBerry-related malware attacks.

BlackBerry describes the problem as follows:

• A corrupt .TIFF file sent to a user may stop a user’s ability to view attachments.
• There is no impact on any other services (for example, sending and receiving messages, making phone calls, browsing the Internet, and running BlackBerry wireless device applications to access a corporate network).
• The BlackBerry Attachment Service automatically restarts either immediately or within a specified time period (the default is 25 minutes). The administrator can restart the Attachment Service at any time.

You may notice the portion about the automatic, default restart of the Attachment Service after 25 minutes. In our example, the default restart is why mobile users were able to view attachments intermittently: the service would restart itself, and then a different user would attempt to view the malformed .tif, only to inadvertently crash the Attachment Service again.

To protect BlackBerry Enterprise Servers from this exploit, BlackBerry offers Service Pack hotfixes. In addition, there is a workaround: administrators can disable the processing of .tif files or disable attachments altogether. Depending upon the enterprise in question, this may not, in and of itself, be disruptive. In any case, it makes sense for a company under this attack to filter out .tif files while it plans to apply the aforementioned upgrades.

To exclude TIFF images from being processed by the Attachment Service as part of the workaround, do the following:

1. On the desktop, click Start > Programs > BlackBerry Enterprise Server > BlackBerry ESC.
2. Click the Attachment Server tab.
3. In the Format Extensions field, delete the .tiff and .tif extensions.
4. Click Apply then click OK.
5. In Microsoft Windows Administrative Tools, double-click Services.
6. Right-click BlackBerry Attachment Service then click Stop.
7. Right-click BlackBerry Attachment Service then click Start.
8. Close the Services window.

Even though the .tiff and .tif extensions have been removed from the list of supported file types, the Attachment Service may automatically detect a TIFF file with a renamed extension and attempt to process the file. Administrators may need to disable the image attachment distiller.

To disable the image attachment distiller, follow these steps:

1. On the desktop, click Start > Programs > BlackBerry Enterprise Server > BlackBerry ESC.
2. On the Attachment Server tab, select Attachment Server from the Configuration Option.
3. In the Distiller Settings window, clear the Enabled check box for Image Attachments.
4. Click Apply then click OK.
5. In Administrative Tools, double-click Services.
6. Right-click BlackBerry Attachment Service then click Stop.
7. Right-click BlackBerry Attachment Service then click Start.
8. Close the Services window.
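The caveat above, that an extension list misses a TIFF whose name has been changed, is the reason the second procedure disables the image distiller. As an added example (not from the paper or from BlackBerry), the following mail-gateway check identifies TIFF attachments by their header bytes rather than their file name, using a constructed sample message with a TIFF renamed to .jpg; the message, addresses and file names are all assumed.

```python
import email
from email import policy
from email.message import EmailMessage

# A TIFF file begins with a byte-order mark followed by the magic number 42:
# "II" + 0x2A 0x00 for little-endian files, "MM" + 0x00 0x2A for big-endian.
TIFF_MAGIC = (b"II\x2a\x00", b"MM\x00\x2a")
BLOCKED_EXTENSIONS = (".tif", ".tiff")


def is_tiff(data: bytes) -> bool:
    """True when the bytes carry a TIFF header, whatever the file name says."""
    return data[:4] in TIFF_MAGIC


def extension_blocked(filename: str) -> bool:
    """The name-based check that the Format Extensions workaround relies on."""
    return filename.lower().endswith(BLOCKED_EXTENSIONS)


def find_tiff_attachments(raw_message: bytes) -> list:
    """Names of attachments whose content is TIFF, regardless of extension."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if is_tiff(payload):
            hits.append(part.get_filename() or "<unnamed>")
    return hits


def build_sample_message() -> bytes:
    """Constructed sample: a TIFF renamed to .jpg plus a harmless text note."""
    msg = EmailMessage()
    msg["From"] = "fax-gateway@example.com"
    msg["To"] = "ceo@example.com"
    msg["Subject"] = "Fax received"
    msg.set_content("Your fax is attached.")
    # Little-endian TIFF header with an IFD offset of 8, then padding. Constructed;
    # not a real image and not the malformed file the paper refers to.
    fake_tiff = b"II\x2a\x00\x08\x00\x00\x00" + b"\x00" * 16
    msg.add_attachment(fake_tiff, maintype="image", subtype="jpeg", filename="fax.jpg")
    msg.add_attachment("Pricing terms attached.", subtype="plain", filename="terms.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name in find_tiff_attachments(build_sample_message()):
        verdict = "caught" if extension_blocked(name) else "MISSED"
        print(f"{name}: TIFF content, {verdict} by the extension list")
```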

New Vulnerabilities

BlackBerry technology is evolving rapidly to match the business needs of today’s world. This also means that new vulnerabilities are emerging along with the latest features. To counter these new vulnerabilities, administrators should be aware of the latest tools and techniques. There are quite a few good web sites and email subscription services that can alert administrators to new vulnerabilities, not only in their BlackBerry devices but in just about any computer technology. To protect enterprise BlackBerrys, it is important to know about these sites and services and to take advantage of their knowledge.

Securing through Antivirus Software

In addition to taking the previously mentioned measures, it is important to be knowledgeable about antivirus solutions for BlackBerrys, just as it is for laptops, desktops, and other computer systems.