The Latest BlackBerry Spyware Scare: Don't Worry, Yet
Boo! New BlackBerry spyware can supposedly steal all your e-mail, listen in on voicemail messages and even wipe your smartphone clean. But CIO.com's BlackBerry guru Al Sacco isn't too worried. Here's why.
Mon, February 08, 2010
CIO — UPDATE: Since this story was originally posted, it has been updated to include additional information from Veracode Research's Tyler Shields.
Here we go again. Another BlackBerry security scare, in which some "noble" researcher explains to all of us blissfully-unaware BlackBerry users that our precious devices aren't nearly as safe as we think they are.
Lions, tigers, mobile spyware. Oh my.
This time it's security-software-maker Veracode decrying the BlackBerry's weaknesses. More specifically, Tyler Shields, a senior researcher with Veracode Research Lab, has put together and publicly released some proof-of-concept spyware code, dubbed TSXBBSpy, that can reportedly wipe a BlackBerry clean, distribute on-board data via e-mail and monitor voice-mail messages in real-time.
Why would Shields release the source code for such an app? Well, to show the world "how easy it is to write" of course.
Sounds frightening, right? Well, yes and no. First of all, such malicious software really isn't new. We've seen similar "spyware" emerge over the past couple of years with the growing popularity of the BlackBerry platform among RIM's traditional enterprise customer-base and in the massive consumer ranks.
The most recent example that comes to mind is PhoneSnoop, which could "turn your BlackBerry into a remote listening device." This app could indeed record your phone calls and send them to a third-party, but you not only had to install the suspicious app, but also grant it permission to your phone activity. As my friend, colleague and security-pro Ariel Silverstone put it in his blog post on the subject:
"It took over ten years for such a 'hack' as the listening software to be available. And it is not even a hack. It is no more a hack than a user being asked, in bold letters, to perform five steps to install spyware software on their pc...If someone does all of [this] they should be reminded how to buckle their belts on every airliner they board, and they indeed do not deserve a berry."
Ariel's point: Sure, software exists that can "hack" into your BlackBerry and potentially perform all sort of nefarious deeds. But the security safeguards built into RIM's BlackBerry OS make it extremely difficult for miscreants to do so without the approval, and often assistance, of the BlackBerry user.
Like much online malware, the BlackBerry spyware apps rely on human error, and protecting yourself and your users calls for education: education about the potential threats, and how you should never install questionable apps or software from suspicious sources; education on how the BlackBerry OS and its associated security-protections work, i.e., when to grant changes to permissions and when to be cautious; and education about how to get the most from your BlackBerry smartphone in general without subjecting yourself and your organizations to undue risk, a.k.a., always use a password and don't let your device out of your sight where someone could install spyware without your knowledge.