The Latest BlackBerry Spyware Scare: Don’t Worry, Yet

UPDATE: Since this story was originally posted, it has been updated to include additional information from Veracode Research’s Tyler Shields.

Here we go again. Another BlackBerry security scare, in which some “noble” researcher explains to all of us blissfully-unaware BlackBerry users that our precious devices aren’t nearly as safe as we think they are.

Lions, tigers, mobile spyware. Oh my.

This time it’s security-software-maker Veracode decrying the BlackBerry’s weaknesses. More specifically, Tyler Shields, a senior researcher with Veracode Research Lab, has put together and publicly released some proof-of-concept spyware code, dubbed TSXBBSpy, that can reportedly wipe a BlackBerry clean, distribute on-board data via e-mail and monitor voice-mail messages in real-time.

Why would Shields release the source code for such an app? Well, to show the world “how easy it is to write” of course.

Sounds frightening, right? Well, yes and no. First of all, such malicious software really isn’t new. We’ve seen similar “spyware” emerge over the past couple of years with the growing popularity of the BlackBerry platform among RIM’s traditional enterprise customer-base and in the massive consumer ranks.

The most recent example that comes to mind is PhoneSnoop, which could “turn your BlackBerry into a remote listening device.” This app could indeed record your phone calls and send them to a third-party, but you not only had to install the suspicious app, but also grant it permission to your phone activity. As my friend, colleague and security-pro Ariel Silverstone put it in his blog post on the subject:

“It took over ten years for such a ‘hack’ as the listening software to be available. And it is not even a hack. It is no more a hack than a user being asked, in bold letters, to perform five steps to install spyware software on their pc…If someone does all of [this] they should be reminded how to buckle their belts on every airliner they board, and they indeed do not deserve a berry.”

Ariel’s point: Sure, software exists that can “hack” into your BlackBerry and potentially perform all sort of nefarious deeds. But the security safeguards built into RIM’s BlackBerry OS make it extremely difficult for miscreants to do so without the approval, and often assistance, of the BlackBerry user.

Like much online malware, the BlackBerry spyware apps rely on human error, and protecting yourself and your users calls for education: education about the potential threats, and how you should never install questionable apps or software from suspicious sources; education on how the BlackBerry OS and its associated security-protections work, i.e., when to grant changes to permissions and when to be cautious; and education about how to get the most from your BlackBerry smartphone in general without subjecting yourself and your organizations to undue risk, a.k.a., always use a password and don’t let your device out of your sight where someone could install spyware without your knowledge.

So while such BlackBerry spyware surely sounds scary, it’s still not really a major threat. No one has bundled any suspect code into reputable apps and/or nobody has figured out a way to effectively trick piles and piles of BlackBerry users into installing the sketchy code in other ways&yet.

I don’t mean to downplay the potential security threat to RIM’s BlackBerry OS; the threat exists, and it’s likely only a matter of time before the previously described fears and resulting paranoia become founded.

But until a “black hat” hacker, or a hacker with truly bad-intentions, shows us that the Bad Guys have finally deemed the BlackBerry a worthy target, I wouldn’t worry much about Mr. Shields’ BlackBerry spyware.

Shields claims his purpose in releasing this new BlackBerry spyware was to inspire a “call to action to encourage development of BlackBerry applications to make it clear what these apps do before releasing them,” according to NetworkWorld. However, this makes little sense to me, since hackers or other villains would presumably want to hide the true purposes of their malware or they’d sneak some suspect code into someone else’ app. And they’d presumably do whatever they could to hide the harmful code.

(UPDATE: I just received the following statement from a representative of Mr. Shields: “Tyler was misquotes, [sic] his call to action is to make folks aware that the security model of the mobile platforms are inadequate defenses with app stores making the problem worse by giving customers a sense of security even though they do not screen for issues.”

I wouldn’t exactly call RIM’s BlackBerry Enterprise Server “inadequate,” from a security perspective–it’s accredited for its strong security by some of the world’s foremost security institutions. But I’m hopefully speaking with Shields tomorrow for some more clarification. Check my CIO.com author page for updates.)

I think Shields is just stirring up the pot, in an attempt to ready CIOs and smartphone admins to pull out those corporate checkbooks for more BlackBerry security software. That’s just lil’ old me, and my conspiracy theories. But additional security awareness certainly doesn’t hurt.

Organizations worried about such threats can already purchase or license BlackBerry-device-auditing software from companies like Zenprise, so they can see which apps are running on users’ device, as well as eliminate any unidentified or potentially-troublesome apps.

To sum that up, yes, BlackBerry spyware is real. But as long as you’re vigilant about the activities you perform with your BlackBerry device–don’t just download any and all apps you come across, take some responsibility, do your research, and so on–the current crop of known BlackBerry spyware shouldn’t pose much of threat to you, your BlackBerry or your organization’s infrastructure.

So enjoy it while it lasts. Shields is right about one thing, I think: The future won’t likely be nearly as kind to the BlackBerry OS, its users or admins.

AS

FREE CIO BlackBerry Newsletter