BlackBerry has spyware risk too, researcher says
Veracode researcher demonstrates spyware that allows someone to steal a stranger's contact list, read text messages in real time, and track the location of the phone.
We've heard a lot about security issues with the iPhone, but the BlackBerry isn't immune to threats from malicious apps.
Tyler Shields, a senior researcher at the Veracode Research Lab, has written a piece of spyware that allowed me to shoot an SMS command to his phone and have his contact list forwarded to my e-mail address in a demonstration. With another short text command, I was able to get his BlackBerry to e-mail me any SMS messages he sends.
And if I had wanted--and he had allowed me--I could have seen a log of all his calls, monitored his inbound text messages, tracked his location in real-time based on the GPS (Global Positioning System) in his device and turned his microphone on to listen to conversations in the room and record them.
"It's trivial to write this type of code using the mobile provider's own API [application programming interface] they provide to any developer," Shields said in an interview in advance of his talk on the spyware scheduled for the ShmooCon security show on Sunday.
He calls his program "TXSBBSpy" and is releasing the source code but not an executable version of it. "My goal is to show how easy it is to create mobile spyware," he said.
TXSBBSpy "can take data from the phone, both in real-time and in snapshots, and send it off via SMS or e-mail to any Web server or TCP [Transmission Control Protocol] or UDP [User Diagram Protocol] network connections," Shields said.
While I was able to control the spyware using text messages sent from my mobile phone, the spyware had to be first installed on his BlackBerry for the snooping to work. This can be done by sending the target victim an e-mail or text with a link to a Web page where the spyware is surreptitiously installed. Or it can be hidden inside a legitimate-looking app downloaded from the App Store.
The risks are similar to those posed by Swiss researcher Nicolas Seriot in his iPhone spyware demo at the Black Hat DC security conference.
"These types of behaviors we're demonstrating will be universal across all mobile platforms," Shields said.
The BlackBerry platform has a "significant number" of security mechanisms in place that could be used to mitigate against these types of attacks, he said. For instance, the user can set the options to limit what access to specific types of data a particular app can have, he said.
However, many smartphone users either don't know about the security risks, don't think the risks are serious or don't know how to be more secure with their devices. A Trend Micro survey from last August found that only 23 percent of smartphone owners use the security software already installed on their device.
App stores also need to do more to vet the apps, Shields said--the same message Seriot had for Apple.
In the meantime BlackBerry users should be more cautious about what apps they download and what rights they give them. "Users should not hit the 'I trust this app' button," Shields said. "That will give it access to all your personal information."
Users should go into the app security configuration within the BlackBerry option screen and tell it specifically what information the app can access or set it to prompt if the app tries to access certain data, he said.
"The security models are inadequate because they trust by default," he added. "Sandboxing [techniques] only protect one app from another app; not from accessing user data. App stores give users a false sense of security."
Shields said he has contacted Research in Motion about the issues and the company's official comment was: "We won't make any comment on how the security of the App Center operates."
Shields has also created a video demonstration of his spyware.
A Research In Motion representative provided this comment: "Applications containing spyware cannot be installed on a BlackBerry smartphone without the user's explicit consent unless of course someone else gains physical possession of the user's device along with knowledge of any enabled password...the spyware app cannot simply install itself stealthily on to a user's device. Further, a user can review and confirm the list of installed apps on their device by looking in the 'Options' area at any time."
Updated 9:11 a.m. PST February 8 with RIM comment.