The malicious software could be used to get into company networks, but RIM says it's not a major threat.
At the Defcon hacker confab on Saturday, researcher Jesse D'Aguanno said he developed a program called BBProxy that, when running on a BlackBerry, gives an attacker entry to the network the wireless device connects to. The program exploits the link between the handheld and the e-mail server, and it could be used to place additional malicious code onto a network.
"A malicious person could potentially use this back channel to move around inside of an organization unabated and remove confidential information undetected, or use the back channel to install malware on the network," Secure Computing, a provider of security services, said in a media alert Tuesday.
The BlackBerry service allows companies to give their employees access to e-mail while they are on the road. A typical installation includes server software that is installed on a corporate network as well as the handhelds used to send and receive messages.
For an attack to be successful, a BlackBerry user has to be tricked into running the malicious application. At Defcon, D'Aguanno suggested that his program could be delivered to users wrapped in a game of "Tic Tac Toe." "First and only BlackBerry Trojan (horse) that I know of," D'Aguanno wrote in his presentation.
It could be the first malicious program aimed at the BlackBerry, Scott Totzke, director of the global security group at RIM, agreed in an interview Tuesday. However, the Waterloo, Ontario-based company doesn't see a major threat to its customers, he said.
"There are a number of hoops that you have to go through to make this thing possible," Totzke said. For one, it is impossible to e-mail an application to the device; people have to download it, he said.
"When you step back and look at it, BlackBerry is a computing platform and able to run applications similar to a laptop and a VPN connection," he said.
The BlackBerry can run applications, including malicious ones, Totzke noted. To avoid that, the device offers several settings that allow companies to protect their systems. These include blocking the ability to run programs. Also, RIM suggests that companies put their BlackBerry servers and e-mail servers in discrete sections of the network to limit the connection between the two.
In anticipation of D'Aguanno's presentation, RIM published two documents on its security Web site that provide instructions on secure installation of a BlackBerry system and on protection against malicious software.
D'Aguanno plans to publicly release BBProxy in the coming weeks. RIM isn't worried. "I don't see releasing code as much of a threat," Totzke said. "It is an example of an application running on a BlackBerry that is designed to connect to network resources."