© 2007 Aon Consulting
Blackberry Security
Session G5 – George G. McBride
Tuesday 20 March 2007, 3:30 PM to 5:00 PM

Introduction
- Security at the device
- Security at the server
- Security in transit
- Precautions and controls
- Assessing and Auditing Security
- Conclusion and Wrap-Up

And Because:
- Around 3 million shipped in 2006
- More than 7 million subscribers today
- It weighs 4.6 ounces
- Hundreds are lost daily in the US
- We often synchronize our e-mails, contacts, calendars, and tasks list
- Access to applications puts more data on the devices

Typical Blackberry Infrastructure
[Diagram: Corporate Intranet (BES, BES) – Service Provider Network – Blackberry Network (srp.na.blackberry.net or srp.xx.blackberry.net)]

Blackberry Infrastructure Components
[Diagram excerpted from: Blackberry Enterprise Server for Microsoft Exchange Version 4.0, Feature and Technical Overview, © 2004 Research In Motion Limited]

Blackberry Infrastructure Components
- Blackberry Router
  – Connects the BB Infrastructure to users’ computers with Desktop Manager
- Messaging Server
  – Your MS Exchange or Lotus Notes server
- Blackberry Dispatcher
  – Encrypts / decrypts and compresses / decompresses messages to and from the devices and the BB infrastructure

Blackberry Infrastructure Components
- Attachment Service
  – Manages and optimizes attachments on the device
- Mobile Data Service
  – Conduit between the device and the Application and Content Servers
- Configuration Database
  – Maintains all configuration data for the BES components, BB users, and the devices

Blackberry Infrastructure Components
- Messaging Agent
  – Scans for or is notified of new messages and sends them to the Blackberry Dispatcher
- Synchronization Service
  – Memo, Notes, Address Book, and Tasks to be wirelessly synchronized through the dispatcher

Blackberry Infrastructure Components – Last One!
- Blackberry Controller
  – Monitors and manages the messaging agent and the dispatcher. Restarts and throttles as required and provides statistics
- Policy Service
  – Maintains and serves as an administrative interface to the various policies and provisioning functions

Typical E-Mail Flow - Sending
- Alice sends a message to Bob
- The Blackberry device compresses and encrypts the message
  – Designated BES server address information is part of the message header information
- Through the Blackberry Infrastructure, the message is delivered over SRP to Alice’s corporate BES server
- The BES receives the message
- The BES decompresses and decrypts the message
- The BES delivers the message to the user’s mailbox

Typical E-Mail Flow - Receiving
- Alice has sent a message to Bob
- Bob’s e-mail server receives the message and notifies the BES
  – Message may be retrieved via Desktop
- The BES retrieves the message
- The BES retrieves the user preferences
- The BES compresses and encrypts the message
- The BES places the message in the outgoing queue
- The message is delivered via SRP to the wireless network
- Bob’s Blackberry receives the message and decompresses and decrypts the message

“Pin” Messaging
- Encrypted with Triple DES
  – Every Blackberry uses the same peer to peer encryption key
- Can generate a corporate encryption key and distribute it to all corporate devices through a policy
- “Scrambled” – not encrypted
- Ideal for use during a catastrophic failure

Short Message Service (SMS)
- Remember the old days where a cool game we downloaded surreptitiously dialed Madagascar or Andorra?
- How about a program that does that for “Premium” SMS Messages?
  – If the application is signed, you’ll never know
  – If the application is not signed, you’ll only know about the first one

Device Security
- Focus on BlackBerry devices manufactured by Research In Motion
- Most of this presentation also applies to devices with “Blackberry Push” technology
- Some of the presentation applies to Smartphones and PDAs as well

Back-ups are good!
- Generated from the desktop software
- Can be automated
- Restore to alternate device
- Includes configuration information
- Includes data (not media card)
- Plaintext!

The Magic Screen
- Password can be 4-14 characters with minimal complexity checking
- 1 minute to 1 hour timeout
- Can automatically lock handheld when holstered
- Content Compression:
  – Not “Security”
  – Compresses data

Content Protection
- E-Mail, Calendar, MemoPad, Tasks, Contacts, Browser (cache, saved pages), and Auto-text (corrections) are protected
- Can be used by 3rd party developers
- Uses a combination of AES and ECC to encrypt the data
- Encryption keys not part of the BB back-up solution
- Back-ups are not afforded the same level of protection

SmartCard
- Something you have and something you know
- Uses AES over Bluetooth
- Can protect your Blackberry and your computer
- Power level adjustable
- Keys stored in RAM

Bluetooth Security
- Bluetooth is disabled by default
- Can be managed centrally by policy
  – Connections to other Bluetooth devices
  – Connections to Bluetooth handsfree devices
- Bluetooth Object Exchange (OBEX) disabled
- Watch “Discoverable Mode”
- Can utilize Desktop Manager over Bluetooth

Applications on your device
- Application signing is required for complete access to the Blackberry API
- According to RIM, the $100 required fee is used to verify your identity
- Allocated per development environment
- Hash (SHA-1) sent to RIM to obtain a signature which is appended to the application

Lost Your Blackberry?
- Set a Password and Lock Handheld
  – Creates a new password and immediately locks the handheld
  • You risk the loss of your contents if Content Protection is enabled
- Erase Data and Disable Handheld
- Secure Wipe Delay After IT Policy Received and Secure Wipe Delay After Lock
  – Time in hours after IT policy updates or IT Admin commands or after the device is locked
- Secure Wipe if Low Battery
  – Why?

Device Wiping
- Three ways to wipe the device:
  – By command at the BES or pre-defined policy from the BES
  – By default, after 10 unsuccessful password attempts
    • Can be changed by policy
    • You get 5 attempts, then have to type “blackberry” and then you get 5 more
  – User chooses to “Wipe Device”
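The password rules from the “Magic Screen” slide and the failed-attempt behaviour on this slide (5 denials, a typed “blackberry” confirmation, 5 more, then a wipe) fit together as one small state machine. The following is an added example written for this deck, not RIM’s firmware or any BES component: the class and method names are assumed, the password is kept as a salted PBKDF2 hash only so the model has something to compare against, and the phone-number rule comes from the user-education slide later in the deck.

```python
"""Constructed model of the handheld lock and wipe behaviour described on the
'Magic Screen' and 'Device Wiping' slides. Example code, not RIM's firmware:
the class and method names are assumed."""

import hashlib
import hmac
import os

MIN_PASSWORD_LEN = 4          # slide: 4-14 characters
MAX_PASSWORD_LEN = 14
MIN_TIMEOUT_MINUTES = 1       # slide: 1 minute to 1 hour timeout
MAX_TIMEOUT_MINUTES = 60
WIPE_AFTER_ATTEMPTS = 10      # slide: default, changeable by policy
CONFIRM_AFTER_ATTEMPTS = 5    # slide: type "blackberry" to get 5 more


def validate_password(password: str, phone_number: str = "") -> list:
    """Return the policy violations for a candidate password (empty list = OK).
    Length rule from the 'Magic Screen' slide; the phone-number rule is from
    the 'Recommended Controls - Users' slide."""
    problems = []
    if not MIN_PASSWORD_LEN <= len(password) <= MAX_PASSWORD_LEN:
        problems.append("length must be %d-%d characters"
                        % (MIN_PASSWORD_LEN, MAX_PASSWORD_LEN))
    digits_only = "".join(ch for ch in phone_number if ch.isdigit())
    if digits_only and password == digits_only:
        problems.append("password must not be the phone number")
    return problems


def validate_timeout(minutes: int) -> bool:
    """True when the inactivity lock timeout is inside the allowed range."""
    return MIN_TIMEOUT_MINUTES <= minutes <= MAX_TIMEOUT_MINUTES


class Handheld:
    """Failed-attempt state machine: 5 denials, a 'blackberry' confirmation,
    5 more denials, then a wipe."""

    def __init__(self, password: str, wipe_after: int = WIPE_AFTER_ATTEMPTS):
        self._salt = os.urandom(16)
        self._digest = self._hash(password)
        self.wipe_after = wipe_after
        self.failed = 0
        self.locked = True
        self.wiped = False
        self.awaiting_confirmation = False

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 50_000)

    def unlock(self, attempt: str) -> str:
        """Returns 'unlocked', 'denied', 'confirm' (must type 'blackberry') or 'wiped'."""
        if self.wiped:
            return "wiped"
        if self.awaiting_confirmation:
            return "confirm"                 # no attempts accepted until confirmed
        if hmac.compare_digest(self._hash(attempt), self._digest):
            self.failed = 0
            self.locked = False
            return "unlocked"
        self.failed += 1
        if self.failed >= self.wipe_after:
            self.wipe()
            return "wiped"
        if self.failed == CONFIRM_AFTER_ATTEMPTS:
            self.awaiting_confirmation = True
            return "confirm"
        return "denied"

    def confirm(self, typed: str) -> bool:
        """Clears the confirmation gate only when the user types 'blackberry'."""
        if self.awaiting_confirmation and typed == "blackberry":
            self.awaiting_confirmation = False
            return True
        return False

    def wipe(self) -> None:
        """Stand-in for the memory scrub: drops the credential and locks for good."""
        self._digest = b""
        self.wiped = True
        self.locked = True
```

The confirmation gate matters for the count: a correct password typed while the gate is up is not even checked, so the ten attempts the slide describes are really two runs of five with a deliberate pause in between.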

Wiping aka Memory Scrub
- Wireless disabled
- “Device Under Attack” flag is set – in case of power interruption!
- Flash memory (Persistent Store) is deleted
- RAM heap is overwritten in 8 passes, with each bit changing 4 times
- Flash memory file system is overwritten in 8 passes, with each bit changing at least twice
- Password is cleared
- Data space in RAM is cleared 4 times
- Handheld is restarted
- Compliant with DoD and NIST requirements
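The guarantees on this slide are stated per bit, not per pass: eight passes are only worth something if the patterns written actually toggle every bit the required number of times. The function below checks that property for a proposed sequence of overwrite patterns. It is an added example for this deck, not RIM’s scrub routine; the pattern sequences and the sample buffer are constructed here for illustration.

```python
"""Checks the per-bit guarantee from the 'Wiping aka Memory Scrub' slide:
every bit must change at least twice (flash file system) or four times
(RAM heap) across an 8-pass overwrite. Added example; the patterns below are
constructed for illustration and are not RIM's actual scrub patterns."""

PASSES = 8
FLASH_MIN_FLIPS = 2   # slide: flash file system, each bit changes at least twice
HEAP_MIN_FLIPS = 4    # slide: RAM heap, each bit changes 4 times

# Constructed pattern sequences (one byte value written per pass).
ALTERNATING = [0x00, 0xFF] * 4              # 00 FF 00 FF ...
CHECKERBOARD = [0x55, 0x55, 0xAA, 0xAA] * 2  # pairs of repeated patterns
ZERO_FILL = [0x00] * PASSES                  # a plain "clear" done 8 times


def min_bit_flips(initial: bytes, patterns: list) -> int:
    """Write each pattern over every byte in turn and return the smallest
    number of value changes seen by any single bit position."""
    fewest = None
    for byte in initial:
        for bit in range(8):
            prev = (byte >> bit) & 1
            flips = 0
            for pat in patterns:
                cur = (pat >> bit) & 1
                if cur != prev:
                    flips += 1
                prev = cur
            fewest = flips if fewest is None else min(fewest, flips)
    return fewest if fewest is not None else 0


def check_scrub(initial: bytes, patterns: list, required_flips: int) -> bool:
    """True when the sequence has enough passes and toggles every bit
    at least `required_flips` times regardless of the starting contents."""
    return len(patterns) >= PASSES and min_bit_flips(initial, patterns) >= required_flips


def scrub(buf: bytearray, patterns: list) -> bytearray:
    """Apply the passes to a buffer in place (the last pattern is what remains)."""
    for pat in patterns:
        for i in range(len(buf)):
            buf[i] = pat
    return buf
```

Run against a buffer holding every byte value, the alternating sequence toggles every bit at least seven times and satisfies both requirements; the checkerboard sequence toggles some bits only three times, so it meets the flash requirement but not the heap one; and eight plain zero-fills give no guarantee at all, because a bit that starts at zero never changes.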

Simple Defeat
- Made of a nickel, copper, silver-plated nylon plain woven fabric
- http://www.paraben-forensics.com
- Works like a charm
- Also great for quiet evenings!

Blackberry Forensics
[Screenshot courtesy of: Paraben’s PDA Seizure Software ©2006]

Paraben’s PDA Seizure Software – File View
Note: Device has “Content Protection” enabled, but has been unlocked!

Connection to the outside
- From the Enterprise (BES) to the Research In Motion infrastructure:
  – Utilizes SRP
  – From the BES to a RIM designated end point
  – TCP Port 3101
  – Needs a hole in the firewall for TCP Port 3101

SRP
- Keys and configuration information maintained in the Configuration DB
- If a BES uses the same unique SRP authentication key and SRP ID (both provided by RIM) more than 5 times in one minute, the SRP ID is disabled
- Uses bi-directional hashing to authenticate the BES and the RIM infrastructure
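Two of the points on this slide can be modelled to show how they interact: the RIM side counting authentications per SRP ID and disabling the ID once the sixth arrives inside a minute, and both ends proving knowledge of the shared authentication key with a hash over a fresh challenge. The following is an added example for this deck, not RIM’s SRP implementation: HMAC-SHA256, the challenge/proof message layout, the class names and the SRP ID and key values are all assumptions constructed for illustration, and the real wire protocol is not described on the page.

```python
"""Constructed model of two behaviours from the SRP slide: (1) an SRP ID is
disabled after more than five authentications in one minute, and (2) both
ends prove knowledge of the shared key with a keyed hash over a challenge.
Added example, not RIM's protocol; HMAC-SHA256 and the message layout are
assumptions, and the SRP ID / key used in the tests are constructed."""

import hashlib
import hmac
import os
from collections import defaultdict, deque

MAX_AUTHS_PER_WINDOW = 5   # slide: "more than 5 times in one minute"
WINDOW_SECONDS = 60


def _proof(key: bytes, role: bytes, srp_id: str, nonce: bytes) -> bytes:
    """Keyed hash binding the role, SRP ID and challenge (assumed construction)."""
    return hmac.new(key, role + srp_id.encode() + nonce, hashlib.sha256).digest()


class SrpRelay:
    """Stand-in for the RIM side: knows each BES's key, enforces the limit."""

    def __init__(self, registrations: dict):
        self._keys = dict(registrations)          # srp_id -> authentication key
        self._recent = defaultdict(deque)         # srp_id -> timestamps in window
        self.disabled = set()

    def _over_limit(self, srp_id: str, now: float) -> bool:
        window = self._recent[srp_id]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()                      # forget authentications older than a minute
        window.append(now)
        if len(window) > MAX_AUTHS_PER_WINDOW:
            self.disabled.add(srp_id)             # sixth use inside a minute: ID disabled
            return True
        return False

    def challenge(self, srp_id: str, now: float):
        """Issue a fresh nonce, or None when the ID is unknown, disabled or over the limit."""
        if srp_id not in self._keys or srp_id in self.disabled:
            return None
        if self._over_limit(srp_id, now):
            return None
        return os.urandom(16)

    def verify_bes(self, srp_id: str, nonce: bytes, bes_proof: bytes):
        """Check the BES's proof; on success return the relay's own proof."""
        key = self._keys.get(srp_id)
        if key is None or srp_id in self.disabled:
            return None
        if not hmac.compare_digest(_proof(key, b"BES", srp_id, nonce), bes_proof):
            return None
        return _proof(key, b"RIM", srp_id, nonce)


class Bes:
    """Enterprise side: holds the SRP ID and key provided at registration."""

    def __init__(self, srp_id: str, key: bytes):
        self.srp_id, self.key = srp_id, key

    def prove(self, nonce: bytes) -> bytes:
        return _proof(self.key, b"BES", self.srp_id, nonce)

    def verify_relay(self, nonce: bytes, relay_proof: bytes) -> bool:
        return hmac.compare_digest(_proof(self.key, b"RIM", self.srp_id, nonce), relay_proof)


def authenticate(bes: Bes, relay: SrpRelay, now: float) -> str:
    """One full exchange: challenge, BES proof, relay proof, BES check."""
    nonce = relay.challenge(bes.srp_id, now)
    if nonce is None:
        return "refused"
    relay_proof = relay.verify_bes(bes.srp_id, nonce, bes.prove(nonce))
    if relay_proof is None:
        return "bes-rejected"
    return "mutual-ok" if bes.verify_relay(nonce, relay_proof) else "relay-rejected"
```

The operational consequence for an administrator is the one the slide hints at: a BES that reconnects in a tight loop (a flapping service, or a duplicate server accidentally configured with the same SRP ID and key) will get its ID disabled, and the disabled state does not clear when the minute passes.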

Increasing Messaging Security
- PGP Support available through the PGP Support Package
  – Package provides tools to manage keys
- PGP Universal Server enforces administrator policies and key management
  – Integrates with LDAP infrastructure
- Users can encrypt, decrypt, and digitally sign messages
- Encrypted twice!

S/MIME Too!
- S/MIME Support package supports users who already utilize S/MIME on the computer
  – Package supports certificate and private key management
- Integrates with PKI infrastructure
- Encrypted twice!

Communications Infrastructure
- MDS:
  – Mobile Data System
  – Provides access to custom applications within the corporate network
  – By design, MDS bypasses the firewall
  – Works for signed and unsigned applications
[Diagram: Corporate Intranet with BES servers and MDS Applications]

MDS – The Good Stuff
- Formerly known as IP Proxy
- Uses AES as a session key and a 1024 bit RSA key to exchange keys between the Blackberry and the MDS Services server
  – Standard Blackberry encryption to the device
- Proxy mode: TLS/SSL (HTTPS) between the MDS Services server and the application, and standard BB encryption out to the device
- Handheld mode: TLS/SSL (HTTPS) between the device and the content server
  – When you “trust” the end-points

MDS – The Bad
- A hacker could develop an application that collects information and then sends it to them – a signed application would be quite stealthy
- Or an application could connect to the hacker, just like a remote back-door
- How about a port scanner to determine what services are running?
- Accessing a device’s GPS data?

The Proof… BBProxy
- Also known as “Blackjacking”
- BBProxy created by Jesse D’Aguanno
  – Demonstrated at DefCon 2006
- A rogue application could establish an outbound connection to a hacker controlled system
- And utilize MDS to connect to a trusted internal system or perhaps to another external machine the bad guy wants to “own”

BBProxy
- Enhanced Metasploit to utilize the BB proxied connection
  – Metasploit: “open-source platform for developing, testing, and using exploit code”. See http://www.metasploit.com
- Code may be available on the Praetorian Global web-site (see resources)
- Slides definitely are available

Server / Protocol Vulnerabilities
- Common Vulnerability Database
- Lists 7 vulnerabilities
- Some require IP access to the server
- Some are from just sending a message

Blackberry Vulnerabilities
- SecurityFocus™ maintains BugTraq, a mailing list of all things vulnerable
- Blackberry maintains an IT Edition Blackberry Connection newsletter
- Mitre maintains the Common Vulnerabilities and Exposures DB
- United States Computer Emergency Readiness Team (CERT) maintains a DB

You Can Protect the Infrastructure
- Controls at the user level
- Controls at the network level
- Controls at the handheld

Recommended Controls – Handheld
- Security at the handheld:
  – Passwords turned on
  – Automatic locking
  – Content Protection enabled
- Do not download or install untrusted applications (signed is not trusted!)

Recommended Controls – Network
- Segmentation
  – Segment the BES in a DMZ to limit exposure
  – Consider the MDS back-end applications in a DMZ as well
- Firewall control and monitoring
  – It’s tough monitoring SSL inbound traffic!

Recommended Controls – Users
- Educate them why the controls are important
  – Why they are responsible and accountable
  – Why the password shouldn’t be the phone number
- Recognize the question
  – “Allow an external Connection”

Recommended Controls
- Conduct an assessment based on your infrastructure and your implementation.
- Publicly available assessments:
  – @Stake (now Symantec) conducted an assessment in 2003
  – Fraunhofer conducted an assessment in 2006
  – Neither uncovered significant vulnerabilities

And with any control…
- Why leave it to the user?
- Enforce via policy
- Trust, but verify.

Assessments – Policy
- Review the usage policy including:
  – Provisioning
  – Account Management
  – Decommissioning
    • Employee terminations and remote wiping
  – Monitoring of traffic and usage
  – Acceptable use
  – Do the employees know what is expected of them?

Assessments – Review BES Policies
- Are passwords and device locks enabled?
- Is application download disabled?
- Has the remote wipe feature been tested?
- Does the BES policy reflect your corporate policy?
  – Some companies utilize the “Owner” screen (what you see before you type your password) to display a corporate monitoring / usage policy

Assessments – Infrastructure
- Review firewall rules
- Network segmentation
- Are the MDS applications and data adequately protected and encrypted?
- Is the Configuration DB secured?
- How about the Exchange servers?
- Software updates and patches?

Resources
- http://oppitronic.de/pb/ (BB Screenshots)
- http://blackberryforums.pinstack.com/
- http://www.bbhub.com/
- http://na.blackberry.com/eng/ataglance/security/
- http://www.praetoriang.net/ (BBProxy)

Summary
- The “user” experience is a very simplified one. The administrator’s is not.
- You can provide a solid security infrastructure for Blackberry devices by reducing a number of risks very easily
- Solution is not just at the handheld
- Resources abound and solutions continue to be developed
- Is it time for a thorough assessment?

Contact Information
George G. McBride, Director
Financial Advisory and Litigation Consulting Services
Aon Consulting, Inc.
1 Industrial Way West, Bldg B, Eatontown, NJ 07724
Office: +1.732.389.8944  Mobile: +1.732.429.0676
[email protected]  www.aon.com