Session G5 Blackberry Security. © 2007 Aon Consulting Blackberry Security Session G5 George G. McBride Tuesday 20 March 2007 3:30 PM to 5:00 PM.

Posted Dec 18, 2015 (uploaded by Aron Stanley)

Transcript
Page 1: Session G5 Blackberry Security (title slide)

Page 2: Blackberry Security, Session G5. George G. McBride. Tuesday 20 March 2007, 3:30 PM to 5:00 PM.

Page 3: Welcome!

Page 4: Introduction

- Security at the device
- Security at the server
- Security in transit
- Precautions and controls
- Assessing and auditing security
- Conclusion and wrap-up

Page 5: Why are we here?

Page 6: And Because:

- Around 3 million shipped in 2006
- More than 7 million subscribers today
- It weighs 4.6 ounces
- Hundreds are lost daily in the US
- We often synchronize our e-mails, contacts, calendars, and task lists
- Access to applications puts more data on the devices

Page 7: Typical Blackberry Infrastructure

[Diagram: BES servers sitting on the Corporate Intranet]

Page 8: Typical Blackberry Infrastructure

[Diagram: the BES on the Corporate Intranet connects out to the Blackberry Network at srp.na.blackberry.net (or srp.xx.blackberry.net for other regions), which in turn connects to the Service Provider Network and the devices]

Page 9: Blackberry Infrastructure Components

This diagram is excerpted from: Blackberry Enterprise Server for Microsoft Exchange Version 4.0, Feature and Technical Overview, © 2004 Research In Motion Limited

Page 10: Blackberry Infrastructure Components

- Blackberry Router: connects the BB infrastructure to users' computers running Desktop Manager
- Messaging Server: your MS Exchange or Lotus Notes server
- Blackberry Dispatcher: encrypts/decrypts and compresses/decompresses messages passing between the devices and the BB infrastructure

Page 11: Blackberry Infrastructure Components

- Attachment Service: manages and optimizes attachments for the device
- Mobile Data Service: conduit between the device and the application and content servers
- Configuration Database: maintains all configuration data for the BES components, BB users, and the devices

Page 12: Blackberry Infrastructure Components

- Messaging Agent: scans for, or is notified of, new messages and sends them to the Blackberry Dispatcher
- Synchronization Service: allows Memo, Notes, Address Book, and Tasks to be wirelessly synchronized through the dispatcher

Page 13: Blackberry Infrastructure Components – Last One!

- Blackberry Controller: monitors and manages the messaging agent and the dispatcher; restarts and throttles them as required and provides statistics
- Policy Service: maintains the various policies and provisioning functions and serves as their administrative interface

Page 14: Typical E-Mail Flow - Sending

- Alice sends a message to Bob
- The Blackberry device compresses and encrypts the message
  - The address of Alice's designated BES is part of the message header information
- Through the Blackberry infrastructure, the message is delivered over SRP to Alice's corporate BES server
- The BES receives the message
- The BES decompresses and decrypts the message
- The BES delivers the message to the user's mailbox

Page 15: Typical E-Mail Flow - Receiving

- Alice has sent a message to Bob
- Bob's e-mail server receives the message and notifies the BES
  - The message may also be retrieved via Desktop Manager
- The BES retrieves the message
- The BES retrieves the user preferences
- The BES compresses and encrypts the message
- The BES places the message in the outgoing queue
- The message is delivered via SRP to the wireless network
- Bob's Blackberry receives the message and decompresses and decrypts it

Page 16: "PIN" Messaging

- Encrypted with Triple DES
  - Every Blackberry uses the same peer-to-peer encryption key, so a PIN message is "scrambled", not confidential: any other device holding that global key can read it
  - An administrator can generate a corporate peer-to-peer encryption key and distribute it to all corporate devices through an IT policy, which narrows the set of devices that can read the traffic to that corporation's handsets
- Ideal for use during a catastrophic failure, since PIN messages travel device-to-device through the RIM network without the BES or the corporate mail server
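The key-scope point above, as an added example (this is not code from the slides or from RIM): the same compress-then-encrypt pipeline is run under a global PIN key, a corporate PIN key, and a per-device BES transport key, and for each message the code reports which handsets can read it. The cipher (an HMAC-SHA256 keystream with an HMAC tag) is a stand-in for the Triple DES / AES the real devices use, and the key values, the handset names and which keys each handset holds are all constructed for the example.

```python
# Added example, not from the slides or from RIM: models the key-scope point
# on the "PIN" Messaging slide. The cipher (HMAC-SHA256 keystream + HMAC tag)
# stands in for the Triple DES / AES the real devices use; keys and device
# names are constructed.
import hashlib
import hmac
import os
import zlib

NONCE_LEN = 12
TAG_LEN = 16


def _keystream_xor(key, nonce, data):
    """XOR data with an HMAC-SHA256 counter-mode keystream (stand-in cipher)."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + block_no.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def seal(key, plaintext, nonce=None):
    """Compress, then encrypt, then tag: the order the device uses before a
    message goes to the radio. Returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ct = _keystream_xor(key, nonce, zlib.compress(plaintext))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def open_message(key, blob):
    """Verify the tag, decrypt, decompress. Returns None when the key is wrong
    or the blob was tampered with."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return zlib.decompress(_keystream_xor(key, nonce, ct))


# Constructed keys. On real devices the global PIN key is present in every
# handset, the corporate PIN key is pushed by IT policy, and each device's
# transport key is established when it is activated against the BES.
GLOBAL_PIN_KEY = b"constructed-global-pin-key-on-every-device"
CORPORATE_PIN_KEY = b"constructed-acme-corporate-pin-key"
TRANSPORT_KEYS = {"alice": b"constructed-alice-key", "bob": b"constructed-bob-key"}

# Which keys each handset holds; eve is an outsider with a retail BlackBerry.
HANDSETS = {
    "alice": [GLOBAL_PIN_KEY, CORPORATE_PIN_KEY, TRANSPORT_KEYS["alice"]],
    "bob": [GLOBAL_PIN_KEY, CORPORATE_PIN_KEY, TRANSPORT_KEYS["bob"]],
    "eve": [GLOBAL_PIN_KEY],
}


def who_can_read(blob, handsets=HANDSETS):
    """Names of the handsets holding any key that opens the blob."""
    return sorted(name for name, keys in handsets.items()
                  if any(open_message(k, blob) is not None for k in keys))


def demo():
    """Same message, three key scopes: global PIN, corporate PIN, BES transport."""
    msg = b"Bob: the server room door code is 4242"
    return {
        "pin_global": who_can_read(seal(GLOBAL_PIN_KEY, msg)),
        "pin_corporate": who_can_read(seal(CORPORATE_PIN_KEY, msg)),
        "bes_to_bob": who_can_read(seal(TRANSPORT_KEYS["bob"], msg)),
    }


if __name__ == "__main__":
    for scenario, readers in demo().items():
        print(f"{scenario:14s} readable by: {', '.join(readers)}")
```

The outsider's handset reads the global-key PIN message, is shut out once the corporate PIN key is in use, and only Bob's device can open the BES message, which is the difference between "scrambled" and encrypted that the slide is drawing.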

Page 17: Short Message Service (SMS)

- Remember the old days when a cool game we downloaded surreptitiously dialed Madagascar or Andorra?
- How about a program that does the same thing with "Premium" SMS messages?
  - If the application is signed, you'll never know
  - If the application is not signed, you'll only know about the first one (you are prompted the first time only)

Page 18: Device Security

- Focus on BlackBerry devices manufactured by Research In Motion
- Most of this presentation also applies to devices with "Blackberry Push" technology
- Some of the presentation applies to smartphones and PDAs as well

Page 19: Back-ups are good!

- Generated from the desktop software
- Can be automated
- Can be restored to an alternate device
- Includes configuration information
- Includes data (but not the media card)
- Stored in plaintext! The backup file carries the device's data without the device's content protection, so it needs the same handling as the device itself

Page 20: Where are the Security Options?

Page 21: The Magic Screen

- Password can be 4-14 characters, with minimal complexity checking
- Timeout from 1 minute to 1 hour
- Can automatically lock the handheld when holstered
- Content Compression:
  - Not "security"
  - Only compresses data

Page 22: Content Protection

- E-Mail, Calendar, MemoPad, Tasks, Contacts, Browser (cache, saved pages), and AutoText (corrections) are protected
- Can be used by 3rd-party developers
- Uses a combination of AES and ECC to encrypt the data (AES for data stored on the device; an ECC public key so that data arriving while the device is locked can be protected without the password)
- Encryption keys are not part of the BB back-up solution
- Back-ups are not afforded the same level of protection

Page 23: SmartCard

- Something you have and something you know (two-factor authentication)
- Uses AES over Bluetooth
- Can protect your BlackBerry and your computer
- Power level adjustable
- Keys stored in RAM

Page 24: Bluetooth Security

- Bluetooth is disabled by default
- Can be managed centrally by policy:
  - Connections to other Bluetooth devices
  - Connections to Bluetooth hands-free devices
  - Bluetooth Object Exchange (OBEX) disabled
- Watch "Discoverable Mode"
- Can utilize Desktop Manager over Bluetooth

Page 25: Applications on your device

- Application signing is required for complete access to the Blackberry API
- According to RIM, the $100 fee is used to verify your identity
- Signing keys are allocated per development environment
- A hash (SHA-1) of the application is sent to RIM to obtain a signature, which is appended to the application
- A signature therefore proves who the developer was to RIM; it says nothing about what the code does

Page 26: Lost Your Blackberry?

- Set a Password and Lock Handheld
  - Creates a new password and immediately locks the handheld
  - You risk the loss of your contents if Content Protection is enabled
- Erase Data and Disable Handheld
- Secure Wipe Delay After IT Policy Received and Secure Wipe Delay After Lock
  - Time in hours after IT policy updates or IT admin commands, or after the device is locked, before the device wipes itself
- Secure Wipe if Low Battery
  - Why?

Page 27: Device Wiping

Three ways to wipe the device:
- By command from the BES, or by a pre-defined policy from the BES
- By default, after 10 unsuccessful password attempts
  - Can be changed by policy
  - You get 5 attempts, then have to type "blackberry" (so that stray keypresses in a pocket do not wipe the device), and then you get 5 more
- The user chooses "Wipe Device"

Page 28: Doing It Yourself

Page 29: Wiping aka Memory Scrub

- Wireless is disabled
- A "Device Under Attack" flag is set, in case of power interruption, so the wipe resumes on restart
- Flash memory (persistent store) is deleted
- RAM heap is overwritten in 8 passes, with each bit changing 4 times
- Flash memory file system is overwritten in 8 passes, with each bit changing at least twice
- Password is cleared
- Data space in RAM is cleared 4 times
- Handheld is restarted
- Compliant with DoD and NIST requirements

Page 30: Simple Defeat

- A radio-shielding bag made of nickel-, copper-, and silver-plated nylon plain-woven fabric (http://www.paraben-forensics.com) keeps the device off the wireless network, so a remote wipe command never reaches it
- Works like a charm
- Also great for quiet evenings!

Page 31: Blackberry Forensics

Screenshot courtesy of: Paraben's PDA Seizure Software © 2006

Page 32: Paraben's PDA Seizure Software – Main Screen

Page 33: Paraben's PDA Seizure Software – File View

Note: the device has "Content Protection" enabled but has been unlocked, so the forensic tool reads the data in the clear. Content protection only helps while the device is locked.

Page 34: Coming Soon?

Page 35: Connection to the outside

From the enterprise (BES) to the Research In Motion infrastructure:
- Utilizes SRP
- From the BES to a RIM-designated end point
- TCP port 3101
- Needs a hole in the firewall for TCP port 3101 (an outbound connection initiated by the BES; restrict the rule to the BES host and the RIM SRP address rather than opening the port for the whole network)

Page 36: SRP

- Keys and configuration information are maintained in the Configuration DB
- If a BES uses the same unique SRP authentication key and SRP ID (both provided by RIM) more than 5 times in one minute, the SRP ID is disabled (a second BES cloned with the same SRP ID is the usual way to trip this)
- Uses bi-directional hashing to authenticate the BES and the RIM infrastructure to each other
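The "more than 5 times in one minute" rule above is worth watching from your own side before RIM disables the SRP ID. The following is an added example, not code from the slides or from RIM: a sliding-window check over BES-side log lines that flags an SRP ID authenticating more often than the limit and lists the hosts doing it, which is how a duplicated SRP ID shows up. The log line format is constructed for the example; real BES Dispatcher/Router logs look different and the regular expression must be adapted to them.

```python
# Added example, not from the slides or from RIM. Models RIM's SRP lockout
# rule (more than 5 authentications of one SRP ID in a minute disables it)
# as a sliding-window detector over BES-side log lines. The log format is
# constructed; adapt LINE_RE to the real BES log before use.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format): timestamp, SRP ID, event, host.
# S12345678 is being used by two BES hosts at once; S87654321 is healthy.
SAMPLE_LOG = """\
2007-03-20 09:00:01 srp_id=S12345678 event=srp_auth host=bes01
2007-03-20 09:00:09 srp_id=S12345678 event=srp_auth host=bes02
2007-03-20 09:00:18 srp_id=S12345678 event=srp_auth host=bes01
2007-03-20 09:00:27 srp_id=S12345678 event=srp_auth host=bes02
2007-03-20 09:00:36 srp_id=S12345678 event=srp_auth host=bes01
2007-03-20 09:00:45 srp_id=S12345678 event=srp_auth host=bes02
2007-03-20 09:00:50 srp_id=S87654321 event=srp_auth host=bes03
2007-03-20 09:30:00 srp_id=S87654321 event=srp_auth host=bes03
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"srp_id=(?P<srp_id>\S+) event=(?P<event>\S+) host=(?P<host>\S+)$"
)


def parse(log_text):
    """Yield (timestamp, srp_id, host) for each SRP authentication line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("event") != "srp_auth":
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        yield ts, m.group("srp_id"), m.group("host")


def find_srp_abuse(log_text, limit=5, window=timedelta(minutes=1)):
    """Return {srp_id: {"count": peak authentications inside one window,
    "hosts": sorted BES hosts seen using it}} for every SRP ID that exceeds
    `limit` authentications within `window`."""
    recent = defaultdict(deque)   # srp_id -> timestamps inside the window
    hosts = defaultdict(set)      # srp_id -> hosts that used it
    findings = {}
    for ts, srp_id, host in sorted(parse(log_text)):
        q = recent[srp_id]
        q.append(ts)
        hosts[srp_id].add(host)
        while q and ts - q[0] > window:   # drop events older than the window
            q.popleft()
        if len(q) > limit:
            f = findings.setdefault(srp_id, {"count": 0, "hosts": set()})
            f["count"] = max(f["count"], len(q))
            f["hosts"] |= hosts[srp_id]
    return {k: {"count": v["count"], "hosts": sorted(v["hosts"])}
            for k, v in findings.items()}


if __name__ == "__main__":
    for srp_id, f in find_srp_abuse(SAMPLE_LOG).items():
        print(f"{srp_id}: {f['count']} auths in one minute from {', '.join(f['hosts'])}")
```

Run against the sample, only S12345678 is reported, with both bes01 and bes02 listed; that pair of hosts is the clue that the SRP credentials were copied rather than the BES simply restarting in a loop.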

Page 37: Increasing Messaging Security

- PGP support is available through the PGP Support Package
  - The package provides tools to manage keys
- PGP Universal Server enforces administrator policies and key management
  - Integrates with LDAP infrastructure
- Users can encrypt, decrypt, and digitally sign messages
- Encrypted twice! (PGP end-to-end, carried inside the standard BES transport encryption)

Page 38: S/MIME Too!

- The S/MIME Support Package supports users who already utilize S/MIME on the computer
  - The package supports certificate and private key management
- Integrates with PKI infrastructure
- Encrypted twice! (S/MIME end-to-end, carried inside the standard BES transport encryption)

Page 39: Communications Infrastructure

MDS:
- Mobile Data System
- Provides access to custom applications within the corporate network
- By design, MDS bypasses the firewall: the device reaches internal servers through the BES's existing outbound SRP connection, so no inbound rule is ever needed
- Works for signed and unsigned applications

[Diagram: BES on the Corporate Intranet, with the MDS applications behind it]

Page 40: MDS – The Good Stuff

- Formerly known as IP Proxy
- Uses an AES session key, exchanged using a 1024-bit RSA key, between the Blackberry and the MDS Services server
  - Standard Blackberry encryption to the device
- Proxy mode: TLS/SSL (HTTPS) between the MDS Services server and the application, and standard BB encryption out to the device
- Handheld mode: TLS/SSL (HTTPS) end-to-end between the device and the content server
  - For when you "trust" the end-points; the BES cannot see inside this traffic

Page 41: MDS – The Bad

- A hacker could develop an application that collects information and then sends it to them; a signed application would be quite stealthy
- Or an application could connect back to the hacker, just like a remote back-door
- How about a port scanner to determine what services are running on the intranet?
- Accessing a device's GPS data?

Page 42: The Proof... BBProxy

- Also known as "Blackjacking"
- BBProxy created by Jesse D'Aguanno
  - Demonstrated at DefCon 2006
- A rogue application could establish an outbound connection to a hacker-controlled system
- And utilize MDS to connect to a trusted internal system, or perhaps to another external machine the bad guy wants to "own"

Page 43: BBProxy

- Metasploit was enhanced to utilize the BB-proxied connection
  - Metasploit: "open-source platform for developing, testing, and using exploit code". See http://www.metasploit.com
- Code may be available on the Praetorian Global web-site (see Resources)
- Slides definitely are available
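The port scanner and the BBProxy pivot described on the last three slides both leave a trace in one place: the MDS connection logs on the BES, since every device-to-server connection is proxied there. The following is an added example, not code from the slides, from RIM or from the BBProxy project. It parses a constructed log format (timestamp, device PIN, destination host:port, result; adapt LINE_RE to the real MDS Connection Service log) and flags two behaviours: a device reaching hosts that are not on the approved MDS application list, and a single device touching many distinct host:port pairs within a short window, which is what a scan or a pivot looks like from the BES side. The approved-server list and the PINs are assumptions for the example.

```python
# Added example, not from the slides, RIM or BBProxy. Looks for BBProxy-style
# abuse of the MDS proxy in a constructed connection log: destinations off
# the approved list, and one device hitting many host:port pairs quickly.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed list of the only servers MDS applications are meant to reach.
APPROVED = {("crm.corp.example", 443), ("intranet.corp.example", 80)}

# Constructed sample log (hypothetical format). PIN 2100000A behaves normally,
# 2100000B walks a range of ports on one internal host, 2100000C reaches one
# unapproved file server.
SAMPLE_LOG = """\
2007-03-20 14:00:00 pin=2100000A dest=crm.corp.example:443 result=ok
2007-03-20 14:00:05 pin=2100000A dest=intranet.corp.example:80 result=ok
2007-03-20 14:01:00 pin=2100000B dest=10.10.5.20:22 result=refused
2007-03-20 14:01:01 pin=2100000B dest=10.10.5.20:80 result=ok
2007-03-20 14:01:02 pin=2100000B dest=10.10.5.20:135 result=ok
2007-03-20 14:01:03 pin=2100000B dest=10.10.5.20:139 result=ok
2007-03-20 14:01:04 pin=2100000B dest=10.10.5.20:445 result=ok
2007-03-20 14:01:05 pin=2100000B dest=10.10.5.20:1433 result=refused
2007-03-20 14:01:06 pin=2100000B dest=10.10.5.20:3389 result=ok
2007-03-20 14:05:00 pin=2100000C dest=10.10.5.21:445 result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) pin=(?P<pin>\S+) "
    r"dest=(?P<host>[^:\s]+):(?P<port>\d+) result=(?P<result>\S+)$"
)


def parse(log_text):
    """Return a list of (timestamp, pin, host, port, result) records."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            records.append((ts, m.group("pin"), m.group("host"),
                            int(m.group("port")), m.group("result")))
    return records


def find_unapproved(records, approved=APPROVED):
    """{pin: sorted 'host:port' strings} for destinations off the approved list."""
    out = defaultdict(set)
    for _, pin, host, port, _ in records:
        if (host, port) not in approved:
            out[pin].add(f"{host}:{port}")
    return {pin: sorted(dests) for pin, dests in out.items()}


def find_scans(records, min_targets=5, window=timedelta(seconds=60)):
    """{pin: peak number of distinct host:port pairs inside one window} for
    devices that reach at least `min_targets` distinct pairs within `window`.
    Refused connections count too: a scanner learns from those as well."""
    by_pin = defaultdict(list)
    for ts, pin, host, port, _ in records:
        by_pin[pin].append((ts, (host, port)))
    hits = {}
    for pin, events in by_pin.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            targets = {t for ts, t in events[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                hits[pin] = max(hits.get(pin, 0), len(targets))
    return hits


def analyze(log_text):
    records = parse(log_text)
    return {"unapproved": find_unapproved(records), "scans": find_scans(records)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for pin, dests in report["unapproved"].items():
        print(f"{pin}: unapproved destinations {', '.join(dests)}")
    for pin, n in report["scans"].items():
        print(f"{pin}: {n} distinct targets in one minute, looks like a scan")
```

The allowlist check is the one that matters most: MDS is a proxy into the intranet, so anything a device reaches that is not a published MDS application is either a misconfiguration or exactly the pivot the BBProxy demonstration showed.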

Page 44: Server / Protocol Vulnerabilities

- The Common Vulnerability Database lists 7 vulnerabilities (as of this talk, March 2007)
- Some require IP access to the server
- Some are triggered by just sending a message

Page 45: Blackberry Vulnerabilities

- SecurityFocus maintains BugTraq, a mailing list of all things vulnerable
- Blackberry maintains an IT Edition of the Blackberry Connection newsletter
- MITRE maintains the Common Vulnerabilities and Exposures (CVE) database
- The United States Computer Emergency Readiness Team (US-CERT) maintains a database

Page 46: You Can Protect the Infrastructure

- Controls at the user level
- Controls at the network level
- Controls at the handheld

Page 47: Recommended Controls – Handheld

Security at the handheld:
- Passwords turned on
- Automatic locking
- Content Protection enabled
- Do not download or install untrusted applications (signed is not trusted! The signature identifies the developer to RIM; it says nothing about what the code does)

Page 48: Recommended Controls – Network

- Segmentation
  - Segment the BES in a DMZ to limit exposure
  - Consider placing the MDS back-end applications in a DMZ as well
- Firewall control and monitoring
  - It's tough monitoring SSL inbound traffic! (handheld-mode MDS is encrypted end-to-end, so the proxy cannot see inside it)

Page 49: Recommended Controls – Users

- Educate them on why the controls are important
  - Why they are responsible and accountable
  - Why the password shouldn't be the phone number
- Recognize the question
  - "Allow an external connection?" (the prompt shown when an application wants to open a network connection; users should know not to wave it through)

Page 50: Recommended Controls

- Conduct an assessment based on your infrastructure and your implementation.
- Publicly available assessments:
  - @Stake (now Symantec) conducted an assessment in 2003
  - Fraunhofer conducted an assessment in 2006
  - Neither uncovered significant vulnerabilities

Page 51: And with any control...

- Why leave it to the user?
- Enforce via policy
- Trust, but verify.

Page 52: Assessments - Policy

Review the usage policy, including:
- Provisioning
- Account management
- Decommissioning
  - Employee terminations and remote wiping
- Monitoring of traffic and usage
- Acceptable use
- Do the employees know what is expected of them?

Page 53: Assessments – Review BES Policies

- Are passwords and device locks enabled?
- Is application download disabled?
- Has the remote wipe feature been tested?
- Does the BES policy reflect your corporate policy?
  - Some companies utilize the "Owner" screen (what you see before you type your password) to display a corporate monitoring / usage policy
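The policy review above, together with the handheld settings from "The Magic Screen" (4-14 character passwords, 1 minute to 1 hour timeout) and the recommended handheld controls (password on, auto-lock, content protection, no untrusted applications), can be turned into a repeatable check rather than a manual walk through the policy editor. The following is an added example, not code from the slides or from RIM. The rule names are assumptions modelled on BES 4.x IT policy rule names and must be checked against the policy editor of your BES version; the two policy dicts are constructed, one that leaves everything to the user and one that enforces the controls. It also includes the password check the "Users" slide asks for, rejecting a password that is the user's phone number.

```python
# Added example, not from the slides or from RIM. Audits a BES IT policy
# export (modelled here as a dict) against the controls the talk recommends,
# and checks a proposed device password against the user's phone number.
# Rule names are assumptions resembling BES 4.x IT policy rules; verify them
# against your BES version. Both policies below are constructed.
import re

WEAK_POLICY = {                          # everything left to the user
    "Password Required": False,
    "Minimum Password Length": 4,
    "Maximum Security Timeout": 60,      # minutes before auto-lock
    "Maximum Password Attempts": 10,     # wrong attempts before wipe
    "Content Protection Strength": None, # None = content protection off
    "Disable Bluetooth": False,
    "Allow Third Party Apps Download": True,
}

HARDENED_POLICY = {                      # the controls enforced centrally
    "Password Required": True,
    "Minimum Password Length": 8,
    "Maximum Security Timeout": 15,
    "Maximum Password Attempts": 10,
    "Content Protection Strength": "Strong",
    "Disable Bluetooth": True,
    "Allow Third Party Apps Download": False,
}

# (rule name, predicate the value must satisfy, finding text if it does not)
CHECKS = [
    ("Password Required", lambda v: v is True,
     "device password not enforced"),
    ("Minimum Password Length", lambda v: isinstance(v, int) and v >= 8,
     "minimum password length below 8"),
    ("Maximum Security Timeout", lambda v: isinstance(v, int) and 1 <= v <= 30,
     "auto-lock timeout longer than 30 minutes"),
    ("Maximum Password Attempts", lambda v: isinstance(v, int) and 1 <= v <= 10,
     "wipe-after-failed-attempts above 10 or disabled"),
    ("Content Protection Strength", lambda v: v in ("Strong", "Stronger", "Strongest"),
     "content protection disabled"),
    ("Disable Bluetooth", lambda v: v is True,
     "Bluetooth not disabled by policy"),
    ("Allow Third Party Apps Download", lambda v: v is False,
     "users may install third-party applications"),
]


def audit_policy(policy):
    """Return a list of finding strings; an empty list means the policy passes."""
    findings = []
    for rule, ok, text in CHECKS:
        if rule not in policy:
            findings.append(f"{rule}: rule missing from export")
        elif not ok(policy[rule]):
            findings.append(f"{rule}: {text} (value={policy[rule]!r})")
    return findings


def password_acceptable(password, phone_number=None, min_length=8):
    """Reject the device passwords the talk warns about: shorter than the
    corporate minimum (the device itself accepts 4-14 characters), all
    digits, or built from the user's own phone number."""
    if not min_length <= len(password) <= 14:
        return False
    if password.isdigit():
        return False
    if phone_number:
        phone_digits = re.sub(r"\D", "", phone_number)
        pw_digits = re.sub(r"\D", "", password)
        # any 4+ digit run that is the tail of the phone number (or vice versa)
        if len(pw_digits) >= 4 and (phone_digits.endswith(pw_digits)
                                    or pw_digits.endswith(phone_digits)):
            return False
    return True


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        findings = audit_policy(policy)
        print(f"{name}: {'PASS' if not findings else 'FAIL'}")
        for f in findings:
            print("  -", f)
```

Run the audit against the exported policy of every BES, not just the default one: a second policy assigned to a pilot group or to executives is where the weak settings usually survive.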

Page 54: Assessments - Infrastructure

- Review firewall rules
- Network segmentation
- Are the MDS applications and data adequately protected and encrypted?
- Is the Configuration DB secured?
- How about the Exchange servers?
- Software updates and patches?

Page 55: Resources

- http://oppitronic.de/pb/ (BB screenshots)
- http://blackberryforums.pinstack.com/
- http://www.bbhub.com/
- http://na.blackberry.com/eng/ataglance/security/
- http://www.praetoriang.net/ (BBProxy)

Page 56: Summary

- The "user" experience is a very simplified one. The administrator's is not.
- You can provide a solid security infrastructure for Blackberry devices by reducing a number of risks very easily
- The solution is not just at the handheld
- Resources abound and solutions continue to be developed
- Is it time for a thorough assessment?

Page 57: Contact Information

George G. McBride, Director
Financial Advisory and Litigation Consulting Services
Aon Consulting, Inc.
1 Industrial Way West, Bldg B, Eatontown, NJ 07724
Office: +1.732.389.8944  Mobile: +1.732.429.0676
[email protected]  www.aon.com