Security Basics mailing list archives
Re: how do you secure a blackberry
From: Aarón Mizrachi <unmanarc () gmail com>
Date: Wed, 22 Jul 2009 13:25:32 -0430
On Tuesday 21 July 2009 18:26:49 Enquiries @ Globalart 4u wrote:
How do you secure a blackberry if your provider decides to send an update with spyware on it as is the case of the UAE http://news.bbc.co.uk/1/hi/technology/8161190.stm ? How do you secure your data ?
The answer: deciding not to install the update.

---------

But let's look inside BlackBerry security:

----

At the communication level, BlackBerry has some improvements in security. But we need to differentiate the networks: the telephony network, the RIM data network, the WiFi network, and others...

1. In the first one, the telephony network, SMS and voice data are usually sent without crypto, or with crypto defined by the operator network (your telephony provider). What does this mean? The telephony provider could do what it wants with voice and SMS data. BlackBerry does not provide you end-to-end cryptography on voice or SMS.

2. On the RIM network (web browsing, PIN-related messaging), an SSL connection with some "other" cryptography is driven to the RIM communication center; then connections like internet browsing escape to the internet from RIM. PIN messaging is also encrypted this way.

3. The third possibility is when you have an APN-TCP and/or BES defined. In such a case, the telephony service provider could look inside your TCP connections, and more. But usually, APNs are defined only by rare applications that need TCP directly and cannot handle their connections through the HTTP system.

4. WiFi network: this depends on your WiFi network and the ISP ruling the WiFi network.

Communication conclusion:

This is never an end-to-end encrypted device. PIN-based BlackBerry Messenger is encrypted from your handheld to RIM and from RIM to other handhelds... you have to put your trust directly in RIM.

Another conclusion is... some people do not have the capacity to distinguish the security of the several communication channels offered by the device, and since not all communication channels used on the handheld are secure... the phrase "BlackBerry is a secure/uncrackable/anti-spy device" could be dangerously generalized over all of them. Therefore, you will have people sharing trade secrets over common SMS thinking that "BlackBerry is secure".

----

At the storage level...

BlackBerry offers a good security mechanism: you have to set a key on your phone and there is no known way to crack it. Moreover, if you try to test more than 10 passwords, you will automatically erase the BlackBerry memory (contacts, messages, etc.). BUT... not the SD card.

There is also some cipher protection for your SD card (personally, I didn't test it...).

When you don't encrypt your SD card, the problem is a bit dangerous... your pictures/voicenotes/whateversavedonsd and your deleted pictures/voicenotes/whateversavedonsd can be recovered from the SD. Therefore, a stolen device could be a serious compromise to your personal security.

My recommendation: don't save anything really important (like a picture of your credit card) on your SD cards...

------------

Application level...

BlackBerry offers an interesting level of security. RIM applications are signed, and applications installed on your handheld device will have a set of restrictions. You have to allow some of these restrictions by hand...

And something more... BlackBerry also requests your BlackBerry password if you want to install something from your computer to your BlackBerry.

-----------

In conclusion, the BlackBerry has a lot of security mechanisms; most of the attacks come from phishing and some imprudent behavior.

My recommendations:

- Set a password.
- Encrypt the SD.
- Don't accept to install applications if you don't really trust the developer.
- Know what is encrypted and what is not.
- Also know how it is encrypted.
- Make a complete backup periodically. If someone plays with your BlackBerry and types the password over 10 times, you will have an issue ;-).

--
Ing. Aaron G. Mizrachi P.
http://www.unmanarc.com
Mobil 1: + 58 416-6143543
Mobil 2: + 58 424-2412503
BBPIN: 0x 247066C1
Attachment:
signature.asc
Description: This is a digitally signed message part.