Lock up your Crackberries
Most of the articles about the security of Research In Motion’s Blackberries have focused on governments that want a peek behind RIM’s encryption, but other elements of the Blackberry make it well-designed for a business environment. Administrators who work with Blackberries are familiar with the ways in which handhelds can be …
Why don't the Lock Screens for smart phones have a space where the owner could provide his contact information (alternate landline telephone number, e-mail). As it is, if you have a password on your smart phone, then when someone finds it there's no obvious way to contact the rightful owner. At best, they drop it off with the local authorities and, with luck, it eventually gets returned.
But if the Enter Passcode screen had a spot for an alternate telephone number or e-mail address, then it would make things very easy for the finder to contact the owner.
Perhaps the alternate telephone number could even be an active button that would allow the call to be made from the found phone.
This improvement would allow lost phones to be returned within hours. Directly.
...but what company is worried about someone trying to return a phone and not being able to? surely the unscrupulous aren't going to steal the data, then try and hand the phone back in?
Well, I know my Blackberry shows the wallpaper behind the lock screen. If your phone does too, you could always create a wallpaper with that info on it -- if you want to hand out your contact details.
Of course, the secure answer is for the finder to take the phone to the network provider, who can read the SIM and send the phone back to the account owner without giving out anyone's contact details.
The company Blackberry does this: the lock screen has a wallpaper overlay saying "This belongs to Company XXX, if found, please return to YYY"
at the moment, in my environment, the user information just shows the name of the user - so they don't get them mixed up when they'r together.
But if one was to get lost, I could remotely set the display to read, "Please call xxx xxx xxxx to return this phone to its owner"
The closest I got to using that was when I mislaid my phone on the train. Fortunately, as my laptop wasn't working and so I couldn't remote into the server to change the display, my jacket turned up in the overhead storage half the length of the carriage away.
I didn't get to use the remote deactivate when an employee of the company left under strained circumstances: we wanted to read the phone log of the phone and so I just turned off the email reconcilliation so they couldn't delete anything from their mailbox.
the remote password reset I used when we did get the phone back, as I wasn't going to phone them for it.
BB and windows mobile devices do, and also allow room for a home address, which IMHO is a bit dodgy as its just given the opportunistic thief details of where you live on a plate.
Thats why for ours we just give a central 0300 number that people can call if they find one of our phones.
Paris because - we who wouldn't want her address.
I always had mine set up to show the "owner information" when the device was brought out of sleep. Not possible now I'm using Android, as far as I can see.
No doubt Windows Phone 7 will remove the feature but look prettier.
"Why don't the Lock Screens for smart phones have a space where the owner could provide his contact information (alternate landline telephone number, e-mail)."
My Blackberry does this. It has a configurable lock screen message for "Owner Name" and "brief message", which are shown every time the phone's locked. While I didn't put my home phone or address, a quick search on the whitepages can give them my home number. Or even better, they could go to a Customer Service center for my carrier and get them to send the handset to me.
However, I think I'll stick my email on the screen, so that anyone can send me an e-mail telling me they have my phone. That is, of course, assuming that the person who found it wants to give it back. Whoever nicked my Bold 9000 clearly wasn't interested in giving it back.
BlackBerry's do have that function. Under setup, select owner info and you can stick a tag line in the info field, after Owner Name.
"a reward is available if found. fred@tixylix.com"
That will appear on the lock screen.
I've previously lost a BB and had it returned from the bar in question (it's either that or a cab!) the next morning.
Blackberrys already do have this feature, along with a hundred other "common sense" business settings available via BES. That's why I get so frustrated with the almost zero ability to manage Android, WinMo and Apple phones.
If any of these other platforms, especially Apple, ever come out with a BES equivalent, RIM won't have to watch their back - they'll have to pull the knife out of it!
My old O2 XDA II has my contact details on the front screen and my work Blackberry shows my company name and contact phone number for a finder to call.
I've also noticed that more and more 'consumers' are getting Blackberrys, rather than iPhones. The number of cracked iPhone screens (in my office) and the ease of typing on the BB qwerty keyboard seem to be winning over (mainly female) users, at least where I am!
Same over here. Most "first smartphone" buyers have been buying into the Blackberry appeal; it seems that the idea of a cellphone-based IM system (Blackberry Messenger) has a big appeal over here. The iPhone being much more expensive than even the priciest BB might be another reason...
My Blackberry peal has such a feature so not sure what you're talking about.....
FAIL for you matey.....
A snag with Blackberry kit in a corporate environment is that the BES makes an encrypted tunnel through the corporate firewall to RIM and the BES (if RIM's requirements are followed) will be placed inside the corporate network. Whilst this makes life convenient for providing access to corporate data from a Blackberry, it also means a hacker only has to crack a Blackberry to gain access to the internal corporate network and not the corporate firewall. If you were a hacker, which do you think would make an easier target?
...because everybody's doing it. All you have to do is steal a device, hope nobody notices it's gone and wipes/deactivates it from BES, and then tunnel your ill deeds through the BES protocol through the RIM NOC and through an exploited BES server.
Simple, I think I'll do it tonight just to show how easy it is. Maybe I could film it and put it on Youtube.
/sarcasm
Seriously, not trying to offend here but you have no idea what you're talking about. The BES server is only open to the RIM NOC - an ISA (assuming you're running Exchange) or Traveler (if you're one of the rare Lotus types) server is open to everything.
Which is easier - the hack that requires you to have physical access to a trusted device and relies on some unknown method/ability to exploit a BES server, or the one that does not require a physical device (i.e. can be spoofed) and is open to the world (meaning: direct connection by the attacker)?
"Seriously, not trying to offend here but you have no idea what you're talking about" - back at you.
Firstly, nobody needs to "steal a device" - a visit by a device browser to a suitable malicious website would be enough.
The point of entry is neither at RIM or at the BES but at the Blackberry device itself. The device is connected to both the Internet and the corporate network. What is needed is to get the Blackberry device to proxy or route a connection back to the corporate network. Try Googling bb_proxy for some proof of concept code - although that is a bit old now.
No - I'm sure you're right. A Blackberry device is every bit the equal to a security appliance, so there's no problem having it tunnelled back via the BES into the corporate network. Plus, you would know if any of the Blackberry devices were making connections to various servers inside because that is all being logged somewhere, right?
Traveler is not necessarily open to everything. Sure you can have it open on port 80 if you want, but most companies would have their Traveler server at least using SSL with every other port except for sync blocked. Comms to the other Domino servers where the mail actually sits is easily encrypted using built in Domino encryption.
The Traveler server could be sat on the corporate VPN since iPhone, Symbian, WinMo handsets can all handle that, or use Lotus Mobile Connect, which is tailored for Traveler, Sametime, etc.
Ah yeah, you've then got to hack Domino itself. Good luck with that
Touché. I wouldn't call a BB a security appliance - that is of course ridiculous, but I think that was your point ;)
The BBProxy exploit, interesting read BTW, seems to be pretty severely overhyped and can be prevented in a number of ways (more commonly policies, less commonly network segmentation). If it were really as severe of a vulnerability as advertised I think someone would have done something creative with it in the last four years. I can't find any reference to anyone bypassing the device security to silent-install this onto someone's device, or bypassing the policy controls for 3rd party applications. Also, since this really isn't a break of existing functionality/protocols but more of a feature misuse - I'd be pretty surprised if it wasn't logged somewhere on the BES/MDS server.
If a user installs malware on the device, the policy allows it, the company IT police don't bother to check/monitor what applications are installed, and the BB server has full access to the network then yes, I guess there is the potential for this to open your network. That's a lot of if's, but until this exploit lives up to the hype and is actually seen working in the wild somewhere it's all academic.
As much as I may sound like a RIM fanboy, I'm really not, all I'm trying to get at here is that the security reputation for RIM seems to be at least somewhat deserved... and if someone wants to say it's really less secure than other architectures, that's all well and good, but the scenario you outlined does not seem like a very viable exploit scenario.
What I was getting at was the IP range access to the open ports on the Traveler server. The point of comparison with RIM is that the protocol hole in the firewall and what that protocol is opened up to. With Blackberry you open up the port(s) in play to the RIM NOC. With ActiveSync you have to open up your SSL port to direct connection from the devices unless, as you say, you put behind your VPN (which would be more secure IMO than BB).
I must be a little rusty on Mobile connect - does that use Lotus RPC like the old Notes Passthru connectivity works? If so, good luck trying to get into that one - agreed :D
We have a few clients using Goodlink to help them manage their non-Blackberry phones. Rumor has it they have an iPad management product in the works too.
I was a little surprised to see them pop back up again - way back when they were exclusively for Palm devices if I recall correctly.
*grumble* Make me research another company *grumble* work work work...*grumble*
If they weren't in use by multiple Enterprise clients I know, one of which owns a pretty well known AV label, I wouldn't have said a word I swear it!
The company I work for does not give a toss about a cheap bit of hardware - they want to know that they can zap it should I report it lost. And they do not want the finder to know that it belonged to Mr XXX of XXXX Ltd, either, as that just helps identify the data source.
They don't want it back if lost/stolen - they just want it, and its data, to die.
There was a possible way to hijack a companies BB's on BES a couple of years back but not sure if still works
Both corporate BES and consumer BIS BlackBerry has this feature to display the Owner info, under options - Owner. As the phone is the first thing a member of the emergency services will look for, I have in the past always advised clients to put the phone users name and a contact number that can be used for out of hours contact, plus the words ICE - means In Case of Emergency, so if that person is in an accident at say 2am sunday morning, they call that number and should get a relative who knows that person,and can at least know any health problems probelms, like Diabetic or a heart condition. It could save that person life. Most BlackBerry users lock the phone with a password, and with the owner set correctly it will still display the details. I think it is also a directive of the UK Lone Worker Policy, a series of guidelines for employers to protect their employees.
"The push by vendors and carriers to move Android and iPhone into the business world have focused on Exchange connectivity at the expense of discussing security. Non-Blackberry administrators may simply not have been exposed to these features."
I do think it's true that some do not know about the Blackberry security. However, in general I think the Android and iPhone push is for people who don't care about security -- this push is not towards administrators (who should care about security), it's towards the users (who usually don't) and especially PHBs (Pointy Haired Bosses) to get them to say "you will support my shiny new phone!"
Sign up, sign up for Blocks and Files, The Reg's weekly storage newsletter
