Blackberry becomes a Hackberry?

I’ve always had my suspicions about Blackberry and their security. A while back I read an interesting article about how a particular government department was funding RIM to determine how it could best encrypt traffic over the air since encryption of email wasn’t done during transmission to the device. I figured it was only a matter of time before something even more harmful was done considering the infrastructure on the backend that Blackberry requires.
Via Wired News:
By Kim Zetter
18:15 PM Aug, 05, 2006
LAS VEGAS — A computer security researcher says he’s found an unexpected new path into company networks: the Blackberry.
Jesse D’Aguanno, a consultant with Praetorian Global, has developed a hacking program that exploits the trust relationship between a Blackberry and a company’s internal server to hijack a connection to the network. Because the data tunnel between the Blackberry and the server is encrypted, intrusion detection systems at the perimeter of the network won’t detect the attack.
The technique is successful, D’Aguanno says, because most companies aren’t equipped to detect someone trying to deliver an exploit from inside the network. It also works because few companies view the Blackberry as a plausible attack vector.
"Because it’s a handheld device, most people don’t think it’s something that can actually harm the rest of your internal network," D’Aguanno said. "But a Blackberry is not your average handheld. It’s not just a PDA that’s connected (to your network) only when you’re in the office. It’s a code-running machine that’s always on and always connected to your internal network and has direct access to whatever you give it access to. And most company architectures allow it unfettered access to everything on the internal network."
The program, called BBProxy, has to be placed on a Blackberry either physically or as a Trojan horse delivered by e-mail. Once installed, it causes the Blackberry to call back to the attacker’s system in the background, opening a communications channel between the attacker and the company’s internal network.
From there, safely behind the organization firewall, the intruder can scan for hosts with security vulnerabilities.
D’Aguanno said he’ll release BBProxy for download in a week or so.
Given how ubiquitous the Blackberry is, it’s an obvious target for attack, but few researchers have examined it for vulnerabilities. D’Aguanno says the attack could be prevented if companies built more secure architectures on the back end and tightened user policies so not just any user can install third-party code.
"Securely deploying it shouldn’t be that hard but there hasn’t been a whole lot of documentation provided by (Blackberry maker) Research in Motion in the past on securely deploying the Blackberries."
D’Aguanno, who has met with Research in Motion about the issue, said the company posted two new documents on its website this week in anticipation of his presentation at the DefCon hacker convention here. The documents include instructions to customers for configuring a more secure architecture for Blackberry service.
Ironically, D’Aguanno’s own Blackberry was stolen during a recent business trip in Paris.