BlackBerry Security: A Benchmark for Wireless Mobile Devices
by Melisa LaBancz-Bleasdale
In today's business environment the mobile wireless device has become as much a lifeline—a sort of adjunct to air—as it is a business tool. Originally adopted by road warriors and C-level execs, it has evolved from its origins as a cool gadget to an indispensable part of the business arsenal. With over 10 million subscribers and 20 million handsets sold, Research In Motion (RIM), makers of the BlackBerry, sits at the top of the mobile wireless food chain. Osterman Research, in its 2007 report, The Growing Impact of Mobile Messaging, found that 85 percent of organizations already support the BlackBerry with another 21 percent receiving requests for its support.
The benefits of always-on connectivity are well documented, with increased productivity, employee availability, and efficiency, as its hallmarks. The vast majority of organizational decision makers believe that mobile messaging can significantly improve users' productivity, notes the Osterman report, and when BlackBerry devices are unavailable due to unplanned downtime, for example, 93 percent of users are less productive. Organizations increasingly support and often encourage the use of mobile wireless devices, yet they also underestimate the potential security risks. According to RIM, organizations should manage mobile security in the same way that they approach securing the wired components of the corporate local area network (LAN), such as services, desktop and laptop computers.
Security First and Foremost
Mobile wireless access to the enterprise enables organizations to squeeze the most from every minute of the workday, however, the increase in devices and transfer of enterprise information assets has created a window of vulnerability. As a result the IT community has not rushed to embrace the BlackBerry with open arms. Instead, many view it as a hole in their security operations—an open door for the hackers to gain entry.
Sina Miri, director of product marketing for PostPath has another point of view. "I think the BlackBerry reduces the threats against corporate entities as opposed to increasing them. Rather than carrying a laptop with a huge hard drive and lots of sensitive data, users are more reliant on their BlackBerry, which not only contains much less sensitive data, but also can be remotely erased if need be." BlackBerry devices can bring companies a step closer to a centralized data model, believes Miri, where the data is available from anywhere, yet is owned and secured in the corporate data center.
"The biggest security concern I have is the users that do not set passwords on their device and forget or lose them in public places," says Miri. "The worst BlackBerry incident I have experienced is with a user who lost his handset in Mexico. As soon as he reported it we remotely erased the data and cancelled the service. You can imagine what a big deal this would have been if he were carrying a laptop to access his email on the road."
Security concerns spawned the continued evolution of the Blackberry, and were the inspiration for a bevy of vendor solutions that followed. "One of the things that we identified with our initial BlackBerry concept was that security needed to be the cornerstone of our product philosophy if we were going to succeed," says Scott Totzke, vice president of global security group for RIM. "That message came loud and clear from potential clients who, while excited about the idea of having mobile access to email and other information, also would not put their information at risk for the sake of mobility. When you think about it, it makes perfect sense—you should not have to compromise your security for the sake of mobility."
Despite adopting the "security as a priority" mantra, RIM remains pragmatic. In its paper The CIO's Guide to Mobile Security, the RIM author explains that data transmitted outside the corporate network and stored outside the physical boundaries of the organization, is potentially subject to man-in-the-middle attacks, DoS attacks, malware threats, and other data breaches. The paper notes that while losing data can be an embarrassment to some organizations, in many cases it can also cause financial and legal risks.
James O'Connor, author of Symantec's Attack Surface Analysis of BlackBerry Devices, agrees, and explains that though the BlackBerry solution has a comprehensive inbuilt security framework at both device and server level, it is still susceptible to a number of potential attacks. Further, these attacks vary in the degree to which the user is involved but include the device being "backdoored", allowing confidential data to be exported from the device, and the device being used as a proxy for attackers. Some of these attacks, he writes, require applications to be digitally signed, thus limiting the likelihood of occurrence. Others can be conducted by unsigned code.
RIM, it seems, did not leave out the welcome mat for would be criminals. O'Connor points out that none of the potential BlackBerry attacks are purely autonomous. All require the user to be convinced to perform a number of actions in order to be successful. Also, he states, the viability of such attacks depends largely on the configuration of existing controls on the BlackBerry device: i.e. Firewall, Application Control and IT Policy setup and that using these available security mechanisms greatly reduces the risks associated with the attacks mentioned.
Miri believes that the biggest step that RIM has taken toward securing the BlackBerry is the addition of remote data erase capability, but is still concerned with users downloading third party applications on their devices. "How can IT guarantee that users are prevented from modifying their devices, or that only approved applications can be installed? Companies are taking steps to prevent users from installing random applications on desktops and laptops and they enforce this by locking down the systems, but nothing is done to prevent modifications to the BlackBerry."
The Next Best Target
Hackers, viruses, trojans, malware, and other forms of miscreant behavior are inclusive of the hazing ceremony each new popular and enterprise technology is exposed to. The collective short attention span of hackers drives them to seek out better and more malicious ways to wreak havoc. A practice, some say, that puts the BlackBerry squarely in harms' way.
"As mobile devices increase in functionality, criminals can tap this functionality for increased monetary gain, through stealing authentication and transaction information in the "mobile wallet," or by sending high cost SMS messages from the infected phone," says Kian Saneii, general manager for Websense Wireless, "Compromised mobile devices present a significant potential for corporate espionage, by stealing passwords and emails or turning the phone itself into a digital recorder, without the user's knowledge. Indeed, today's mobile devices are more vulnerable than ever and are quickly becoming as vulnerable as the PC. It is absolutely essential for carriers and enterprises to protect against this evolving threat using wireless-specific Web security measures."
Totzke emphasizes that since the BlackBerry is an increasingly important part of the communications infrastructure of government agencies and corporate customers, the profile of the system is raised— thereby increasing the value of the information associated with the system. "It's only natural that these systems will become targets," he says. RIM believes that controlling access to wireless mobile devices is an important issue and that leaving devices with remote access to sensitive data accessible to potentially malicious users can be dangerous.
"With more than 370 mobile phone viruses identified thus far and rapidly rising, and the growing adoption and sophistication of features, 3G mobile devices like the BlackBerry and others, have become the latest attack vector for online criminals," says Saneii. While safeguards may be in place for protecting against old emailbased threats, any mobile device with a Web Browser is potentially susceptible to drive-by malware hosted on infected sites he warns. "Criminals are recognizing this, and we are seeing a growth in attackers launching cross-platform Web attacks with malware produced to specifically target mobile devices."
The BlackBerry Enterprise Solution consists of a BlackBerry device, BlackBerry Device Software, BlackBerry Desktop Software, and the BlackBerry Enterprise Server. RIM designed the BlackBerry Enterprise Solution to protect corporations from data loss or alteration in the event of malicious interception of data on the corporate network, including while a BlackBerry device user is sending and receiving messages or accessing corporate data over the wireless network; an attack intended to steal corporate data; using malicious application code (for example, a virus) and theft of the BlackBerry device.
What Does the Future Hold?
When asked about the future, Totzke says BlackBerry is watchful of where the industry is going and where its customers want to see things go. "You will see some of the ease-of-use that end-users experience become part of the administrators' world too," notes Totzke. "We want to simplify some of the basic security decisions for our administrators, so that it becomes easier for administrators to manage security for their customers. BlackBerry is all about introducing balance and flexibility into the work/ life equation. In fact, I'm responding to this interview between games at my son's hockey tournament," reveals Totzke. "By working with IT from the beginning, we have given them what they want—centralized management, built in security and an easy to use solution with amazing battery life and performance that 'just works' for their end-users. We think that is a pretty compelling value proposition." MB/TMP