Blackberry "Spy" Software Released

Posted by Zonk on Fri Jul 06, 2007 09:42 AM
from the pack-a-toothbrush dept.
Noryungi writes "Maybe the French were on to something after all. It turns out that there is software available to easily spy on Blackberries, recording voice conversations and all messages (emails or SMS text message) that transmit through the portable device. Of course, the software has to be installed by the owner of the Blackberry, but it would not be surprising to find out that someone has found a way to silently auto-install that software on RIM devices. ZDNet reports that RIM isn't concerned: 'Ian Robertson, senior manager of security and research at RIM, said users need not be particularly worried about the capability of FlexiSPY. "While it's the subject of some debate, I don't consider it a virus nor a Trojan, as it does require conscientious effort from the user to load the program," he said. Robertson said an average user that maintains good [gadget] hygiene would never see the software loaded onto their device without their knowledge.'"

Related Stories

[+] Technology: France Bans BlackBerries In Govt. On Fears of Spying 268 comments
DesertBlade writes "French government officials are no longer allowed to use BlackBerries for official correspondence. The reason? Fear that the US government will snoop out French national secrets via RIM's network. From the article: '"The risks of interception are real. It is economic war," daily Le Monde quoted Alain Juillet, in charge of economic intelligence for the government, as saying. With BlackBerries, there is "a problem with the protection of information," he said. Juillet's office confirmed that he spoke to Le Monde but said he would not talk to other reporters. Officials at the presidential Elysee Palace and the prime minister's office were not immediately available for comment. Le Monde said information sent from BlackBerries goes through servers in the United States and Britain, and that France fears that the U.S. National Security Agency can snoop.'"
This discussion has been archived. No new comments can be posted.
  • hm (Score:1, Funny)

    Paris Hilton: back in business.
  • "Of course, the software has to be installed by the owner of the Blackberry"

    If this is true, RIM should go into the software security business and drop this whole phone thing altogether.

    • Indeed, that's some serious delusion right there. Most people wouldn't even notice, much less ask if someone is looking at their phone. If you're paranoid, wait until they're in the can, or busy elsewhere.

      In any case, it's something RIM could fix. Rather than deny the problem.
  • This is actually good news for corporate IT Departments. Hopefully this can be pushed out via policy at the BES server.
    • Re: (Score:3, Insightful)

      In an enterprise level environment, I can see the benefit of tracking corporate email and SMS messages. However, if a corporation uses the ability to 'record a voice conversation' they could find themselves in trouble. I believe (and please correct me if I'm mistaken) the courts had determined that personal email sent via a corporate email system is legally the property of the corporation, but that telephone conversations are still protected as private.

      Or at least that's something I read somewhere once (I
      • Re: (Score:2, Interesting)

        Face it, even if it can't be used in court, it is still a great resource. Being able to physically locate a device, record all the conversations, etc. Plus, you could probably argue that the voice conversation is data, the phone was provided as a business resource, etc. You might get a 'fruit from the poison tree' argument, but even still, a lot of these things wouldn't play out in court.

        "Bob, we know that you've been leaking secrets to the competitors. You're fired. And if you go quietly, we won't pur
      • You did read this somewhere, but you probably missed the part where the courts said that there is an "expectation of privacy" in phone calls, but a company can listen in on phone calls if the employee is notified that there is no privacy.


        The courts have said that once notification is given (most companies do it during orientation, or as a disclaimer in the employee handbook they give you when you start) if it is company equipment during work hours, they can listen all they want.

        • All phone contact must be recorded? What country do you live in exactly? I think that's not really enforceable or even possible in the financial industry, except for maybe at the call-center level. My financial adviser (stocks, bonds, etc.) is available via his cell phone, and I doubt his conversations are "prescribo aliquando". My mortgage broker works in a little office of 6 people, and I've spent many hours there. They certainly don't record phone calls.
  • Null set (Score:4, Funny)

    by Anonymous Coward on Friday July 06 2007, @09:47AM (#19767375)

    >an average user that maintains good [gadget] hygiene

    SELECT id,name FROM averageusers WHERE good_gadge_hygiene=TRUE;

    0 ROW(s) returned.

  • by Pulse_Instance (698417) on Friday July 06 2007, @09:47AM (#19767379)

    Robertson said an average user that maintains good [gadget] hygiene would never see the software loaded onto their device without their knowledge.'"

    I'm sure most of you have seen your bosses leave their blackberry, Treo or whatever device they have lying around or just hand it off to the secretary who leaves it on the desk. They really should find some way to alert people if this software or software like this gets on the device as in my humble opinion this is a huge risk for the people who need to have semi-secure communication in most companies I have seen.
    • Re: (Score:3, Informative)

      In a well run operation you wouldn't be ABLE to install this software, BES has policies to prevent you from installing unapproved software available to the BES administrator.
    • Who modded this insightful? You're absolutely RIGHT! We should create a program - let's call it a scanner - that checks for this stuff. Then let's invent a program that doesn't allow outbound or inbound connections to the device without our approval. Then let's write a special tool that can remove them if they get on the device. Then let's........ Anyone, and I mean ANYONE, who thinks this isn't an issue is insane. These devices are one step away from a computer, and people seem to think they're magica
    • If this gets installed on your blackberry you'll notice your battery life go from about a day and a half, to a few hours. That and you'll see that little data arrow at the top right of your screen (bb users will know what I'm talking about) going crazy. While I agree that this software might be useful for tracking sort of "low-level" employees (delivery drivers and such that need phones, but aren't really supposed to use them for anything other than emergencies), most high-level manager types that ac
  • by Red Flayer (890720) on Friday July 06 2007, @09:49AM (#19767415) Journal

    Robertson said an average user that maintains good [gadget] hygiene would never see the software loaded onto their device without their knowledge.'"
    I think Robertson overestimates the average user. Either that, or it's not the "average user" we need to worry about -- it's the significant number of below-average users who could pose a problem. I know for certain that the marketroids with company-purchased Blackberrys at my company are the primary source of infections on our network.

    Also, I'd like to mention that in my experience, it's often those with the most crucial conversations (ownership/upper management) who hand off their Blackberry to others for maintenance, etc. A disgruntled/bribed tech could very easily install this.

    One other note -- if a user needing to take action to install malware wasn't a problem, we wouldn't see so many compromised machines.
    • A disgruntled/bribed tech could very easily install this.

      ZOMG! I've even heard of these people having access to the boss's desktop PC, even the email server! Imagine what they could do with such power!

      A competent administrator would set the security policy of the device to disallow the installation of unapproved software. Oh, but let's not let that get in the way of hysterical FUD.
      • Re: (Score:3, Insightful)

        A competent administrator

        All admins are competent? All devices are locked-down in most companies? I don't think so.

        I'm not saying that the sky is falling -- I'm saying that security on these devices IS a concern, and something we need to be aware of. I'm also saying that it's wrong for Blackberry spokespeople to downplay the risk of malware on the Blackberry, as the risk is real and important (unless of course we take steps to mitigate it, which is the whole point of not downplaying the risk -- to get p

        • I'm saying that security on these devices IS a concern

          The security of these devices is the best on the market, which is the reason they are the only type allowed by some government agencies. Research in Motion has security experts with graduate degrees on their payroll, are you claiming to know better than them?

          You are a karma whore trying to make an issue of the fact that computers designed to run software can run software.
          • Re: (Score:3, Interesting)

            No.

            As you point out, anything that runs software carries with it a risk of infection.

            Regardless of RiM's security record and staff, there IS risk.

            Furthermore, maybe you're a bit out of touch with people in a typical workplace. A Blackberry is not a computer to most people, it's an upgraded cell phone. Even people used to taking precautions when using their PC don't always use the same common sense when using their "cell phone", regardless of what it's capable of, and what it's capable of being infected
            • It's about a statement made by a spokesperson (which is the first tip-off that you need to look a little deeper)

              So, what has your expert digging found that contradicts the words of the Global Security Team Manager at RIM?

              And if you want to be an effective bullshitter, you might want to employ some consistency in your rhetoric, as you have little else. If your talking point started out as "important people might have important data compromised", you shouldn't change it to "unimportant people don't have a sec
              • So, what has your expert digging found that contradicts the words of the Global Security Team Manager at RIM?

                Nothing, you're deliberately obfuscating the point. Go back to my OP, and one of the points I made was that the "average" user isn't the concern, it's the sub-average user. The basis for my OP was that the GSTM at RiM downplayed the possible risk of malware, based upon the "average user" -- you shouldn't base your response to potential security threats on the average user. Period. Of course he's

                • If a password lock is still too complicated, I believe a simpler security device [gizmodo.com] is more appropriate for the level of competence you're supporting. (Yes, I waited all day to safely google that.)

                  BTW, while you were at work, someone might have broken into your home and installed spying software on your PC. Oh, sure, it's highly unlikely, but the risk is real and you must be warned!
      • namely using a password, not letting other people use the device and only loading software from known, trusted sources,
        You're ignoring two of my main points, which are:

        There is a significant segment of Blackberry users to which these simple steps are not going to be followed, and
        A disproportionately large part of that segment consists of those to whom secure communications are most important from a corporate POV.
      • No, the infections typically aren't from their Blackberrys. Usually idiot user + loaded email. Sometimes it's a driveby from a sketchy site.

        Using a Blackberry won't eliminate their lack of common sense, so I'm betting they could be easily tricked into installing malware on their Blackberry.
  • an average user that maintains good [gadget] hygiene


    I insist on good gadget hygiene. An unclean gadget really stinks bad! Those aren't going anywhere near my face!
  • by StewedSquirrel (574170) on Friday July 06 2007, @09:52AM (#19767443)
    France has different reasons for avoiding RIM Blackberries.

    Specifically, all email data transferred to/from a Blackberry goes through RIM's "blackberry.net" service, which resides in the US. Therefore, it is a virtual guarantee that all Blackberry emails transit US wires... Very specific US wires and it would be trivially easy to sniff ALL Blackberry.net traffic with a few properly placed protocol analyzers.

    The fact that one can install software on a modern microprocessor based telephone-slash-computer that can *gasp* RECORD what the telephone-slash-computer happens to be doing shouldn't come as any sort of surprise to anyone at all.

    In fact, this particular bit of news is a bit 'ho-hum', though I'm sure a few tech-stupid executives will gasp and throw their "Crackberry" out the window.

    Perhaps this article was written by Microsoft or Apple to bolster the sales of their respective Blackberry competitors? :-)

    Stew
    • by Tack (4642) on Friday July 06 2007, @09:58AM (#19767521) Homepage

      Specifically, all email data transferred to/from a Blackberry goes through RIM's "blackberry.net" service, which resides in the US.

      Why do people insist on perpetuating this myth? It is simply untrue.

      Very specific US wires and it would be trivially easy to sniff ALL Blackberry.net traffic with a few properly placed protocol analyzers.

      Just as trivial as it is to sniff SSL traffic over the general internet. Trivial, and worthless.

        • All messages go through a Canadian server instead of an American one. Not really an improvement.

          Are you also so sure it's not the case that when an email is sent from a BlackBerry in Europe to a BES connected in Europe it never leaves Europe?

          If a government (France, say) is terribly concerned about this, I have every confidence that RIM would make every effort to allay their doubts.

    • Speak for yourself, but all of OUR BlackBerry data goes through our BlackBerry Enterprise Server.

      What the end user does with their own personal POP or IMAP accounts through blackberry.net is their decision.
  • It's called social engineering.

    "Want stock quotes quicker try this new freeware program from JimBob's Stock Warehouse.com"

  • than just about *any* cell phone, pda or laptop? You can write a program that "spies" on someone's input into the device for just about any device.
    • Not all have open interfaces for this. iPhone is a prime example in this category. Samsung non-Windows phones closely follow.

      Some that have open interfaces do not have enough resources to record all voice traffic (though most can probably manage data sniffing as it is not a realtime task). Early windows mobile are in this category. Most of them have the APIs to sniff, but are likely not to have enough CPU to do so.
  • iNSA (Score:4, Funny)

    by Doc Ruby (173196) on Friday July 06 2007, @09:59AM (#19767527) Homepage Journal
    I love it when people release these spy tools publicly. Finally "Joe Mousepad" can catch up with the NSA, and spy on his neighbors.

    "Suspicion Breeds Confidence [imdb.com]"
  • Quick (Score:3, Funny)

    by bryan1945 (301828) on Friday July 06 2007, @10:00AM (#19767545) Journal
    Call Homeland Security! We have a Level 5 Fruit Alert!
  • by jackhererUK (992339) on Friday July 06 2007, @10:01AM (#19767555)
    I imagine you can silently install this over the air from the BES server. In my current and previous job I am the only IT professional in the company and the sole administrator of the BES server, if I could roll this out using the BES server to everyone's blackberries then only I would know. I would then be able to listen to all of the senior management's mobile phone calls. Ahh the power of being the BOFH
    • Re: (Score:1, Insightful)

      by Anonymous Coward
      So what? Most telephony admins can do this already. If you're launching it from BES, it isn't spyware, it's an "administration tool".
  • This is a tool because it advertises its functionality... How many game/"productivity"/other third party software packages for the BB have extra program content along these lines? It only costs $100 (http://na.blackberry.com/eng/developers/downloads/api.jsp) to get a program signed by RIM for distribution... And if you provide some bit of useful functionality, pretty soon your SW gets distributed by the cellular providers...

    oh, and in answer to the question below about pushing the content from a BES, ye
  • While some heavily regulated industries may like this, it seems to me that the piracy and privacy risks warrant more concern from RIM.
  • Of course, the software has to be installed by the owner of the Blackberry, but it would not be surprising to find out that someone has found a way to silently auto-install that software on RIM devices.

    huh?! "It would not be surprising"??? Actually, I think that that would be surprising.

    The fact that I can install software on my own device which allows calls to be recorded should not really come as a surprise. But if someone else could install said software without my knowledge or touching my device ...
  • It is worth pointing out that the program itself doesn't claim to record phonecalls, but rather to use the phone as a 'bug'. It does this by silently answering a telephone call from a defined number. ...from the FAQ...(http://www.flexispy.com/faq.htm) "What is remote monitoring? Remote Listening is for FlexiSPY PRO only. You set a special spy call number in FlexiSPY. When a call comes into FlexiSPY from this number, the microphone will secretly switch on and you will be able to hear whatever the phone hears
    • by rickthewizkid (536429) on Friday July 06 2007, @11:20AM (#19768889)
      Well, most people I know keep their blackberry in the holster when they are not talking on them... and if someone holsters it on their right side, it's probably rotated forward so the top of the device faces forward. This means that the microphone is pointed toward the person's ass.

      Are you sure you *really* want to hear what that microphone picks up? Especially *after* lunch?

      -Rick
  • "While it's the subject of some debate, I don't consider it a virus nor a Trojan, as it does require conscientious effort from the user to load the program," he said. Robertson said an average user that maintains good [gadget] hygiene would never see the software loaded onto their device without their knowledge.'"

    Let's first of all realize that Blackberries and their like are usually used by manager types (or people who want to appear as if they were). Now, if you have ever worked in support, you'll quickly
    • Other people have pointed this out but maybe you just went ahead and posted before bothering to read the replies. There are policies that can be put in place through the BES server that prevent third party software from being installed. Most of the comments to this article have been pure FUD from people who have obviously never used a BES server or been responsible for Blackberries in any sort of enterprise environment.

      In other words, it doesn't matter how big of a tool the manager type is. I'm completel

      • All true and fine, but you apparently never worked for a boss of the "I pay for this junk and I get to have all rights" kind. Believe me, they do exist, and they are your worst security nightmare.
        • I've been working in IT for over a decade and recently spent the last seven years as a consultant. As a consultant I ran into every personality in every position possible. When you run into the kind of boss who wants access to everything you just need to CYA. Give them enough rope to hang themselves with and make sure that you've got the safety net in place. In the meantime, start looking for another job. Life is too short to work for worthless bosses.
          • As a consultant, you may have that luxury. As the young, aspiring tech that I was, I didn't. I didn't have a name, I didn't have a CV to lean back against. Today, I'd certainly tell him that I'm gonna take the rest of my vacation for the 2 weeks warning and good riddance. Not everyone is in that fortunate situation.

            So what those bosses end up with are people straight out of college without a hint of RL experience who can't simply tell them to stuff it. A deadly combo, as you'll hopefully agree.

            And those peo
            • I actually went to work for one of my clients full time and it is starting to seem like it was a bad decision. I just didn't want to spend my life constantly staying on the cutting edge and as a consultant, at least at the firm that I was at, I had to do that. So I took an easy job that wasn't too taxing on my skills so that I can focus on other areas of my life.

              But back on topic, I completely agree with you that bad bosses can definitely severely hamper a career. I have a bad boss right now, and he is a

  • Robertson said an average user that maintains good [gadget] hygiene would never see the software loaded onto their device without their knowledge.'"

    This is speculation. I don't care how good you *think* you are about protecting something. There is no way you can say it will "Never" be compromised. Same goes for Blackberries and any other *thing* of any sort. This statement is nothing more than *spin* or damage control.
  • I wonder why so many people bash on RIM for this like "oh noes, security through obscurity" or "oh noes, the average user is stupid!!!!!111one"

    This is actually a good thing, the user can install this program if he wants (and he has the rights to do so), there is no need to block a program to be installed. Or do we all want Microsoft's/RIM's approval for any program that we want to install? No, I do whatever the heck I want on my machine. Maybe Linus Torvalds should also approve all software you run on your
  • the software has to be installed by the owner of the Blackberry, but it would not be surprising to find out that someone has found a way to silently auto-install that software on RIM devices
    I would be very surprised, unlike the submitter. You cannot silently auto-install ANY software on a RIM device. And further, any such installed software MUST get permission from the user before it uses network resources.
  • "Robertson said an average user that maintains good [gadget] hygiene would never see the software loaded onto their device without their knowledge.'"

    That's why spyware is no longer a problem on the Windows platform. Should work well with Blackberries too..

    I used to work at a company that managed their own BB server, we had the ability to push software to clients without them needing to approve.. I wonder if this will be used by companies to help track usage by their employees...

    (wonder meaning yes of course