Blackberry "Spy" Software Released

Noryungi writes "Maybe the French were on to something after all. It turns out that there is a software available to easily spy on Blackberries, recording voice conversations and all messages (emails or SMS text message) that transmit through the portable device. Of course, the software has to be installed by the owner of the Blackberry, but it would not be surprising to find out that someone has found a way to silently auto-install that software on RIM devices. ZDNet reports that RIM isn't concerned: 'Ian Robertson, senior manager of security and research at RIM, said users need not be particularly worried about the capability of FlexiSPY. "While it's the subject of some debate, I don't consider it a virus nor a Trojan, as it does require conscientious effort from the user to load the program," he said. Robertson said an average user that maintains good [gadget] hygiene would never see the software loaded onto their device without their knowledge.'"

Another tool in the corporate toobox

[Trigun]

This is actually good news for corporate IT Departments. Hopefully this can be pushed out via policy at the BES server.

The part should make everyone very concerned

[Pulse_Instance]

Robertson said an average user that maintains good [gadget] hygiene would never see the software loaded onto their device without their knowledge.'"

I'm sure most of you have seen your bosses leave their blackberry, Treo or whatever device they have lying around or just hand it off to the secretary who leaves it on the desk. They really should find some way to alert people if this software or software like this gets on the device as in my humble opinion this is a huge risk for the people who need to have semi-secure communication in most companies I have seen.

They dismiss the risk -- I wouldn't

[Red Flayer]

Robertson said an average user that maintains good [gadget] hygiene would never see the software loaded onto their device without their knowledge.'"

I think Robertson overestimates the average user. Either that, or it's not the "average user" we need to worry about -- it's the singnificant number of below-average users who could pose a problem. I know for certain that the marketroids with company-purchased Blackberrys at my company are the primary source of infections on our network.

Also, I'd like to mention that in my experience, it's often those with the most crucial conversations (ownership/upper management) are the ones who hand off their Blackberry to others for maintenance, etc. A disgruntled/bribed tech could very easily install this.

One other note -- if a user needing to take action to install malware wasn't a problem, we wouldn't see so many compromised machines.

Re:France's reasons not related

[Tack]

Specifically, all email data transferred to/from a Blackberry goes through RIM's "blackberry.net" service, which resides in the US.

Why do people insist on perpetuating this myth? It is simply untrue.

Very specific US wires and it would be trivially easy to sniff ALL Blackberry.net traffic with a few properly placed protocol analyzers.

Just as trivial as it is to sniff SSL traffic over the general internet. Trivial, and worthless.

Re:Another tool in the corporate toobox

[Itninja]

In an enterprise level environment, I can see the benefit of tracking corporate email and SMS messages. However, if a corporation uses the ability to 'record a voice conversation' they could find themselves in trouble. I believe (and please correct me if I'm mistaken) the courts had determined that personal email sent via a corporate email system is legally the property of the corporation, but that telephone conversations are still protected as private.

Or at least that's something I read somewhere once (I might have been dreaming).

Re:Depends on who you consider as the user

[Anonymous Coward]

So what? Most telephony admins can do this already. If you're launching it from BES, it isn't spyware, it an "administration tool".

Re:They dismiss the risk -- I wouldn't

[Anonymous Coward]

The article isn't about generic malware but rather about a very specific program which doesn't match the description of a virus (doesn't self propegate) or a trojan (Flexispy makes no secret that this is monitoring software), so this isn't a matter of tricksing a user into loading the software. As it stands, the program is simply a Potentially Unwanted Program. At the end of the day, if a user (and/or their IT dept) takes the basic steps to secure their device, namely using a password, not letting other people use the device and only loading software from known, trusted sources, how is Flexispy going to get loaded?

Re:They dismiss the risk -- I wouldn't

[Red Flayer]

A competent administrator

All admins are competent? All devices are locked-down in most companies? I don't think so.

I'm not saying that the sky is falling -- I'm saying that security on these devices IS a concern, and something we need to be aware of. I'm also saying that it's wrong for Blackberry spokespeople to downplay the risk of malware on the Blackberry, as the risk is real and important (unless of course we take steps to mitigate it, which is the whole point of not downplaying the risk -- to get people to take the necessary precautions).