Blackberry "Spy" Software Released

Noryungi writes "Maybe the French were on to something after all. It turns out that there is a software available to easily spy on Blackberries, recording voice conversations and all messages (emails or SMS text message) that transmit through the portable device. Of course, the software has to be installed by the owner of the Blackberry, but it would not be surprising to find out that someone has found a way to silently auto-install that software on RIM devices. ZDNet reports that RIM isn't concerned: 'Ian Robertson, senior manager of security and research at RIM, said users need not be particularly worried about the capability of FlexiSPY. "While it's the subject of some debate, I don't consider it a virus nor a Trojan, as it does require conscientious effort from the user to load the program," he said. Robertson said an average user that maintains good [gadget] hygiene would never see the software loaded onto their device without their knowledge.'"

France's reasons not related

[StewedSquirrel]

France has different reasons for avoiding RIM Blackberries.

Specifically, all email data transferred to/from a Blackberry goes through RIM's "blackberry.net" service, which resides in the US. Therefore, it is a virtual guarantee that all Blackberry emails transit US wires... Very specific US wires and it would be trivially easy to sniff ALL Blackberry.net traffic with a few properly placed protocol analyzers.

The fact that one can install software on a modern microprocessor based telephone-slash-computer that can *gasp* RECORD what the telephone-slash-computer happens to be doing shouldn't come as any sort of surprise to anyone at all.

In fact, this particular bit if news is a bit 'ho-hum', though I'm sure a few tech-stupid executives will gasp and throw their "Crackberry" out the window.

Perhaps this article was written by Microsoft or Apple to bolster the sales of their respective Blackberry competitors? :-)

Stew

Depends on who you consider as the user

[jackhererUK]

I imagine you can silently install this over the air from the BES server. In my current and previous job I am the only IT profesional in the company and the sole administrator of the BES server, if i could roll this out using the BES server to everyones blackberries then only i would know. I would then be able to listen to all of the senior management's mobile phone calls. Ahh the power of being the BOFH

a rose by any other name

[conspirator57]

This is a tool because it advertises its functionality... How many game/"productivity"/other third party software packages for the BB have extra program content along these lines? It only costs $100 (http://na.blackberry.com/eng/developers/downloads /api.jsp) to get a program signed by RIM for distribution... And if you provide some bit of useful functionality, pretty soon your SW gets distributed by the cellular providers...

oh, and in answer to the question below about pushing the content from a BES, yes this can be done, but it has to be developed for. You'd have to ask the application provider in question whether their app supports this.

Re:Another tool in the corporate toobox

[Trigun]

Face it, even if it can't be used in court, it is still a great resource. Being able to physically locate a device, record all the conversations, etc. Plus, you could probably argue that the voice conversation is data, the phone was provided as a business resource, etc. You might get a 'fruit from the poison tree' argument, but even still, a lot of these things wouldn't play out in court.

"Bob, we know that you've been leaking secrets to the competitors. You're fired. And if you go quietly, we won't pursue criminal charges."
"Hmmm, I see. I'll clean out my desk."

Re:They dismiss the risk -- I wouldn't

[Red Flayer]

No.

As you point out, anything that runs software carries with it a risk of infection.

Regardless of RiM's security record and staff, there IS risk.

Furthermore, maybe you're a bit out of touch with people in a typical workplace. A Blackberry is not a computer to most people, it's an upgraded cell phone. Even people used to taking precautions when using their PC don't always use the same common sense when using their "cell phone", regardless of what it's capable of, and what it's capable of being infected by.

I am not claiming to know better than the security staff at RiM. What I am claiming to know is that no device that is capable of downloading software is risk-free, and that the below-average user is of concern, particularly to those charged with maintaining security in a corporate setting.

As for your ad hominem, it's not about karma. It's about a statement made by a spokesperson (which is the first tip-off that you need to look a little deeper) that didn't jibe with me. As you've pointed out, there are precautions that can be taken -- but as I've pointed out, they are not always taken.

Maybe I'm wrong, but it seems to me that the point you're trying to make is, "Don't worry about it -- they have very good people taking care of that" along with "Don't worry about it, Blackberrys should be locked down". As to the first, that's ridiculous -- security should be a concern for everyone, from decision-makers at the executive level down to the lowliest user, regardless of how good the scurity staff are at a vendor company. As to the second, you should never forget that a significant segment of users will not take the simplest security precautions if it inconveniences them in any way (including taking the short time necessary to change a configuration).

To make a long post short, are you just trolling, or do you have points to make that really do contradict what I'm saying, or just more ad hominems and red herrings? I'd be glad to be proven wrong, since then we could all rest assured knowing that Blackberrys are inherently secure with a zero risk of compromise.

One other note:

which is the reason they are the only type allowed by some government agencies

This has little to do with the security of Blackberrys as used by the general public. Note that those government agencies also have more staff devoted to security, policies more conducive to security, and employees more receptive to always acting in accordance with those policies.