Blackberry "Spy" Software Released

Noryungi writes "Maybe the French were on to something after all. It turns out that there is a software available to easily spy on Blackberries, recording voice conversations and all messages (emails or SMS text message) that transmit through the portable device. Of course, the software has to be installed by the owner of the Blackberry, but it would not be surprising to find out that someone has found a way to silently auto-install that software on RIM devices. ZDNet reports that RIM isn't concerned: 'Ian Robertson, senior manager of security and research at RIM, said users need not be particularly worried about the capability of FlexiSPY. "While it's the subject of some debate, I don't consider it a virus nor a Trojan, as it does require conscientious effort from the user to load the program," he said. Robertson said an average user that maintains good [gadget] hygiene would never see the software loaded onto their device without their knowledge.'"

hm

[nawcom]

Paris Hilton: back in business.

Since when can software only be installed by owner

[alcmaeon]

"Of course, the software has to be installed by the owner of the Blackberry"

If this is true, RIM should go into the software security business and drop this whole phone thing altogether.

Re:

[earnest murderer]

Indeed that some serious delusion right there. Most people wouldn't even notice, much less ask if someone is looking at their phone. If you're paranoid, wait until they're in the can, or busy elsewhere.

In any case, it's something RIM could fix. Rather than deny the problem.

Re:Since when can software only be installed by ow

[memojuez]

Most software and patches can be installed silently and remotely to a BlackBerry Device either from the corporate BlackBerry Enterprise Server (BES) or from the Cell Carrier. The Daylight Savings Time (DST) patch was installed by our BES Administrator to all BlackBerry users and Nextel installed a new GPS product onto all BlackBerrys using them as a carrier.

The only action on my part was to turn the BlackBerry on.

Re:

[memojuez]

ON the former, I had to actually look in Options | Applications to verify that I indeed received the patch. On the Latter, I doubled checked and you are correct that it is a new Icon that invokes the BB Browser.

Another tool in the corporate toobox

[Trigun]

This is actually good news for corporate IT Departments. Hopefully this can be pushed out via policy at the BES server.

Re:

[Itninja]

In an enterprise level environment, I can see the benefit of tracking corporate email and SMS messages. However, if a corporation uses the ability to 'record a voice conversation' they could find themselves in trouble. I believe (and please correct me if I'm mistaken) the courts had determined that personal email sent via a corporate email system is legally the property of the corporation, but that telephone conversations are still protected as private.

Or at least that's something I read somewhere once (I

Re:

[Trigun]

Face it, even if it can't be used in court, it is still a great resource. Being able to physically locate a device, record all the conversations, etc. Plus, you could probably argue that the voice conversation is data, the phone was provided as a business resource, etc. You might get a 'fruit from the poison tree' argument, but even still, a lot of these things wouldn't play out in court.

"Bob, we know that you've been leaking secrets to the competitors. You're fired. And if you go quietly, we won't pur

Re:

[bluekanoodle]

You did read this somewhere, but you probably missed the part where the courts said that there is an "expectation of privacy" in phone calls, but a company can listen in on phone calls if the employee is notified that there is no privacy.

The courts have said that once notification is is given (most companies do it during orientation, or as a disclaimer in he employee handbook they give you when you start) if it is company equipment during work hours, they can listen all they want.

Re:

[davester666]

The courts have said that once notification is is given (most companies do it during orientation, or as a disclaimer in he employee handbook they give you when you start) if it is company equipment during work hours, they can listen all they want.

This might be true for the employee of the company. But in a number of states, it's illegal to record a phone conversation unless all parties know it's being recorded. And then you get into 'off-hours' calls, does the employer still have the right to listen to

Re:

[JPriest]

Valid point, many states don't allow recording calls under single party consent. (ie, guy on other side on phone call may or may not be an employee).

Re:

[Itninja]

All phone contact must be recorded? What country do you live in exactly? I think that's not really enforceable or even possible in the financial industry, except for maybe at the call-center level. My financial adviser (stocks, bonds, etc.) is available via his cell phone, and I doubt his conversations are "prescribo aliquando". My mortgage broker works in a little office of 6 people, and I've spent many hours there. They certainly don't record phone calls.

Null set

[Anonymous Coward]

>an average user that maintains good [gadget] hygiene

SELECT id,name FROM averageusers WHERE good_gadge_hygiene=TRUE;

0 ROW(s) returned.

The part should make everyone very concerned

[Pulse_Instance]

Robertson said an average user that maintains good [gadget] hygiene would never see the software loaded onto their device without their knowledge.'"

I'm sure most of you have seen your bosses leave their blackberry, Treo or whatever device they have lying around or just hand it off to the secretary who leaves it on the desk. They really should find some way to alert people if this software or software like this gets on the device as in my humble opinion this is a huge risk for the people who need to have semi-secure communication in most companies I have seen.

Re:

[afidel]

In a well run operation you wouldn't be ABLE to install this software, BES has policies to prevent you from installing unapproved software available to the BES administrator.

Re:

[Puls4r]

Who modded this insiteful? You're absolutely RIGHT! We should create a program - let's call it a scanner - that checks for this stuff. Then let's invent a program that doesn't allow outbound or inbound connections to the device without our approval. Then let's write a special tool that can remove them if they get on the device. Then lets........ Anyone, and I mean ANYONE, who thinks this isn't an issue is insane. These devices are one step away from a computer, and people seem to think they're magica

Re:

[blhack]

If this gets installed on your blackberry you'll notice your battery life go from about a day and a half, to a few hours. That and you'll see that little data arrow at the top right of your screen (bb users will know what i'm talking about) going crazy. While I agree that this software would might be useful for tracking sortof "low-level" employees (delivery drivers and such that need phones, but aren't really supposed to use them for anything other than emergencies), most high-level manager types that ac

Re:

[gujo-odori]

The waffle-factor of his statement is astonishing. Not only does an average user not practice good device hygiene any more than they follow good email security practices, but he further qualifies it with "...would never see the software loaded..."

I'm sure they wouldn't. That doesn't mean it's not there, just means they'd never see it. This is an average user we're talking about.

They dismiss the risk -- I wouldn't

[Red Flayer]

Robertson said an average user that maintains good [gadget] hygiene would never see the software loaded onto their device without their knowledge.'"

I think Robertson overestimates the average user. Either that, or it's not the "average user" we need to worry about -- it's the singnificant number of below-average users who could pose a problem. I know for certain that the marketroids with company-purchased Blackberrys at my company are the primary source of infections on our network.

Also, I'd like to mention that in my experience, it's often those with the most crucial conversations (ownership/upper management) are the ones who hand off their Blackberry to others for maintenance, etc. A disgruntled/bribed tech could very easily install this.

One other note -- if a user needing to take action to install malware wasn't a problem, we wouldn't see so many compromised machines.

Re:

[Anonymous Coward]

The article isn't about generic malware but rather about a very specific program which doesn't match the description of a virus (doesn't self propegate) or a trojan (Flexispy makes no secret that this is monitoring software), so this isn't a matter of tricksing a user into loading the software. As it stands, the program is simply a Potentially Unwanted Program. At the end of the day, if a user (and/or their IT dept) takes the basic steps to secure their device, namely using a password, not letting other pe

Re:

[Red Flayer]

namely using a password, not letting other people use the device and only loading software from known, trusted sources,

You're ignoring two of my main points, which are:

There is a significant segment of Blackberry users to which these simple steps are not going to be followed, and
A disproportionately large part of that segment consists of those to whom secure communications are most important from a corporate POV.

Re:

[darthflo]

You're ignoring one RIM's most important selling points: BES policies.

Because of that significant segment of users who wouldn't follow these steps, software installs will be prohibited and the use of passwords enforced by the IT department.
So until somebody manages to bypass those security features, I wouldn't consider trojans & co. a serious threat.

Re:

[Red Flayer]

No, the infections typically aren't from their Blackberrys. Usually idiot user + loaded email. Sometimes it's a driveby from a sketchy site.

Using a Blackberry won't eliminate their lack of common sense, so I'm betting they could be easily tricked into installing malware on their Blackberry.

Re:

[0xdeadbeef]

A disgruntled/bribed tech could very easily install this.

ZOMG! I've even heard of these people having access to the boss's desktop PC, even the email server! Imagine what they could do with such power!

A competent administrator would set the security policy of the device to disallow the installation of unapproved software. Oh, but let's not let that get in the way of hysterical FUD.

Re:

[Red Flayer]

A competent administrator

All admins are competent? All devices are locked-down in most companies? I don't think so.

I'm not saying that the sky is falling -- I'm saying that security on these devices IS a concern, and something we need to be aware of. I'm also saying that it's wrong for Blackberry spokespeople to downplay the risk of malware on the Blackberry, as the risk is real and important (unless of course we take steps to mitigate it, which is the whole point of not downplaying the risk -- to get p

Re:

[0xdeadbeef]

I'm saying that security on these devices IS a concern

The security of these devices is the best on the market, which is the reason they are the only type allowed by some government agencies. Research in Motion has security experts with graduate degrees on their payroll, are you claiming to know better than them?

You are a karma whore trying to make an issue of the fact that computers designed to run software can run software.

Re:

[Red Flayer]

No.

As you point out, anything that runs software carries with it a risk of infection.

Regardless of RiM's security record and staff, there IS risk.

Furthermore, maybe you're a bit out of touch with people in a typical workplace. A Blackberry is not a computer to most people, it's an upgraded cell phone. Even people used to taking precautions when using their PC don't always use the same common sense when using their "cell phone", regardless of what it's capable of, and what it's capable of being infected

Re:

[0xdeadbeef]

It's about a statement made by a spokesperson (which is the first tip-off that you need to look a little deeper)

So, what has your expert digging found that contradicts the words of the Global Security Team Manager at RIM?

And if you want to be an effective bullshitter, you might want to employ some consistency in your rhetoric, as you have little else. If your talking point started out as "important people might have important data compromised", you shouldn't change it to "unimportant people don't have a sec

Re:

[Red Flayer]

So, what has your expert digging found that contradicts the words of the Global Security Team Manager at RIM?

Nothing, you're deliberately obfuscating the point. Go back to my OP, and one of the points I made was that the "average" user isn't the concern, it's the sub-average user. The basis for my OP was that the GSTM at RiM downplayed the possible risk of malware, based upon the "average user" -- you shouldn't base your response to potential security threats on the average user. Period. Of course he's

Re:

[0xdeadbeef]

If a password lock is still too complicated, I believe a simpler security device [gizmodo.com] is more appropriate for the level of competence you're supporting. (Yes, I waited all day to safely google that.)

BTW, while you were at work, someone might have broken into your home and installed spying software on your PC. Oh, sure, it's highly unlikely, but the risk is real and you must be warned!

good gadget hygiene.

[morgan_greywolf]

an average user that maintains good [gadget] hygiene

I insist on good gadget hygiene. An unclean gadget really stinks bad! Those aren't going anywhere near my face!

France's reasons not related

[StewedSquirrel]

France has different reasons for avoiding RIM Blackberries.

Specifically, all email data transferred to/from a Blackberry goes through RIM's "blackberry.net" service, which resides in the US. Therefore, it is a virtual guarantee that all Blackberry emails transit US wires... Very specific US wires and it would be trivially easy to sniff ALL Blackberry.net traffic with a few properly placed protocol analyzers.

The fact that one can install software on a modern microprocessor based telephone-slash-computer that can *gasp* RECORD what the telephone-slash-computer happens to be doing shouldn't come as any sort of surprise to anyone at all.

In fact, this particular bit if news is a bit 'ho-hum', though I'm sure a few tech-stupid executives will gasp and throw their "Crackberry" out the window.

Perhaps this article was written by Microsoft or Apple to bolster the sales of their respective Blackberry competitors? :-)

Stew

Re:France's reasons not related

[Tack]

Specifically, all email data transferred to/from a Blackberry goes through RIM's "blackberry.net" service, which resides in the US.

Why do people insist on perpetuating this myth? It is simply untrue.

Very specific US wires and it would be trivially easy to sniff ALL Blackberry.net traffic with a few properly placed protocol analyzers.

Just as trivial as it is to sniff SSL traffic over the general internet. Trivial, and worthless.

Re:

[Tack]

All messages go through a Canadian server instead of an American one. Not really an improvement.

Are you also so sure it's not the case that when an email is sent from a BlackBerry in Europe to a BES connected in Europe it never leaves Europe?

If a government (France, say) is terribly concerned about this, I have every confidence that RIM would make every effort to allay their doubts.

Re:

[Anonymous Coward]

Actually, neither of you are right, for a number of reasons:

• A government would certainly not be using the free blackberry.net service, but a proper BlackBerry Enterprise Server.
• All of the data is encrypted. Sniff it all you want... but then what?
• European traffic never gets routed to North America, unless it's to contact someone in that region. There is a European data centre as well.

Re:

[RasputinAXP]

Speak for yourself, but all of OUR BlackBerry data goes through our BlackBerry Enterprise Server.

What the end user does with their own personal POP or IMAP accounts through blackberry.net is their decision.

Still a threat

[jshriverWVU]

It's called social engineering.

"Want stock quotes quicker try this new freeware program from JimBob's Stock Warehouse.com"

how is this any different

[SolusSD]

than just about *any* cell phone, pda or laptop? You can write a program that "spies" on someones input into the device for just about any device.

Re:

[arivanov]

Not all have open interfaces for this. iPhone is a prime example in this category. Samsung non-Windows phones closely follow.

Some that have open interfaces do not have enough resources to record all voice traffic (though most can probably manage data sniffing as it is not a realtime task). Early windows mobile are in this category. Most of them have the APIs to sniff, but are likely not to have enough CPU to do so.

iNSA

[Doc Ruby]

I love it when people release these spy tools publicly. Finally "Joe Mousepad" can catch up with the NSA, and spy on his neighbors.

"Suspicion Breeds Confidence [imdb.com]"

Quick

[bryan1945]

Call Homeland Security! We have a Level 5 Fruit Alert!

Depends on who you consider as the user

[jackhererUK]

I imagine you can silently install this over the air from the BES server. In my current and previous job I am the only IT profesional in the company and the sole administrator of the BES server, if i could roll this out using the BES server to everyones blackberries then only i would know. I would then be able to listen to all of the senior management's mobile phone calls. Ahh the power of being the BOFH

Re:

[Anonymous Coward]

So what? Most telephony admins can do this already. If you're launching it from BES, it isn't spyware, it an "administration tool".

a rose by any other name

[conspirator57]

This is a tool because it advertises its functionality... How many game/"productivity"/other third party software packages for the BB have extra program content along these lines? It only costs $100 (http://na.blackberry.com/eng/developers/download s /api.jsp) to get a program signed by RIM for distribution... And if you provide some bit of useful functionality, pretty soon your SW gets distributed by the cellular providers...

oh, and in answer to the question below about pushing the content from a BES, ye

Not a good thing

[thomsmith123]

While some heavily regulated industries may like this, it seems to me that the piracy and privacy risks warrant more concern from RIM.

fud ...

[vorwerk]

Of course, the software has to be installed by the owner of the Blackberry, but it would not be surprising to find out that someone has found a way to silently auto-install that software on RIM devices.

huh?! "It would not be surprising"??? Actually, I think that that would be surprising.

The fact that I can install software on my own device which allows calls to be recorded should not really come as a surprise. But if someone else could install said software without my knowledge or touching my device ...

Re:fud ...?? that is the question.

[Cragen]

Is there a way for this software to be installed on BB's that are give to the user by their employer, say, w/o the user being aware the software is there? (I am not a network or hardware type so I don't know.) The more likely scenario, where the user works for a large business or an military organization is that software is being installed willy-nilly whether the user cares or not prior to being issued to the user. I can definitely envision that happening with my boss, the US Army.

Not a problem for properly adminstered devices

[Anonymous Coward]

Which are connected to a BES.

If an administrator does not wish want people installing software on their phones, there is an option in the security profiles to disable this ability.
If an administrator does not want people to run already installed applications on their phones, there are options to disable it.

Re:

[account_deleted]

Comment removed based on user account deletion

What a shocker! :)

[HycoWhit]

So the CEO of RIM says there is nothing to worry about! Anyone surprised? "There is nothing to see here, move along. Oh and buy more Blackberries!!"

Don't ever think any messages you send on Blackberries are secure. Have a friend that wasn't a very good husband. All the messages from his Blackberry, which he thought were private, wound up in court and cost him an additional $2.5million in divorce settlements.

Re:

[SteveWoz]

sounds like openness helped get justice done

Check your sources - it can't record calls!

[rand0md00d]

It is worth pointing out that the program itself doesn't claim to record phonecalls, but rather to use the phone as a 'bug'. It does this by silently answering a telephone call from a defined number. ...from the FAQ...(http://www.flexispy.com/faq.htm) "What is remote monitoring? Remote Listening is for FlexiSPY PRO only. You set a special spy call number in FlexiSPY. When a call comes into FlexiSPY from this number, the microphone will secretly switch on and you will be able to hear whatever the phone hears

Listening through the microphone

[rickthewizkid]

Well, most people I know keep their blackberry in the holster when they are not talking on them... and if someone holsters it on their right side, its probably rotated forward so the top of the device faces forward. This means that the microphone is pointed toward the person's ass.

Are you sure you *really* want to hear what that microphone picks up? Especially *after* lunch?

-Rick

It's not a bug...

[techpawn]

It's a feature.
9 times out of 10 I can't think of a reason to want to hear ANYTHING my users say let alone why anyone else would.

Actually, that info IS alerting!

[Opportunist]

"While it's the subject of some debate, I don't consider it a virus nor a Trojan, as it does require conscientious effort from the user to load the program," he said. Robertson said an average user that maintains good [gadget] hygiene would never see the software loaded onto their device without their knowledge.'"

Let's first of all realize that Blackberries and their like are usually used by manager types (or people who want to appear as if they were). Now, if you have ever worked in support, you'll quickly

Re:

[dave562]

Other people have pointed this out but maybe you just went ahead and posted before bothering to read the replies. There are policies that can be put in place through the BES server that prevent third party software from being installed. Most of the comments to this article have been pure FUD from people who have obviously never used a BES server or been responsible for Blackberry's in any sort of enterprise environment.

In other words, it doesn't matter how big of a tool the manager type is. I'm completel

Re:

[Opportunist]

All true and fine, but you appearantly never worked for a boss of the "I pay for this junk and I get to have all rights" kind. Believe me, they do exist, and they are your worst security nightmare.

Re:

[dave562]

I've been working in IT for over a decade and recently spent the last seven years as a consultant. As a consultant I ran into every personality in every position possible. When you run into the kind of boss who wants access to everything you just need to CYA. Give them enough rope to hang themselves with and make sure that you've got the safety net in place. In the mean time, start looking for another job. Life is too short to work for worthless bosses.

Re:

[Opportunist]

As a consultant, you may have that luxury. As the young, aspiring tech that I was, I didn't. I didn't have a name, I didn't have a CV to lean back against. Today, I'd certainly tell him that I'm gonna take the rest of my vacation for the 2 weeks warning and good riddance. Not everyone is in that fortunate situation.

So what those bosses end up with are people straight out of college without a hint of RL experience who can't simply tell them to stuff it. A deadly combo, as you'll hopefully agree.

And those peo

Re:

[dave562]

I actually went to work for one of my clients full time and it is starting to seem like it was a bad decision. I just didn't want to spend my life constantly staying on the cutting edge and as a consultant, at least at the firm that I was at, I had to do that. So I took an easy job that wasn't too taxing on my skills so that I can focus on other areas of my life.

But back on topic, I completely agree with you that bad bosses can definitely severely hamper a career. I have a bad boss right now, and he is a

Objection

[C_Kode]

Robertson said an average user that maintains good [gadget] hygiene would never see the software loaded onto their device without their knowledge.'"

This is speculation. I don't care how good you *think* you are about protecting something. There is no way you can say it will "Never" be compromised. Same goes for Blackberries and any other *thing* of any sort. This statement is nothing more than *spin* or damage control.

Re:

[account_deleted]

Comment removed based on user account deletion

This isn't the security vulnerability..

[SMS_Design]

..It's the payload. All you need now is a good Bluetooth stack vulnerability that will allow you to associate, push code, and install it. THEN you have a security vulnerability.

To find out if it is on your Blackberry...

[majorxp]

According to Symantec, the program arrives as the following Java application:
net_rim_app_console_pro.cod

Silently install?

[thePowerOfGrayskull]

the software has to be installed by the owner of the Blackberry, but it would not be surprising to find out that someone has found a way to silently auto-install that software on RIM devices

I would be very surprised, unlike the submitter. You cannot silently auto-install ANY software on a RIM device. And further, any such installed software MUST get permission from the user before it uses network resources.

makes perfect sense

[Some_Llama]

"Robertson said an average user that maintains good [gadget] hygiene would never see the software loaded onto their device without their knowledge.'"

That's why spyware is no longer a problem on the Windows platform. Should work well with Blackberries too..

I used to work at a company that managed their own BB server, we had the ability to push software to clients without them needing to approve.. i wonder if this will be used by companies to help track usage by their employees...

(wonder meaning yes of course

FBI taps cell phone mic as eavesdropping tool

[JoshRoss]

Once again, I would like to point to McNealy's Law, which states that you have zero privacy and to get over it. The FBI has done this [zdnet.com] in the past and will likely continue this type of activity.