Security Basics mailing list archives

Re: how do you secure a blackberry


From: Aarón Mizrachi <unmanarc () gmail com>
Date: Wed, 22 Jul 2009 13:25:32 -0430

On Tuesday, 21 July 2009 18:26:49, Enquiries @ Globalart 4u wrote:
How do you secure a BlackBerry if your provider decides to send an update
with spyware on it, as is the case in the UAE
(http://news.bbc.co.uk/1/hi/technology/8161190.stm)? How do you secure your
data?

The answer:
decide not to install the update.

---------

But let's look inside BlackBerry security:

----

At the communication level, BlackBerry has some improvements in security. But we
need to differentiate the networks: the telephony network, the RIM data
network, the WiFi network, and others...

1. In the first one, the telephony network, SMS and voice data are usually sent
without crypto, or with crypto defined by the operator network (your telephony provider).
What does it mean? The telephony provider could do whatever he wants with voice and
SMS data. BlackBerry does not provide you end-to-end cryptography on voice or
SMS.

2. On the RIM network (web browsing, PIN-related messaging), an SSL connection with some
"other" cryptography is driven to the RIM communication center;
then, connections like internet browsing escape to the internet from RIM. PIN
messaging is also encrypted this way.

3. The third possibility is when you have an APN-TCP and/or BES defined. In
such a case, the telephony service provider could look inside your TCP
connections, and more. But usually, APNs are defined only by rare applications
which need TCP directly and cannot handle their connections through the HTTP
system.

4. WiFi network: this depends on your WiFi network and the ISP ruling the WiFi
network.

Communication conclusion: this is never an end-to-end encrypted device. PIN-based
BlackBerry Messenger is encrypted from your handheld to RIM and from
RIM to other handhelds.... You have to put your trust directly in RIM.

Another conclusion is... some people do not have the capacity to distinguish
the security of the several communication ways offered by the device, and
since not all communication ways used on the handheld are secure... the phrase
"BlackBerry is a secure/uncrackable/anti-spy device" could dangerously
generalize it over all the ways. Therefore, you will have people sharing trade
secrets over common SMS thinking that "BlackBerrys are secure".

----

At the storage level... BlackBerry offers a good security mechanism: you have to
set a key on your phone and there is no known way to crack it; moreover, if
you try more than 10 passwords, you will automatically erase the
BlackBerry memory (contacts, messages, etc.). BUT... not the SD card. There is
also some cipher protection for your SD card (personally, I didn't test it...).

When you don't encrypt your SD card, the problem is a bit dangerous... your
pictures/voicenotes/whatever-saved-on-SD and your deleted
pictures/voicenotes/whatever-saved-on-SD can be recovered from the SD. Therefore,
a stolen device could be a serious compromise of your personal security.

My recommendation: don't save anything really important (like a picture of
your credit card) on your SD cards...

------------

Application level.... BlackBerry offers an interesting level of security. RIM
applications are signed, and applications installed on your handheld device
will have a set of restrictions. You have to allow some of these restrictions
by hand...

And something more... BlackBerry also requests your BlackBerry password if
you want to install something from your computer to your BlackBerry.

-----------

In conclusion, the BlackBerry has a lot of security mechanisms; most of the
attacks come via phishing and some imprudent behavior.

My recommendations:

- Set a password.
- Encrypt the SD card.
- Don't accept to install applications if you don't really trust the
developer.
- Know what is encrypted and what is not.
- Also know how it is encrypted.
- Make a complete backup periodically. If someone plays with your BlackBerry
and types the password over 10 times, you will have an issue ;-).

-- 
Ing. Aaron G. Mizrachi P.    

http://www.unmanarc.com
Mobil 1: + 58 416-6143543
Mobil 2: + 58 424-2412503
BBPIN: 0x 247066C1
