PaulDotCom mailing list archives

Re: Blackberry Theft Pentest


From: Joshua Wright <jwright () hasborg com>
Date: Fri, 22 Apr 2011 11:19:13 -0400

On 4/21/2011 10:07 AM, Tom McCredie wrote:
The company I work for supplies a large number of employees with a company
Blackberry. I have been tasked with the job of working on a kind of
disaster scenario involving a user's Blackberry being stolen/lost and
the information that could be recovered from it. They have a security
policy whereby the user has a minimum of a six-digit password with 10
attempts before lockout (not sure if this is handset only or handset and
email account - probably handset only).

Obviously the main object of this scenario is to gain access to the
user's corporate mail account / recover the email password, which is also the
user's Windows domain login to the corporate network :-/ (not my idea),
and in most cases I'm willing to bet these users will use the same
password for corporate VPN access as they are not all technically savvy.

What are the resources of the adversary you are willing to defend against?

This is an important question that I try to get answered for each
pen-test and vulnerability assessment I do. If bypassing the PIN
authentication mechanism isn't an option, you might try interfacing with
the BB over USB and see what additional attack mechanisms are available,
or exploit attack options if the device supports Bluetooth or Wi-Fi even
when locked.

Beyond that, you may want to pursue hardware attack options, where you
attempt to interface with ICs and data storage mechanisms on the
device. Does the BB use traditional flash storage that you could
manipulate and extract without powering on the rest of the system
components? Are there SoCs that are vulnerable to reset-and-RAM-dump
attacks (similar to the Ember and Chipcon vulnerabilities Travis
Goodspeed has published)?

Depending on the security needs of your organization, you might not be
too concerned about the latter attack vehicle, since it would require
significant expertise and time (and tools) to extract the information.
I think it is still a likely attack avenue, however, bypassing any of the
"client side security" mechanisms present (e.g. PINs).

-Josh
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

