BlackBerry flaw highlights growing mobile device risks

Mobile security issues have been making waves, and following a recently revealed BlackBerry vulnerability, it's time to take notice.

At the Black Hat conference, a presentation centreed around BBProxy, a hacking program that can take advantage of the trust relationship between a BlackBerry and an enterprise's internal server to hijack network connections.

That, coupled with recent warnings of imminent mobile virus outbreaks, is cause for alarm. recently spoke with George Tuvell and Neil Book, respectively CEO and president of mobile security vendor SMobile Systems, to determine which mobile threats are real and which are myth. The pair also noted the havoc that BBProxy can wreak.

With mobility the way it is today, what do you see as the biggest actual security threat?
George Tuvell: I think the biggest threat … both to the carrier and to the end users is really the fraudulent services charges. We're moving into a mobile commerce world where your phone is becoming your digital identity. Not only is that going to be storing your personal information on your own device or in chips, as they are in Japan today, but also credit card information. You have the ability now to make a payment with your phone by just hovering it over a device; you can also use SMS messaging, text messaging, for payment. I think that now we have that platform, you're going to see more and more threats and attacks toward that, trying to use the phone as a form of payment or [for] fraudulent service charges.

What kind of impact can that have at an enterprise level?
Tuvell: At an enterprise level or a consumer level, you're going to have fraudulent service charges on the users' bills. It's really independent of the end user. Multiple service charges, messaging fees … it has a financial impact if it's directly related to your bank account. I can create a cluster of problems ranging from the consumer to the enterprise.
Neil Book: This creates a huge problem for not just the end user, the enterprise or the consumer, but [for] the carrier as well. For example, when fraudulent charges appear on your bill, the first person [you are] going to be calling is the carrier. That's going to drive up the carrier's support costs; they're going to have to spend more time on customer care. It's going to create customer churn. It's going to create the image that they don't have a (quote-unquote) secure network. Along with a direct impact on the consumer and the enterprise, it can have a tremendous potential impact on the carrier as well.

What do you see as the biggest mobile security myth?
Tuvell: I think the biggest myth is "the world is ending now" theory. Some people out there are saying the threat is so big right now it's an epidemic and everyone has to run and protect themselves. It's not there yet. I think it's happening, it's increasing. We're seeing proof of concepts; we're also seeing the mobile payment types of viruses we're talking about that have hit today, but primarily in the open operating systems platforms. Some other vendors and people today have been over-hyping the threat, saying it's really a major problem today, and it's not. It's not there yet. I think that in the next 18 months, we're going to see a significant increase. We've seen it year over year exponentially already. There is some over-hyping going on and some fear-mongering, and that's something that's just not where we are today.

You mention that fraudulent charge attacks are the biggest threat that's looming right now. What's available to protect against them?
Tuvell: Our products and our solutions are geared toward protecting the user experience and the user identity. When you look at what the operating system vendors and the enhancement vendors are doing today around security, they're trying to do some things like provide basic encryption. Symbian, in the new version of [its] operating system, now has Platform Security, which protects a lot of the core operating system; it restricts third-party access to some of the core functionality, which can be used in a malicious way.

The problem is, the operating system can be secure, but it's really the user's data and the user's information that sits on top of that, and the applications that they're using, which are at risk. It doesn't matter how secure you can make the OS itself. The hackers aren't worried about bringing down Symbian, they're worried about getting your information and manipulating it to their advantage. And that is never going to be protected with a basic operating system. You [will] always … have to have that layer of security to protect the user experience. And that's what we do. That's really where you have to start with mobile security. You have to look at it from a user-experience perspective.

Protecting at the OS level is a nice segue into the BBProxy (a BlackBerry vulnerability revealed at the Black Hat conference). Can you explain what BBProxy is and what it does?
Tuvell: The BlackBerry Proxy [BBProxy] basically allows access to an enterprise network via the BlackBerry. What happens is that the BlackBerry will install this virus -- the BlackBerry Proxy. It's not actually a virus, it's a security tool which has a vulnerability to do this. You install this tool on the device; the tool then can connect to an outside connection, to an external connection -- say, my laptop. It makes a connection over the Internet to my laptop. Now my laptop has a connection with that BlackBerry. I can now access all of the connections that BlackBerry has access to. If that BlackBerry is connected to the corporate network during various functions, I now have access to that network. That's the overall threat. Basically, now you have an entry point from an external source into an enterprise network.

What steps can a company take to prevent against BBProxy?
Tuvell: What [enterprises are] trying to do today is to say we're going to restrict or limit your access. IT security administrators say we'll just eliminate Internet access and not have to worry about it. That type of thought process is really limiting the BlackBerry user experience and the productivity it provides. It's there to provide increased productivity, and if you take away those functions, you're limiting your investment.

So, basically, what we've done is we've provided a security solution at the handset level which still allows the enterprise and the users to get the full access, to get the full capabilities and the full experience [while] at the same time providing protection against these known threats. We have an engine that runs on the BlackBerry that monitors malware [and] illegitimate connections and can provide security around that.

What could a worst-case situation be when dealing with this BBProxy vulnerability?
Tuvell: The worst-case scenario is that it's a proxy, so it allows you access to all of the resources the BlackBerry has access to. As an enterprise, you're allowing your users access to email, which is the No. 1 function today for BlackBerrys -- you basically have access to the email system of an enterprise or corporation. You could send out mass email attacks with worms or viruses from the BlackBerrys. You also have access to their email servers. It depends on what they're allowing access to. Some enterprises allow access to database systems and other proprietary file systems with customer information. It really depends on what level of access you get today. Ninety-nine percent of the people using it will have email access. It's basically a vector of attack into the enterprise email system, which is today where we see most of the viruses on the PC.

What really is the state of mobile security and mobile devices? I've talked to people who have compared it to the PC world in the 1980s in terms of viruses. You mentioned before that there is a lot of fear-mongering going on, but is this threat real?
Book: To use your comparison to the PC world, what we saw in the '80s, it took probably 15 to 20 years before PC viruses began to have a real financial impact on the marketplace. We've seen a much quicker progression in the mobile virus world. I think the first mobile virus was released in 2002 or 2003. Since that time, it's already had a financial impact. I think we've seen a much quicker progression than we did in the PC space….

When we're talking to customers or we're out there talking to carriers, we're constantly telling them it is not an epidemic, not a pandemic today. But we believe it certainly can be tomorrow. Now it's very important as these operators begin to open up their networks -- and their users are going to have the ability to go out, for example, and browse the Internet and start downloading third-party applications -- to provide that protection and put that protection in place today before it does become an epidemic.

I personally believe [that] over the course of the next 10 to 18 months we're going to really start seeing a significant number of viruses being released that have the ability to spread quickly and to have a real financial impact on the marketplace. Today, for example, it's there, particularly in Europe and Asia, but we're seeing new releases coming out all the time.

Is there any specific operating system or platform that seems to be targeted?
Tuvell: The dominant platform today has been the Symbian operating system. It's 70% of the smartphone market. It's an open operating system. And we've seen most of the MMS Trojans, SMS dialing Trojans, these types of attacks, happening on that platform.

Aside from the financial aspect, are there any other negative effects that could come from mobile viruses, such as devices being rendered useless? What are the potential outcomes?
Tuvell: Aside from the charges, like you just said, the devices could be rendered useless. It's an on-demand type of world in mobile. It's all about right now: I want my service, I want my messages. It's real time. The moment you don't have access to that; the moment you can't make a voice call or you can't make a data connection to check your email, it's a big pain point for the end user. That's really on top of what the carrier experiences in terms of loss of revenue for that downtime, you've now lost your access to services. If I'm an enterprise, I've lost my productivity. There's a pain point both from the enterprise/consumer side and at the carrier level just from denial of service.

In Asia, two years ago, the first CommWarrior virus, which was an MMS Trojan [and Bluetooth], went around to 30 different countries around the world. We've seen multiple variants of that today, but when it first came out, it actually took down a phone operator in Brunei … and actually required the operator to recall the handsets and re-flash [them]. It was an enormous cost for them bringing the handsets into the flashing centre, re-flashing them, resetting them and sending them out.

What should really be front of mind for enterprise, mobile operators and the people who are in charge of managing and securing these devices for their mobile workforces?
Tuvell: The plan needs to be, you have to have something in place today to protect yourself. A perfect example of that for the enterprise especially is the BlackBerry Proxy. This is something that came out very quickly and it affects all BlackBerrys, it is not limited. Enterprises have to have a solution in place, but they [haven't deployed a solution] to protect them from that. The point is that it can happen very, very quickly.

Why don't enterprises and companies have any solutions in place?
Book: There are some enterprises that do have something in place. Enterprises really haven't mandated it yet, and that's simply because the financial impact has just not been there, and we haven't seen a huge proliferation of viruses going out and affecting corporate networks and taking down devices. However, we are starting to see in certain parts of the world that once it does enter a market and once the awareness is created, we are going to see enterprises taking steps to remedy this problem. We're starting to see that today. Since the announcement came [this month] about the BlackBerry vulnerability, our phone has been ringing off the hook from enterprises looking to deploy our antivirus solution on that platform. It's all a matter of awareness. As the awareness is created, you're going to start to see the enterprises taking those steps to protect themselves.

Is there anything further you'd like to share with our readers about mobile security?
Tuvell: There used to be a lot of closed systems, and everything was closed off. Feature phones did not have Internet access. What we've seen in a very short period of time [is that] some of them have become very smart and they're very capable of Internet connections and peer-to-peer applications. Basically, what's happening is the Internet is now coming to your mobile phone. And there's really no stopping that. We're going to be there at [the latest] within the next two years in a smartphone-dominated market. Both enterprises and consumers are going to have to do something within the 18-month time frame. They're going to have to do something to keep themselves protected because it's going to be a dominant IP Internet world in terms of mobility, and a slew of new attacks and new threat vectors are going to come with that. We're at the early stages today, but it's going to be a very short ramp-up time.

This article originally appeared on

Read more on IT risk management