We are tied to our worlds, tethered if you will, in many respects by our mobile devices. Our Apple iPhones and RIM BlackBerries, among others, aid us in keeping up with our professional and personal lives. They provide us a near-real-time (and in some cases real-time, depending on the platform and connectivity) window to the world. Information is available as quickly as electric signals are converted to light and back again over terrestrial and non-terrestrial infrastructure. It’s an amazing time to be alive. But for every convenience there is a price to pay. Isn’t that always the case? As the old saying goes, there is no such thing as a free lunch, and technological advancement is no different in that respect. We pay a price for convenience. We sacrifice aspects of humanity for expedience. We willingly trade many of those commonalities which all mankind shares in order to ensure we can check our email, reply to a Twitter posting, conduct online financial transactions, post a photo on Facebook or find a movie online.

There is nothing intrinsically wrong with this. In fact, it is quite normal to see some elements of human life retired as technological advancement occurs. Take for example the written word. Writing letters in centuries past was an art form. Manipulation of language and style enabled individuals and groups to establish identities, voices via pen and paper. With the advent of the telegraph, then the telephone, then data communications and so on, the medium and styles changed to meet the times: to meet the needs and urgency of communication, coupled with the ability to provide near-real-time responses to questions or statements.

In late November I wrote a piece that discussed exploitation of jailbroken iPhones and the introduction of worms to the world of Apple handhelds. As a RIM BlackBerry user, I took a certain amount of pride in this as I secretly coveted the coolness of the iPhone. Then yet another mobile vulnerability was announced, only this time it was for the RIM BlackBerry platform. This is not the first time malware for RIM platforms has been developed or identified. Back in 2006, Jesse D’Aguanno, director of professional services and research with Praetorian Global LLC., wrote and released what many of us believe was the first Trojan for the RIM platform. At the time, RIM stated that the exploitation was dependent upon whether or not the BlackBerry Enterprise Server administrator enabled the IT policy settings for mitigating such threats. However, this is not where the story ends. On December 1, 2009, RIM released a security advisory that addressed multiple vulnerabilities in the PDF distiller of some released versions of the BlackBerry Attachment Service. Within the advisory RIM stated that the following versions of BlackBerry Enterprise Server running on the following Microsoft Windows platforms were affected:

By convincing a user to view a specially crafted PDF file, an attacker might be able to execute arbitrary code or cause a denial-of-service condition on the system that hosts the BlackBerry Attachment Service. This of course is not the first, nor will it be the last, time we hear and see advisories such as these for mobile device platforms (I suspect that Palm’s webOS will be the next victim, just as Google’s Android has been). For better than 90% of those who use these devices, what we are discussing will not resonate in the same way as it would with security researchers and analysts. For that percentage of the populace these devices are merely extensions of themselves: windows to the world, as mentioned earlier, which allow them to access and be accessed. That access of course runs deep and wide through their lives and sees their worlds become more risk inclined than not.

But are we so different than the 90%? Don’t we use these devices in similar fashion? Certainly we look at the technology differently than most do, as our business is the business of security, and as a result we are naturally or artificially disposed to being suspicious of that which we do not know intimately or understand. As a result, you and I might conduct analysis on a device prior to using it, or examine a sample of malicious code in an isolated lab environment, using debuggers and other tools and techniques to assess the behavior, payload and net effect of said code on a system or platform. But while corporations find themselves enabled and ready to deal with the introduction of malicious code and content, who is taking first watch in defense of those who use these devices independent of a corporate IT security program?