I was speaking with a respected colleague today about the security of Blackberries vs. other mobile devices. The conventional wisdom of the business community, apparently, is that the Blackberry is some form of superhero-grade magical device, impervious to all forms of cybersecurity attack, and hence suitable for handling all levels of sensitive communication (and soon suitable for President Obama).
It’s true that RIM (Research in Motion), Blackberry’s maker, has an excellent marketing department (and, as excellent marketing departments are hard to come by, I at least give them kudos for that). They have spun a fantastic tale about how, by simply installing their superduper-secure Blackberry Enterprise Server (BES) product, you have created a secure channel between the enterprise network and a user’s eyes/ears. As far as wireless communications channels go, they have an “ok” solution for securing transport to the Blackberry device itself. The highest security risk of using a Blackberry is NOT that your data is compromised while being transmitted wirelessly. Instead, there really are two high-risk scenarios when using a Blackberry in an enterprise:
- End user devices (Blackberries) are not secured with a PIN (password), and fall into the wrong hands. This is quickly and easily solved by setting an IT policy in the BES product to require a PIN for all users (the same policy can also enforce a lock timeout and wipe the device after too many failed attempts). Without question, every enterprise using Blackberries should do this.
- The BES server creates a channel (vector) between a malicious party and your entire enterprise network. Yes, that’s right, your entire network.
What RIM marketing fails to tell you is that by placing a BES server blindly into your enterprise network, you are exposing your entire organization to compromise. Fiddlesticks you say? That could never happen!
In fact, since July 2008, a series of critical flaws in the PDF distiller of the Blackberry Attachment Service have allowed a malicious party to send an email containing a specially crafted PDF file which, when the user opens it for viewing on a Blackberry, could lead to arbitrary code execution on the server that hosts the Blackberry Attachment Service. The detail that matters here is that the handheld never parses the PDF itself: the Attachment Service on the BES renders the attachment and sends the device a converted view, so the malicious file is processed on the server, and that is where the code runs. In plain English, if any Blackberry user opens an evil attachment, the attacker now controls the BES server. To add to the pain, most BES servers are inside the enterprise firewall, not segmented from the rest of the network. Let your imagination run wild from here.
Is this level of risk a surprise? It shouldn’t be. Any device/server that handles communications (emails, attachments, files, whatever) from the outside world should always be segmented from the internal enterprise network by at least a packet filtering firewall and probably an IPS. For a BES that means putting it in its own segment and allowing only the handful of connections it actually needs (outbound to RIM’s relay, and to your mail server and database), so that a compromised BES cannot simply reach every other host on the LAN. If you’ve deployed a BES server and it’s inside your network, you should both move it behind a firewall and apply the patch from RIM, ASAP. Today would be a good time to do this.
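One way to check that the segmentation is actually holding (and to spot a compromised BES being used as a pivot) is to watch what the BES itself connects to: a BES has a very short list of legitimate peers, so any connection it opens to anything else is worth an alert. The script below is an added example, not code from the original post or from RIM. It parses iptables-style firewall log lines from the BES segment and flags every BES-initiated connection that is not on an egress allowlist. All addresses are made-up RFC 1918 and RFC 5737 values, the log lines are constructed for the example, and the mail server and database entries in the allowlist are placeholders for whatever your own BES depends on; outbound TCP 3101 to the RIM relay is the one entry every BES needs.

```python
"""Egress allowlist check for a BlackBerry Enterprise Server segment.

A BES legitimately talks to a small set of peers. Anything else it
initiates, especially SMB or RDP to arbitrary internal hosts, is a strong
indicator that the server has been compromised and is being used to pivot
into the rest of the network.
"""
import re
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Assumed addressing for this example (not values from the original post).
BES_HOST = ip_address("10.20.0.5")             # BES in its own filtered segment
RIM_RELAY = ip_network("198.51.100.0/24")      # stand-in for the RIM relay addresses
MAIL_SERVER = ip_network("10.10.0.10/32")      # placeholder mail server
SQL_SERVER = ip_network("10.10.0.20/32")       # placeholder BES database

# Flows the BES is allowed to initiate: (destination network, protocol, port).
ALLOWED_EGRESS = [
    (RIM_RELAY, "TCP", 3101),      # SRP to RIM's relay: required by every BES
    (MAIL_SERVER, "TCP", 135),     # RPC endpoint mapper on the mail server (placeholder)
    (SQL_SERVER, "TCP", 1433),     # BES configuration database (placeholder)
]


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dport: int


# Matches the SRC/DST/PROTO/DPT fields of an iptables LOG-target line.
LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) .*?DPT=(\d+)")


def parse_line(line: str):
    """Return a Flow for a firewall log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst, proto, dport = m.groups()
    return Flow(ip_address(src), ip_address(dst), proto.upper(), int(dport))


def is_allowed(flow: Flow) -> bool:
    """True if the flow matches an allowlist entry."""
    return any(flow.dst in net and flow.proto == proto and flow.dport == port
               for net, proto, port in ALLOWED_EGRESS)


def suspicious_flows(log_text: str):
    """Every connection the BES itself opened that is not on the allowlist."""
    found = []
    for line in log_text.splitlines():
        flow = parse_line(line)
        if flow and flow.src == BES_HOST and not is_allowed(flow):
            found.append(flow)
    return found


def pivot_targets(flows):
    """Distinct hosts the BES reached on ports it has no business using."""
    return sorted({str(f.dst) for f in flows})


# Constructed sample log: normal BES traffic, then SMB/RDP fan-out to
# internal hosts that a healthy BES would never touch.
SAMPLE_LOG = """\
Jan 14 09:12:01 fw kernel: FWD IN=eth1 OUT=eth0 SRC=10.20.0.5 DST=198.51.100.7 PROTO=TCP SPT=49201 DPT=3101
Jan 14 09:12:05 fw kernel: FWD IN=eth1 OUT=eth2 SRC=10.20.0.5 DST=10.10.0.10 PROTO=TCP SPT=49202 DPT=135
Jan 14 09:12:09 fw kernel: FWD IN=eth1 OUT=eth2 SRC=10.20.0.5 DST=10.10.0.20 PROTO=TCP SPT=49203 DPT=1433
Jan 14 09:13:40 fw kernel: FWD IN=eth1 OUT=eth2 SRC=10.20.0.5 DST=10.10.0.31 PROTO=TCP SPT=49210 DPT=445
Jan 14 09:13:41 fw kernel: FWD IN=eth1 OUT=eth2 SRC=10.20.0.5 DST=10.10.0.32 PROTO=TCP SPT=49211 DPT=445
Jan 14 09:13:42 fw kernel: FWD IN=eth1 OUT=eth2 SRC=10.20.0.5 DST=10.10.0.33 PROTO=TCP SPT=49212 DPT=3389
Jan 14 09:14:00 fw kernel: FWD IN=eth2 OUT=eth1 SRC=10.10.0.10 DST=10.20.0.5 PROTO=TCP SPT=50001 DPT=135
"""

if __name__ == "__main__":
    bad = suspicious_flows(SAMPLE_LOG)
    for f in bad:
        print(f"ALERT: BES {f.src} -> {f.dst} {f.proto}/{f.dport} not on allowlist")
    print("possible pivot targets:", pivot_targets(bad))
```

Run against the sample, the three allowlisted flows pass and the three SMB/RDP connections are flagged; the last line is ignored because the mail server, not the BES, opened it. The same allowlist is, of course, exactly the rule set the firewall in front of the BES segment should be enforcing; the log check is there to prove that it is.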
I’m not saying that Blackberries expose an organization to more risk than other mobile “smart phone” devices, such as an iPhone, Treo, or the like. Other products also create some form of a vector between the outside world and the enterprise. But I am saying this: folks should stop living in any fantasy world where they believe 1) Blackberries and their supporting platform are inherently secure or 2) Blackberries are more secure than other products in the marketplace. Any system is only as secure as its weakest component.
Any mobile communication platform brings risk along with it. Take appropriate steps to secure and protect your enterprise network by keeping your mobile communication platform up-to-date on patches, and properly segmented from the rest of your network.