
Blackberry "Spy" Software Released

Zonk posted about 7 years ago | from the pack-a-toothbrush dept.

Security 91

Noryungi writes "Maybe the French were on to something after all. It turns out that there is software available to easily spy on Blackberries, recording voice conversations and all messages (emails or SMS text messages) that transmit through the portable device. Of course, the software has to be installed by the owner of the Blackberry, but it would not be surprising to find out that someone has found a way to silently auto-install that software on RIM devices. ZDNet reports that RIM isn't concerned: 'Ian Robertson, senior manager of security and research at RIM, said users need not be particularly worried about the capability of FlexiSPY. "While it's the subject of some debate, I don't consider it a virus nor a Trojan, as it does require conscientious effort from the user to load the program," he said. Robertson said an average user that maintains good [gadget] hygiene would never see the software loaded onto their device without their knowledge.'"


91 comments


hm (1, Funny)

nawcom (941663) | about 7 years ago | (#19767351)

Paris Hilton: back in business.

Since when can software only be installed by owner (2, Funny)

alcmaeon (684971) | about 7 years ago | (#19767355)

"Of course, the software has to be installed by the owner of the Blackberry"

If this is true, RIM should go into the software security business and drop this whole phone thing altogether.

Re:Since when can software only be installed by ow (1)

earnest murderer (888716) | about 7 years ago | (#19769769)

Indeed, that's some serious delusion right there. Most people wouldn't even notice, much less ask, if someone is looking at their phone. If you're paranoid, wait until they're in the can, or busy elsewhere.

In any case, it's something RIM could fix. Rather than deny the problem.

Re:Since when can software only be installed by ow (1)

memojuez (910304) | about 7 years ago | (#19769795)

Most software and patches can be installed silently and remotely to a BlackBerry Device either from the corporate BlackBerry Enterprise Server (BES) or from the Cell Carrier. The Daylight Savings Time (DST) patch was installed by our BES Administrator to all BlackBerry users and Nextel installed a new GPS product onto all BlackBerrys using them as a carrier.

The only action on my part was to turn the BlackBerry on.

Re:Since when can software only be installed by ow (0)

Anonymous Coward | about 7 years ago | (#19770143)

A BES administrator can indeed push software out to your device, but I don't believe they can do so without you noticing. At the very least, the device would notify you that it needs to restart, if I understand correctly.

As for Nextel installing something on your device over the air, that is simply not possible. Sure, they can make new icons pop up by pushing a new Service Book, but that doesn't mean anything new is installed. It's typically just a shortcut to a web-app, or enabling an app that was already installed (e.g. even if you aren't paying for web-browsing service, the browser is still installed. If you change rate plans, they can make that icon appear by enabling that Service Book).

Re:Since when can software only be installed by ow (1)

memojuez (910304) | about 7 years ago | (#19772079)

On the former, I had to actually look in Options | Applications to verify that I indeed received the patch. On the latter, I double checked and you are correct that it is a new icon that invokes the BB Browser.

Another tool in the corporate toolbox (2, Insightful)

Trigun (685027) | about 7 years ago | (#19767367)

This is actually good news for corporate IT Departments. Hopefully this can be pushed out via policy at the BES server.

Re:Another tool in the corporate toolbox (2, Insightful)

Itninja (937614) | about 7 years ago | (#19767561)

In an enterprise level environment, I can see the benefit of tracking corporate email and SMS messages. However, if a corporation uses the ability to 'record a voice conversation' they could find themselves in trouble. I believe (and please correct me if I'm mistaken) the courts had determined that personal email sent via a corporate email system is legally the property of the corporation, but that telephone conversations are still protected as private.

Or at least that's something I read somewhere once (I might have been dreaming).

Re:Another tool in the corporate toolbox (2, Interesting)

Trigun (685027) | about 7 years ago | (#19767895)

Face it, even if it can't be used in court, it is still a great resource. Being able to physically locate a device, record all the conversations, etc. Plus, you could probably argue that the voice conversation is data, the phone was provided as a business resource, etc. You might get a 'fruit from the poison tree' argument, but even still, a lot of these things wouldn't play out in court.

"Bob, we know that you've been leaking secrets to the competitors. You're fired. And if you go quietly, we won't pursue criminal charges."
"Hmmm, I see. I'll clean out my desk."

Re:Another tool in the corporate toolbox (1)

bluekanoodle (672900) | about 7 years ago | (#19768111)

You did read this somewhere, but you probably missed the part where the courts said that there is an "expectation of privacy" in phone calls, but a company can listen in on phone calls if the employee is notified that there is no privacy.


The courts have said that once notification is given (most companies do it during orientation, or as a disclaimer in the employee handbook they give you when you start), if it is company equipment during work hours, they can listen all they want.

Re:Another tool in the corporate toolbox (1)

davester666 (731373) | about 7 years ago | (#19769225)

The courts have said that once notification is given (most companies do it during orientation, or as a disclaimer in the employee handbook they give you when you start), if it is company equipment during work hours, they can listen all they want.
This might be true for the employee of the company. But in a number of states, it's illegal to record a phone conversation unless all parties know it's being recorded. And then you get into 'off-hours' calls, does the employer still have the right to listen to those calls? Only George Bush knows for sure!

Re:Another tool in the corporate toolbox (1)

JPriest (547211) | about 7 years ago | (#19771697)

Valid point, many states don't allow recording calls under single-party consent (i.e., the guy on the other side of the phone call may or may not be an employee).

Re:Another tool in the corporate toolbox (0)

Anonymous Coward | about 7 years ago | (#19768117)

In an enterprise level environment, I can see the benefit of tracking corporate email and SMS messages. However, if a corporation uses the ability to 'record a voice conversation' they could find themselves in trouble. I believe (and please correct me if I'm mistaken) the courts had determined that personal email sent via a corporate email system is legally the property of the corporation, but that telephone conversations are still protected as private.

Nice try, but no.

In fact, in some industries (like finance) all contact with clients (phone/fax/email/sms) must be recorded by law.

Now, in your country, in your industry, the laws may differ, but for some, this is an obligation.

Re:Another tool in the corporate toolbox (1)

Itninja (937614) | about 7 years ago | (#19770255)

All phone contact must be recorded? What country do you live in exactly? I think that's not really enforceable or even possible in the financial industry, except for maybe at the call-center level. My financial adviser (stocks, bonds, etc.) is available via his cell phone, and I doubt his conversations are "prescribo aliquando". My mortgage broker works in a little office of 6 people, and I've spent many hours there. They certainly don't record phone calls.

Re:Another tool in the corporate toolbox (0)

Anonymous Coward | about 7 years ago | (#19771065)

All phone contact must be recorded? What country do you live in exactly?

USA.

I think that's not really enforceable or even possible in the financial industry, except for maybe at the call-center level.

Maybe, but that doesn't change the law.

My financial adviser (stocks, bonds, etc.) is available via his cell phone, and I doubt his conversations are "prescribo aliquando". My mortgage broker works in a little office of 6 people, and I've spent many hours there. They certainly don't record phone calls.

Retail finance is a little different (your mortgage doesn't fall under the SEC). But everything at Goldman Sachs or Merrill Lynch (email, phone, instant messaging, fax, etc.) is recorded.

Null set (4, Funny)

Anonymous Coward | about 7 years ago | (#19767375)

>an average user that maintains good [gadget] hygiene

SELECT id,name FROM averageusers WHERE good_gadge_hygiene=TRUE;

0 ROW(s) returned.

Re:Null set (0)

Anonymous Coward | about 7 years ago | (#19767675)

good_gadge_hygiene
All of the syntactic correctness in the world won't save you from a semantic boo-boo, Hot Rod. Next time don't query the ronngg table.

Unsolvable problem (0)

Anonymous Coward | about 7 years ago | (#19768213)

<PROBLEM type="unsolvable" reason="mutually exclusive goals">
      <GOAL priority="required">
            Convenience
      </GOAL>
      <GOAL priority="required">
            Security
      </GOAL>
</PROBLEM>

The part should make everyone very concerned (4, Insightful)

Pulse_Instance (698417) | about 7 years ago | (#19767379)

Robertson said an average user that maintains good [gadget] hygiene would never see the software loaded onto their device without their knowledge.

I'm sure most of you have seen your bosses leave their blackberry, Treo or whatever device they have lying around or just hand it off to the secretary who leaves it on the desk. They really should find some way to alert people if this software or software like this gets on the device as in my humble opinion this is a huge risk for the people who need to have semi-secure communication in most companies I have seen.

Re:The part should make everyone very concerned (2, Informative)

afidel (530433) | about 7 years ago | (#19768161)

In a well run operation you wouldn't be ABLE to install this software, BES has policies to prevent you from installing unapproved software available to the BES administrator.

Re:The part should make everyone very concerned (1)

Puls4r (724907) | about 7 years ago | (#19768357)

Who modded this insightful? You're absolutely RIGHT! We should create a program - let's call it a scanner - that checks for this stuff. Then let's invent a program that doesn't allow outbound or inbound connections to the device without our approval. Then let's write a special tool that can remove them if they get on the device. Then let's........ Anyone, and I mean ANYONE, who thinks this isn't an issue is insane. These devices are one step away from a computer, and people seem to think they're magically secure. Probably the same folks who brag about OSX never having a virus....

Re:The part should make everyone very concerned (1)

blhack (921171) | about 7 years ago | (#19768701)

If this gets installed on your blackberry you'll notice your battery life go from about a day and a half to a few hours. That, and you'll see that little data arrow at the top right of your screen (BB users will know what I'm talking about) going crazy. While I agree that this software might be useful for tracking sort of "low-level" employees (delivery drivers and such that need phones, but aren't really supposed to use them for anything other than emergencies), most high-level manager types that actually need a blackberry would not tolerate this sort of intrusion.

Re:The part should make everyone very concerned (1)

gujo-odori (473191) | about 7 years ago | (#19770573)

The waffle-factor of his statement is astonishing. Not only does an average user not practice good device hygiene any more than they follow good email security practices, but he further qualifies it with "...would never see the software loaded..."

I'm sure they wouldn't. That doesn't mean it's not there, just means they'd never see it. This is an average user we're talking about.

Governments aren't stopped by technical obstacles (-1, Offtopic)

Anonymous Coward | about 7 years ago | (#19767403)

A small technical obstacle such as "requiring physical access" is hardly enough to stop a government from spying. Remember that:

1. The US government covertly installed a spying system on the entire AT&T network.

2. Software can be sent through a network by the provider to the end-user.

3. Laws don't seem to be obstacles to government efforts to "protect us." Especially not this millennium.

4. Data storage is so cheap now that anything and everything can be archived for later mining.

Paranoid much? Well, heck yeah. There is a "War on Terror," which suspends our liberties... just until all the terrorists are dead. That is to say, they managed to find a simple way to completely suspend liberties forever. Why should that make me nervous?

If you really want to have freedom from government intrusion, your only hope is an open source government:
http://en.wikipedia.org/wiki/Open_source_governance [wikipedia.org]
http://www.metagovernment.org/ [metagovernment.org]
After all, it's about time we thought for ourselves, isn't it?

Re:Governments aren't stopped by technical obstacl (0)

Anonymous Coward | about 7 years ago | (#19767525)

If the government is spying on us, are they really going to let us replace them with open source governance?

Re:Governments aren't stopped by technical obstacl (0)

Anonymous Coward | about 7 years ago | (#19767669)

and I am finally gonna get that bitch!

Re:Governments aren't stopped by technical obstacl (0)

Anonymous Coward | about 7 years ago | (#19771539)

Does the government care what I do?

They dismiss the risk -- I wouldn't (5, Insightful)

Red Flayer (890720) | about 7 years ago | (#19767415)

Robertson said an average user that maintains good [gadget] hygiene would never see the software loaded onto their device without their knowledge.
I think Robertson overestimates the average user. Either that, or it's not the "average user" we need to worry about -- it's the significant number of below-average users who could pose a problem. I know for certain that the marketroids with company-purchased Blackberrys at my company are the primary source of infections on our network.

Also, I'd like to mention that in my experience, it's often those with the most crucial conversations (ownership/upper management) are the ones who hand off their Blackberry to others for maintenance, etc. A disgruntled/bribed tech could very easily install this.

One other note -- if a user needing to take action to install malware wasn't a problem, we wouldn't see so many compromised machines.

Re:They dismiss the risk -- I wouldn't (1, Insightful)

Anonymous Coward | about 7 years ago | (#19768095)

The article isn't about generic malware but rather about a very specific program which doesn't match the description of a virus (doesn't self-propagate) or a trojan (Flexispy makes no secret that this is monitoring software), so this isn't a matter of tricking a user into loading the software. As it stands, the program is simply a Potentially Unwanted Program. At the end of the day, if a user (and/or their IT dept) takes the basic steps to secure their device, namely using a password, not letting other people use the device and only loading software from known, trusted sources, how is Flexispy going to get loaded?

Re:They dismiss the risk -- I wouldn't (1)

Red Flayer (890720) | about 7 years ago | (#19768733)

namely using a password, not letting other people use the device and only loading software from known, trusted sources,
You're ignoring two of my main points, which are:

1. There is a significant segment of Blackberry users by which these simple steps are not going to be followed, and
2. A disproportionately large part of that segment consists of those to whom secure communications are most important from a corporate POV.

Re:They dismiss the risk -- I wouldn't (1)

darthflo (1095225) | about 7 years ago | (#19770249)

You're ignoring one of RIM's most important selling points: BES policies.

Because of that significant segment of users who wouldn't follow these steps, software installs will be prohibited and the use of passwords enforced by the IT department.
So until somebody manages to bypass those security features, I wouldn't consider trojans & co. a serious threat.

Re:They dismiss the risk -- I wouldn't (0)

Anonymous Coward | about 7 years ago | (#19768501)

I know for certain that the marketroids with company-purchased Blackberrys at my company are the primary source of infections on our network.
Are you saying that it is through the BlackBerry that the infections reach the network, or just that people at your company who end up infecting your network also carry BlackBerries, and would thus be vectors for a real virus on a BlackBerry?

Re:They dismiss the risk -- I wouldn't (1)

Red Flayer (890720) | about 7 years ago | (#19768807)

No, the infections typically aren't from their Blackberrys. Usually idiot user + loaded email. Sometimes it's a driveby from a sketchy site.

Using a Blackberry won't eliminate their lack of common sense, so I'm betting they could be easily tricked into installing malware on their Blackberry.

Re:They dismiss the risk -- I wouldn't (1)

0xdeadbeef (28836) | about 7 years ago | (#19768599)

A disgruntled/bribed tech could very easily install this.

ZOMG! I've even heard of these people having access to the boss's desktop PC, even the email server! Imagine what they could do with such power!

A competent administrator would set the security policy of the device to disallow the installation of unapproved software. Oh, but let's not let that get in the way of hysterical FUD.

Re:They dismiss the risk -- I wouldn't (2, Insightful)

Red Flayer (890720) | about 7 years ago | (#19769013)

A competent administrator
All admins are competent? All devices are locked-down in most companies? I don't think so.

I'm not saying that the sky is falling -- I'm saying that security on these devices IS a concern, and something we need to be aware of. I'm also saying that it's wrong for Blackberry spokespeople to downplay the risk of malware on the Blackberry, as the risk is real and important (unless of course we take steps to mitigate it, which is the whole point of not downplaying the risk -- to get people to take the necessary precautions).

Re:They dismiss the risk -- I wouldn't (1)

0xdeadbeef (28836) | about 7 years ago | (#19769295)

I'm saying that security on these devices IS a concern

The security of these devices is the best on the market, which is the reason they are the only type allowed by some government agencies. Research in Motion has security experts with graduate degrees on their payroll, are you claiming to know better than them?

You are a karma whore trying to make an issue of the fact that computers designed to run software can run software.

Re:They dismiss the risk -- I wouldn't (2, Interesting)

Red Flayer (890720) | about 7 years ago | (#19770109)

No.

As you point out, anything that runs software carries with it a risk of infection.

Regardless of RiM's security record and staff, there IS risk.

Furthermore, maybe you're a bit out of touch with people in a typical workplace. A Blackberry is not a computer to most people, it's an upgraded cell phone. Even people used to taking precautions when using their PC don't always use the same common sense when using their "cell phone", regardless of what it's capable of, and what it's capable of being infected by.

I am not claiming to know better than the security staff at RiM. What I am claiming to know is that no device that is capable of downloading software is risk-free, and that the below-average user is of concern, particularly to those charged with maintaining security in a corporate setting.

As for your ad hominem, it's not about karma. It's about a statement made by a spokesperson (which is the first tip-off that you need to look a little deeper) that didn't jibe with me. As you've pointed out, there are precautions that can be taken -- but as I've pointed out, they are not always taken.

Maybe I'm wrong, but it seems to me that the point you're trying to make is, "Don't worry about it -- they have very good people taking care of that" along with "Don't worry about it, Blackberrys should be locked down". As to the first, that's ridiculous -- security should be a concern for everyone, from decision-makers at the executive level down to the lowliest user, regardless of how good the security staff are at a vendor company. As to the second, you should never forget that a significant segment of users will not take the simplest security precautions if it inconveniences them in any way (including taking the short time necessary to change a configuration).

To make a long post short, are you just trolling, or do you have points to make that really do contradict what I'm saying, or just more ad hominems and red herrings? I'd be glad to be proven wrong, since then we could all rest assured knowing that Blackberrys are inherently secure with a zero risk of compromise.

One other note:

which is the reason they are the only type allowed by some government agencies
This has little to do with the security of Blackberrys as used by the general public. Note that those government agencies also have more staff devoted to security, policies more conducive to security, and employees more receptive to always acting in accordance with those policies.

Re:They dismiss the risk -- I wouldn't (1)

0xdeadbeef (28836) | about 7 years ago | (#19770915)

It's about a statement made by a spokesperson (which is the first tip-off that you need to look a little deeper)

So, what has your expert digging found that contradicts the words of the Global Security Team Manager at RIM?

And if you want to be an effective bullshitter, you might want to employ some consistency in your rhetoric, as you have little else. If your talking point started out as "important people might have important data compromised", you shouldn't change it to "unimportant people don't have a security policy" when shown that those risks have simple solutions.

Re:They dismiss the risk -- I wouldn't (1)

Red Flayer (890720) | about 7 years ago | (#19771487)

So, what has your expert digging found that contradicts the words of the Global Security Team Manager at RIM?
Nothing, you're deliberately obfuscating the point. Go back to my OP, and one of the points I made was that the "average" user isn't the concern, it's the sub-average user. The basis for my OP was that the GSTM at RiM downplayed the possible risk of malware, based upon the "average user" -- you shouldn't base your response to potential security threats on the average user. Period. Of course he's going to downplay the threat -- but this is one example of malware on the Blackberry, the threat in general is there and people need to be aware of it.

if your talking point started out as "important people might have important data compromised", you shouldn't change it to "unimportant people don't have a security policy" when shown that those risks have simple solutions.
You're making an invalid assumption, that the set of important people does not intersect the set of below-average (from a security standpoint) users. There is an intersection, and it's not negligible. Of course, "important" is a relative term, but to a small home-grown business, the owner may be extremely important.

Nice try, but still not there. Let me know when you come up with something that contradicts my points, OK? It's getting tiresome deflating your red herrings, and like I said, I'd welcome the knowledge that Blackberrys truly are secure for all users.

Re:They dismiss the risk -- I wouldn't (1)

0xdeadbeef (28836) | about 7 years ago | (#19775021)

If a password lock is still too complicated, I believe a simpler security device [gizmodo.com] is more appropriate for the level of competence you're supporting. (Yes, I waited all day to safely google that.)

BTW, while you were at work, someone might have broken into your home and installed spying software on your PC. Oh, sure, it's highly unlikely, but the risk is real and you must be warned!

good gadget hygiene. (1)

morgan_greywolf (835522) | about 7 years ago | (#19767423)

an average user that maintains good [gadget] hygiene


I insist on good gadget hygiene. An unclean gadget really stinks bad! Those aren't going anywhere near my face!

France's reasons not related (2, Interesting)

StewedSquirrel (574170) | about 7 years ago | (#19767443)

France has different reasons for avoiding RIM Blackberries.

Specifically, all email data transferred to/from a Blackberry goes through RIM's "blackberry.net" service, which resides in the US. Therefore, it is a virtual guarantee that all Blackberry emails transit US wires... Very specific US wires and it would be trivially easy to sniff ALL Blackberry.net traffic with a few properly placed protocol analyzers.

The fact that one can install software on a modern microprocessor based telephone-slash-computer that can *gasp* RECORD what the telephone-slash-computer happens to be doing shouldn't come as any sort of surprise to anyone at all.

In fact, this particular bit of news is a bit 'ho-hum', though I'm sure a few tech-stupid executives will gasp and throw their "Crackberry" out the window.

Perhaps this article was written by Microsoft or Apple to bolster the sales of their respective Blackberry competitors? :-)

Stew

Re:France's reasons not related (0)

Anonymous Coward | about 7 years ago | (#19767505)

You're mostly right. The servers themselves that the msgs move through are located in Canada....

Re:France's reasons not related (5, Insightful)

Tack (4642) | about 7 years ago | (#19767521)

Specifically, all email data transferred to/from a Blackberry goes through RIM's "blackberry.net" service, which resides in the US.

Why do people insist on perpetuating this myth? It is simply untrue.

Very specific US wires and it would be trivially easy to sniff ALL Blackberry.net traffic with a few properly placed protocol analyzers.

Just as trivial as it is to sniff SSL traffic over the general internet. Trivial, and worthless.

Re:France's reasons not related (0)

Anonymous Coward | about 7 years ago | (#19768139)

You're right, it isn't true.

All messages go through a Canadian server instead of an American one.

Not really an improvement.

Re:France's reasons not related (1)

Tack (4642) | about 7 years ago | (#19770019)

All messages go through a Canadian server instead of an American one. Not really an improvement.

Are you also so sure it's not the case that when an email is sent from a BlackBerry in Europe to a BES connected in Europe it never leaves Europe?

If a government (France, say) is terribly concerned about this, I have every confidence that RIM would make every effort to allay their doubts.

Re:France's reasons not related (0)

Anonymous Coward | about 7 years ago | (#19770829)

Are you also so sure it's not the case that when an email is sent from a BlackBerry in Europe to a BES connected in Europe it never leaves Europe?

It doesn't matter. The messages are strongly encrypted with AES. Whether the encrypted message transits the USA makes no difference. I assure you that the USA and the Russians have spy satellites/antennas throughout the world. What makes the email secure is the AES encryption, not the physical location.

If a government (France, say) is terribly concerned about this, I have every confidence that RIM would make every effort to allay their doubts.

Yes, RIM has a large department for government sales. BES has been audited, tested and certified [blackberry.com] by the United States, Canada, the United Kingdom, Austria, Australia and New Zealand, among others.

I.e., the French politicians who announced the blackberry ban have no fucking clue what they are talking about.

Re:France's reasons not related (1, Informative)

Anonymous Coward | about 7 years ago | (#19770269)

Actually, neither of you are right, for a number of reasons:
  • A government would certainly not be using the free blackberry.net service, but a proper BlackBerry Enterprise Server.
  • All of the data is encrypted. Sniff it all you want... but then what?
  • European traffic never gets routed to North America, unless it's to contact someone in that region. There is a European data centre as well.

Re:France's reasons not related (0)

Anonymous Coward | about 7 years ago | (#19772383)

Also, there is no data centre in the US.

What if attackers collude with RIM? (0)

Anonymous Coward | about 7 years ago | (#19778171)

All of the data is encrypted. Sniff it all you want... but then what?

You are making the assumption the attackers are not colluding with RIM (*). If they are, then the fears are valid. It makes no difference where the data center is, or if the data is encrypted, merely using a Blackberry device would end up being a very high security risk. This is why the French banned it.

(*) For example, despite being supposedly killed, the still on-going TIA project, or some other project run by a governmental 3-letter agency.

Re:France's reasons not related (0)

Anonymous Coward | about 7 years ago | (#19768717)

...not if you make Shuttleworth rich just in order to be able to have full control (MIMA) through your favourite pets (VeriSign, ICAN)

Re:France's reasons not related (0)

Anonymous Coward | about 7 years ago | (#19768101)

It resides in Canada. Not the US. Why would a Canadian company have their infrastructure in the US?

Re:France's reasons not related (0)

Anonymous Coward | about 7 years ago | (#19768277)

Specifically, all email data transferred to/from a Blackberry goes through RIM's "blackberry.net" service, which resides in the US. Therefore, it is a virtual guarantee that all Blackberry emails transit US wires... Very specific US wires and it would be trivially easy to sniff ALL Blackberry.net traffic with a few properly placed protocol analyzers.

Like too many on slashdot, you have no fucking clue what you are talking about, and are too lazy to look it up.

The blackberry system is a well-designed, end-to-end system that uses VERY STRONG (AES) encryption. It has been analyzed, tested and audited [blackberry.com] by many governments and non-governmental organizations.

It has been certified by NATO, the governments of United States, Canada, the United Kingdom, Austria, Australia and New Zealand. The German Fraunhofer Institute for Secure Information Technology also likes it.

Are all these people wrong? Or are you a lazy idiot?

Re:France's reasons not related (1)

RasputinAXP (12807) | about 7 years ago | (#19770681)

Speak for yourself, but all of OUR BlackBerry data goes through our BlackBerry Enterprise Server.

What the end user does with their own personal POP or IMAP accounts through blackberry.net is their decision.

Still a threat (1)

jshriverWVU (810740) | about 7 years ago | (#19767489)

It's called social engineering.

"Want stock quotes quicker try this new freeware program from JimBob's Stock Warehouse.com"

Re:Still a threat (0)

Anonymous Coward | about 7 years ago | (#19768281)

SE is a generic problem that transcends any given technology - the flesh is weak. This does not point to a specific threat from Flexispy. Any useful platform is going to have functionality that can be used to do questionable things - is the threat the program or the user?

how is this any different (1)

SolusSD (680489) | about 7 years ago | (#19767493)

than just about *any* cell phone, PDA or laptop? You can write a program that "spies" on someone's input into the device for just about any device.

Re:how is this any different (1)

arivanov (12034) | about 7 years ago | (#19767557)

Not all have open interfaces for this. iPhone is a prime example in this category. Samsung non-Windows phones closely follow.

Some that have open interfaces do not have enough resources to record all voice traffic (though most can probably manage data sniffing as it is not a realtime task). Early Windows Mobile devices are in this category. Most of them have the APIs to sniff, but are likely not to have enough CPU to do so.

iNSA (3, Funny)

Doc Ruby (173196) | about 7 years ago | (#19767527)

I love it when people release these spy tools publicly. Finally "Joe Mousepad" can catch up with the NSA, and spy on his neighbors.

"Suspicion Breeds Confidence [imdb.com] "

Quick (2, Funny)

bryan1945 (301828) | about 7 years ago | (#19767545)

Call Homeland Security! We have a Level 5 Fruit Alert!

Depends on who you consider as the user (3, Interesting)

jackhererUK (992339) | about 7 years ago | (#19767555)

I imagine you can silently install this over the air from the BES server. In my current and previous job I am the only IT professional in the company and the sole administrator of the BES server; if I could roll this out using the BES server to everyone's BlackBerries then only I would know. I would then be able to listen to all of the senior management's mobile phone calls. Ahh, the power of being the BOFH.

Re:Depends on who you consider as the user (1, Insightful)

Anonymous Coward | about 7 years ago | (#19767839)

So what? Most telephony admins can do this already. If you're launching it from BES, it isn't spyware, it's an "administration tool".

a rose by any other name (2, Interesting)

conspirator57 (1123519) | about 7 years ago | (#19767649)

This is a tool because it advertises its functionality... How many game/"productivity"/other third party software packages for the BB have extra program content along these lines? It only costs $100 (http://na.blackberry.com/eng/developers/downloads/api.jsp) to get a program signed by RIM for distribution... And if you provide some bit of useful functionality, pretty soon your SW gets distributed by the cellular providers...

oh, and in answer to the question below about pushing the content from a BES, yes this can be done, but it has to be developed for. You'd have to ask the application provider in question whether their app supports this.

Not a good thing (1)

thomsmith123 (1124627) | about 7 years ago | (#19767723)

While some heavily regulated industries may like this, it seems to me that the piracy and privacy risks warrant more concern from RIM.

fud ... (1)

vorwerk (543034) | about 7 years ago | (#19767823)

Of course, the software has to be installed by the owner of the Blackberry, but it would not be surprising to find out that someone has found a way to silently auto-install that software on RIM devices.

huh?! "It would not be surprising"??? Actually, I think that that would be surprising.

The fact that I can install software on my own device which allows calls to be recorded should not really come as a surprise. But if someone else could install said software without my knowledge or touching my device ... well, then we would have a problem.

This article (and its segue) would best be labelled as anti-Blackberry FUD.

Re:fud ...?? that is the question. (1)

Cragen (697038) | about 7 years ago | (#19768695)

Is there a way for this software to be installed on BB's that are given to the user by their employer, say, w/o the user being aware the software is there? (I am not a network or hardware type so I don't know.) The more likely scenario, where the user works for a large business or a military organization, is that software is being installed willy-nilly whether the user cares or not prior to being issued to the user. I can definitely envision that happening with my boss, the US Army.

Not a problem for properly administered devices (1, Informative)

Anonymous Coward | about 7 years ago | (#19768267)

Which are connected to a BES.

If an administrator does not want people installing software on their phones, there is an option in the security profiles to disable this ability.
If an administrator does not want people to run already installed applications on their phones, there are options to disable it.

the owner (1)

syrinx (106469) | about 7 years ago | (#19768287)

"Of course, the software has to be installed by the owner of the Blackberry"

I guess this is opposed to something running Windows, where software needs to be installed by the pwner of the device?

What a shocker! :) (1)

HycoWhit (833923) | about 7 years ago | (#19768349)

So the CEO of RIM says there is nothing to worry about! Anyone surprised? "There is nothing to see here, move along. Oh and buy more Blackberries!!"


Don't ever think any messages you send on Blackberries are secure. Have a friend that wasn't a very good husband. All the messages from his Blackberry, which he thought were private, wound up in court and cost him an additional $2.5 million in divorce settlements.

Re:What a shocker! :) (1)

SteveWoz (152247) | about 7 years ago | (#19769283)

sounds like openness helped get justice done

failz0Rs (-1, Troll)

Anonymous Coward | about 7 years ago | (#19768643)

bloc I_n order to

Check your sources - it can't record calls! (2, Informative)

rand0md00d (1124635) | about 7 years ago | (#19768679)

It is worth pointing out that the program itself doesn't claim to record phone calls, but rather to use the phone as a 'bug'. It does this by silently answering a telephone call from a defined number.

...from the FAQ... (http://www.flexispy.com/faq.htm)

"What is remote monitoring? Remote Listening is for FlexiSPY PRO only. You set a special spy call number in FlexiSPY. When a call comes into FlexiSPY from this number, the microphone will secretly switch on and you will be able to hear whatever the phone hears. If the phone is in use, or the user presses a key, the spy call will be disconnected.

Can I listen to phone conversations? When PRO-X is released, this will be possible."

Announceware doesn't count.

Listening through the microphone (3, Funny)

rickthewizkid (536429) | about 7 years ago | (#19768889)

Well, most people I know keep their blackberry in the holster when they are not talking on them... and if someone holsters it on their right side, it's probably rotated forward so the top of the device faces forward. This means that the microphone is pointed toward the person's ass.

Are you sure you *really* want to hear what that microphone picks up? Especially *after* lunch?

-Rick

It's not a bug... (1)

techpawn (969834) | about 7 years ago | (#19768709)

It's a feature.
9 times out of 10 I can't think of a reason to want to hear ANYTHING my users say let alone why anyone else would.

Does he mean what he says? (0)

Anonymous Coward | about 7 years ago | (#19769191)

> Robertson said an average user that maintains good [gadget] hygiene would never see the software loaded onto their device without their knowledge.'"

Exactly. If it's loaded onto my device without my knowledge, i couldn't have seen it. Doh. Perhaps he's intentionally avoiding the question.

Actually, that info IS alerting! (1)

Opportunist (166417) | about 7 years ago | (#19769215)

"While it's the subject of some debate, I don't consider it a virus nor a Trojan, as it does require conscientious effort from the user to load the program," he said. Robertson said an average user that maintains good [gadget] hygiene would never see the software loaded onto their device without their knowledge.'"

Let's first of all realize that Blackberries and their like are usually used by manager types (or people who want to appear as if they were). Now, if you have ever worked in support, you'll quickly learn that this species usually shows 3 traits:

1. Needs always the coolest, newest gadgets and knickknacks.
2. Has not the foggiest idea about those gadgets.
3. Will never admit that they might have done anything wrong.

This combination is in the presence of spyware a surefire way to get it onto any device coming close to such a person. Yes, it would require "conscientious effort" (though how "conscientious" a manager is in the vicinity of a tech device is debatable). But as we've all learned with Vista, "click allow every time, or it won't work".

Re:Actually, that info IS alerting! (1)

dave562 (969951) | about 7 years ago | (#19769567)

Other people have pointed this out but maybe you just went ahead and posted before bothering to read the replies. There are policies that can be put in place through the BES server that prevent third party software from being installed. Most of the comments to this article have been pure FUD from people who have obviously never used a BES server or been responsible for Blackberries in any sort of enterprise environment.

In other words, it doesn't matter how big of a tool the manager type is. I'm completely inclined to agree with all three of the points you made. However, none of them matter when your BES server policies are set up right. The manager type can be the type of person who clicks on everything that pops up onto the screen, but it won't matter because the server policy will prevent the install.

Re:Actually, that info IS alerting! (1)

Opportunist (166417) | about 7 years ago | (#19797651)

All true and fine, but you apparently never worked for a boss of the "I pay for this junk and I get to have all rights" kind. Believe me, they do exist, and they are your worst security nightmare.

Re:Actually, that info IS alerting! (1)

dave562 (969951) | about 7 years ago | (#19802815)

I've been working in IT for over a decade and recently spent the last seven years as a consultant. As a consultant I ran into every personality in every position possible. When you run into the kind of boss who wants access to everything you just need to CYA. Give them enough rope to hang themselves with and make sure that you've got the safety net in place. In the meantime, start looking for another job. Life is too short to work for worthless bosses.

Re:Actually, that info IS alerting! (1)

Opportunist (166417) | about 7 years ago | (#19807695)

As a consultant, you may have that luxury. As the young, aspiring tech that I was, I didn't. I didn't have a name, I didn't have a CV to lean back against. Today, I'd certainly tell him that I'm gonna take the rest of my vacation for the 2 weeks warning and good riddance. Not everyone is in that fortunate situation.

So what those bosses end up with are people straight out of college without a hint of RL experience who can't simply tell them to stuff it. A deadly combo, as you'll hopefully agree.

And those people usually also don't have the skills, experience and guts to build up a shelter against the fallout that will eventually come down. It will strike the tech, not the manager. He'll be the one hanging for the damage.

You could view it as the process of "weeding out" the techs that can't survive the trials of securing a hopelessly insecure environment. Call it natural selection if you want. Generally, though, a lot of careers have been ruined before they started. I just hope that, as a consultant, you manage to tell a few managers that less rights also means less responsibility. Because, well, if it blows up and you couldn't have been liable for it, lacking rights, you sure ain't the one to blame.

Re:Actually, that info IS alerting! (1)

dave562 (969951) | about 7 years ago | (#19807849)

I actually went to work for one of my clients full time and it is starting to seem like it was a bad decision. I just didn't want to spend my life constantly staying on the cutting edge and as a consultant, at least at the firm that I was at, I had to do that. So I took an easy job that wasn't too taxing on my skills so that I can focus on other areas of my life.

But back on topic, I completely agree with you that bad bosses can definitely severely hamper a career. I have a bad boss right now, and he is actually my first one. Luckily for me I have enough experience that I can have his job if he keeps up what he is doing. Truth be told though, I don't want his job.

Objection (1)

C_Kode (102755) | about 7 years ago | (#19769829)

Robertson said an average user that maintains good [gadget] hygiene would never see the software loaded onto their device without their knowledge.'"

This is speculation. I don't care how good you *think* you are about protecting something. There is no way you can say it will "Never" be compromised. Same goes for Blackberries and any other *thing* of any sort. This statement is nothing more than *spin* or damage control.

Gimme a break! (0)

Anonymous Coward | about 7 years ago | (#19770301)

I don't consider it a virus nor a Trojan, as it does require conscientious effort from the user to load the program[...]

Um... it took conscious effort for the original Trojans to load the Greeks' Trojan Horse, too. Something deceptive that you install yourself is the very definition of a trojan horse. They don't call it the freakn' "self-propelled automatic city-wall-circumventing horse", now do they?

Who's bashing here? (1)

guruevi (827432) | about 7 years ago | (#19772591)

I wonder why so many people bash on RIM for this like "oh noes, security through obscurity" or "oh noes, the average user is stupid!!!!!111one"

This is actually a good thing, the user can install this program if he wants (and he has the rights to do so), there is no need to block a program to be installed. Or do we all want Microsoft's/RIM's approval for any program that we want to install? No, I do whatever the heck I want on my machine. Maybe Linus Torvalds should also approve all software you run on your box... no, Linus Torvalds is like: oh, this virus/trojan/spyware/whatever doesn't run well, let's fix the kernel.

The real problem is: in a managed (business) environment to let users run whatever the heck they like and that's what Microsoft is so bad in, to secure their machines against UNAUTHORIZED access. If a user decides to install something as their user, they should be able to do so, just like on Linux/Unix, not a 100 warnings, but if their user logs out, the program better be gone too, also (a large problem in Windows) a standard user shouldn't be able to run any programs that could b0rk the system or have direct access to hardware (raw sockets), they can only fsck their own profile. What I don't like is when backdoors are installed in my system (Microsoft likes to do so) that either report any activity to anyone (even if it's only the vendor through an anonymous service) or that allow people to come in without my knowledge. If anyone attempts to, it should be blocked by default unless I allow it. That's what a problem is in most security frameworks these days: the user is too dumb to activate something, so when somebody ELSE asks (whether that is a program or an external user), the operating system doesn't block it, but just asks a question if it's allowed, most users don't know/don't care or are just too friendly to deny anything.

This isn't the security vulnerability.. (1)

SMS_Design (879582) | about 7 years ago | (#19772959)

..It's the payload. All you need now is a good Bluetooth stack vulnerability that will allow you to associate, push code, and install it. THEN you have a security vulnerability.

To find out if it is on your Blackberry... (1)

majorxp (1064626) | about 7 years ago | (#19773213)

According to Symantec, the program arrives as the following Java application:
net_rim_app_console_pro.cod

Silently install? (1)

thePowerOfGrayskull (905905) | about 7 years ago | (#19773401)

the software has to be installed by the owner of the Blackberry, but it would not be surprising to find out that someone has found a way to silently auto-install that software on RIM devices
I would be very surprised, unlike the submitter. You cannot silently auto-install ANY software on a RIM device. And further, any such installed software MUST get permission from the user before it uses network resources.

makes perfect sense (1)

Some_Llama (763766) | about 7 years ago | (#19773431)

"Robertson said an average user that maintains good [gadget] hygiene would never see the software loaded onto their device without their knowledge.'"

That's why spyware is no longer a problem on the Windows platform. Should work well with Blackberries too..

I used to work at a company that managed their own BB server; we had the ability to push software to clients without them needing to approve.. I wonder if this will be used by companies to help track usage by their employees...

(wonder meaning yes of course they will).

FBI taps cell phone mic as eavesdropping tool (1)

JoshRoss (88988) | about 7 years ago | (#19773663)

Once again, I would like to point to McNealy's Law, which states that you have zero privacy and to get over it. The FBI has done this [zdnet.com] in the past and will likely continue this type of activity.

Re:FBI taps cell phone mic as eavesdropping tool (0)

Anonymous Coward | about 7 years ago | (#19777507)

Any company with a Blackberry Enterprise Server (BES) that cares about security will have disabled the ability to install new software via the BES. This enforces the rule for all devices. No matter how dumb the user is, they can't install any new software on their Blackberry - whether they want to or they just are too stupid to realise that is what they are doing.

My company has this rule. If you want "Authorised, previously vetted by security" software installed on your Blackberry, e.g. Reuters or Bloomberg market data applications, Google Earth or whatever, you must get the IT department to install it. Your Blackberry is temporarily moved to a different profile which allows software installation but not network access. The software is installed via USB connection to a PC, then the device is moved back to the default profile which doesn't allow software to be installed.

Same goes for Bluetooth - you can't attack the device via Bluetooth if the Bluetooth is disabled by the administrator.

Security control like this is why the Blackberry is loved by both the users and the administrators. Users get their addiction, their must have gadget, their email anywhere - admins have no incoming ports they need to open, encrypted data from the BES to the device, control from the server of everything that happens on the device and one company to deal with globally.

Just my 2c as the Blackberry admin of a company with about 3500 of these devices around the globe.
