Remote Listening for the BlackBerry

I first blogged about PhoneSnoop, a component of Bugs, a few days ago. PhoneSnoop demonstrates how a BlackBerry can be used to spy on its owner. At the moment it cannot listen in on phone conversations or conduct phone taps on BlackBerry handhelds. It is, however, possible to add a feature that makes phone taps work; I have written more on how to tap phone calls here. FlexiSpy is offering this service in its new version. Incidentally, I took FlexiSpy apart and wrote a brief post on it. While the BlackBerry remains one of the more secure devices out there, user awareness and education are paramount to remaining completely safe from spyware. I have tweaked the application since my first post so that anyone can now download, install and try it. PhoneSnoop now lets the user customize the ‘trigger number’, so I no longer have to give out customized versions.

Download PhoneSnoop and take a look at the User Guide

Discussion

Comments for “Remote Listening for the BlackBerry”

  • guttz
    Hey Question for you.
    Did you modify the Spyware that SS8 created for Etisalat to make phonesnoop?
  • Ch0pstick
    No, PhoneSnoop was written from scratch. The SS8 interceptor only collected outgoing email. PhoneSnoop turns the BlackBerry into a remote listening device by answering calls from a certain 'trigger' number. I'd suggest you read the whitepaper I wrote at http://chirashi.zensay.com/whitepapers for more information on the SS8 interceptor.
  • rico2
    Hi,

    Is there a way to bypass the BlackBerry Security Policies for BES users for PhoneSnoop? If not, it is really not a real security problem. Works as designed.

    For BIS Users of course that could be a problem. BES Users can be secured via Application and User Policies.

    For example, Application Policies or User Policies on BES 4.1.6 MR7 or BES 5.0 MR3 can control what an application can do. If the BES admin sets the correct permissions, the user is not able to download or install third-party applications on his device, or applications can be denied use of radio, email, SMS and so on. ...

    How can you bypass this? It is not a design problem of the BlackBerry topology; it is still a user problem. The biggest security issue is still the human!
  • Ch0pstick
    Hi there,

    As of now, NOTHING can beat the mighty BES and its IT Security Policies ;). Thus, if you're on BES and your admin has turned off third party apps, then you're safe. Similarly, if your admin has disabled Key Injection or limits you from changing Application Permissions, you're safe.

    This cannot be bypassed. If you're on BIS, however, it's a different story. The BlackBerry is quickly moving into a consumer space and gaining more popularity among regular users. They all use BIS. This mostly affects them.
  • orron112
    I guess I'm not all that impressed with this tool. FlexiSpy has been able to remotely turn on the microphone in order to listen to ambient room conversation for some time. The difference...this one is free...and not discreet, like FlexiSpy is.
  • Ch0pstick
    I appreciate your input. I wonder, though, if you actually read my post. I mention that it is Proof of Concept code that shows how potential spyware works to eavesdrop. In this regard, I purposely made it visible so that people cannot abuse it.

    Hope you managed to sell your pool table. :)
  • orron112
    I did read it, and I don't mean to be flippant or standoff-ish. I have read several reports about this tool, as it's kind of my responsibility to do so, and was quite disappointed, not with your tool, but with the reporting surrounding the tool. There were several reputable tech news outlets that parroted the fact that it could allow an attacker to "eavesdrop on phone conversations". Hearing that was immediately of concern, considering no one has been able to do that with BB's yet..that we know of. I completely understand the point you are trying to make with this tool, as we are currently doing the same type of work with P.O.C code. I'm glad that someone is looking at BB's, as they have been dismissed until recently, as a true security threat, especially in the Enterprise. And yes, I did manage to sell it. ; )
  • Ch0pstick
    Like I said, I value constructive criticism because it lets me know what people out there are thinking. The BlackBerry is a very secure platform, provided a healthy mix of awareness and paranoia exists amongst its users. I want to bring out the fact that wetware is more often the cause for the failure in its security. Have you also checked out the hidden program and process detector Kisses? It's here: http://kisses.zensay.com

    Glad you sold it; if I'm ever Stateside, I'll look you up. Maybe play a game or three. :)
  • orron112
    No, I have not looked at that tool yet, but will. We have a similar tool here as well. I completely agree that awareness is the key, as it is with all things infosec related. Users are the weak link. Are you specifically dedicated to BlackBerry? I've moved on, personally from BB to Android.

    Yep, got it sold this weekend and installed. 1 1/4" slate is heavy. Easily 300+ lbs a piece. My back still hurts from carrying them up the stairs. I'd love to play, if you ever make it out here. Bring your money...and your game. haha
  • Ch0pstick
    Yeah, I'm focusing only on the BB. Didn't touch the iPhone or Android yet.

    Pfff, surely, sir, I would never bring my game without my money!
  • orron112
    Quick question for you. Since you are in this space as well, and I did make the comment that your tool was not actually intercepting and allowing attackers to listen to calls, have you seen any tools out there that are capable of doing that with BB? We know that FlexiSpy does intercept calls, via conference call capabilities, but they do not offer a version that supports BlackBerrys.

    Also, as an FYI, I'm doing a writeup about your tool and the goal it attempts to achieve (as well as the mis-reporting by some news outlets of the capabilities). I'll share the link when it's published if you're interested...
  • Ch0pstick
    Dude, do you work for FlexiSpy or something? LOL, just kidding. I'm not fully aware of what it does from an interception point, but from what you mention, if a user has conference calling enabled as a service from his provider, then it shouldn't be difficult to have the BB initiate a call and patch it in as a conference call. The only problem with that would be the fact that the call is outgoing and the victim will see it on his phone bill. Alternatively, if the app detects when the victim is on the phone and notifies a server to call in, this can be avoided. The problem then is that the victim can hear the call waiting tone.

    I'd like to see your article, so yes, please let me know when you're done.
  • orron112
    haha, no I definitely don't work for FlexiSpy, just using it as an example, since it's really the leader in public spying applications and makes no attempts at pretending it is anything other than what it is. Just using it as a baseline for what is generally considered possible...at least at this point. As I've said, we are also working on some proof-of-concept stuff as well. In the business I am in, it's always good to share information about what type of malware is out there. We can't always find everything ourselves. Sometimes we need tips from fellow researchers.
  • orron112
  • Ch0pstick
    Aha! It all makes sense now! SMobile Systems!! LOL!

    Nice article by the way. Very well done.
  • orron112
    Glad it's a little clearer now ; )
  • kinsk
    Hey, good job.
    I want to test this on my own BB 7130 OS V4.1.0 and I have a systematic "907 invalid COD".
    Does PhoneSnoop require a specific OS version?
    Thx.
  • Ch0pstick
    Yes, you need to have at least version 4.3, although I think I would recommend 4.5+ because these are the platforms I tested on.
  • profbad
    I tried unsuccessfully to download the software OTA. Any ideas as to why?
  • Ch0pstick
    Can you give me an idea of the following information?

    Your Operating System/Platform Version: Go to Options->About
    Your BlackBerry model number
    The link you were following to download the application.
    Are you on BIS or BES?
  • Mike
    Looks like there is a bug in the app. If the blackberry is locked then when it picks up, it puts the caller on hold instead of picking up the phone and putting it on speaker.
  • Ch0pstick
    Thanks for the feedback. I'll take a look at it.
  • moe
    Any word on the BB lock problem that Mike posted? It puts the caller on hold.
  • Ch0pstick
    Mike, Moe, I have tested this and verified that it is indeed the case. When the handheld is locked with a password, the most you can do programmatically is to answer the call and put it in speakerphone mode. There is no way that the Home Screen can be invoked. This is a security feature of the BlackBerry when it is locked.
  • nope
    I read all your posts on PhoneSnoop, Kisses, tapping phones, "researching into how to hack phones" and the use of the words "victims" and "attackers", and that throws up plenty of red flags to avoid such programs of yours that require an installation by the owner, who may be gullible to a developer's "fast talk", as well as a warning from Homeland Security
  • sneeker
    Where can I download PhoneSnoop.jar / .cod ? They don't seem to be there...
  • Ch0pstick
    Browse to http://www.zensay.com/PhoneSnoop.jad from your BlackBerry.
  • Hightower
    Hello,
    I've downloaded PhoneSnoop on my Curve 8310 with OS v 4.2, but the app won't work. Error message:
    "Error starting PhoneSnoop: Symbol 'EventInjector $KeyCodeEvent.<init>' not found"

    Can anybody give me information please, what's the matter?
    Thank you very much in advance
  • Ch0pstick
    Hi there,

    For the moment OS 4.2 is not supported. I am working on adding support for it. Check back soon.
  • Hightower
    Hi Ch0pstick,

    Thank you very much for your quick answer. I'll look for it; maybe meanwhile I'll update to OS 4.5.

    Hightower
  • Hightower
    Hello Ch0pstick,

    So I'm back again. I've updated my Curve 8310 to OS v. 4.5, the software is working without an error message, and I've set the permissions as shown in your guide.

    I'm adding a number and activating it, then the correct message appears, but if I try to call the phone it works as standard and the phone rings as usual.

    So my question: how do I have to format the phone numbers for the GERMANY T-Mobile net?

    For example: +49(08586)123456 or maybe 00498586123456 or maybe +498586123456

    Can you give me any information about the format of calling numbers?

    Thank you very much.
  • Ch0pstick
    Hi there,

    Congratulations on the upgrade :) The number matching on PhoneSnoop works as follows: When you enter a trigger number, PhoneSnoop will compare it with the incoming caller ID and match any number -ending- with the trigger number. So if your trigger number is "456" it will match all incoming calls ending in 456. If you want to match an incoming number exactly, you first have to find out what its format looks like. To do this, just call your phone and see how the number appears. Is it a flat number like +4912345678 or does it have a specific format like +49(123)45678? Whatever it is, you need to make the trigger number look exactly like that. Hope this helps.
  • concerned wife
    I would like to know if the phone snoop would work for corporate configured and adm (to the corporate server outlook) without being detected ...BES
  • Ch0pstick
    If the BES admin has locked down his policy by denying access to permissions like "Phone" and "Input Simulation" then PhoneSnoop will not work. Additionally, if the BES admin applies the policy where no Third Party applications can be installed, then PhoneSnoop will not install on the BlackBerry. Otherwise, PhoneSnoop will function as normal.
  • stucker1
    I downloaded and installed PhoneSnoop on my 8320 running 4.5, which does go through a BES. I could not get this to work. I enabled all available permissions, including key injection. Yet when I make the call, the phone rings normally, with no indication that PhoneSnoop has done anything at all.

    Any ideas?
  • Jamie
    This happens to me as well! Sometimes it works, and other times it just rings like normal, almost as if it is undependable. Unless I am doing this wrong:

    I download PhoneSnoop onto the phone of the person I would like to eavesdrop on (lol) - at this point we are just figuring it for fun but hey!

    Then I type in the last four digits of my phone number as a trigger on that phone and hit activate

    And then I call from my phone and Bob is my uncle?
  • Ch0pstick
    The fact that the ringing is intermittent depends a lot on the current CPU load of the BlackBerry. Typically, I designed the program to ring. Of course it also depends on your ring tone. If you have a second or two of silence in the beginning it won't ring.

    The steps you describe to activate PhoneSnoop are correct.
  • Ch0pstick
    I've not had the opportunity to test the program on BES. It could depend on the trigger number that you have activated. Can you check that the number you entered is the same as the one that appears in the caller ID when a call is received?
  • stucker1
    It is the same number. I did try another test. I entered only the last four digits of the trigger number instead of ten digits. Now it works, but the phone rings once first, and displays the caller info, then answers on its own, then goes back to the home screen and leaves the call up. That's an improvement, but I'll certainly know whenever the trigger number calls!
  • moebl
    I installed PhoneSnoop correctly, but sometimes the phone rings and no longer auto-answers, though the trigger number is still there, and it needs to be reactivated.
    And when the BB is restarted, the trigger number disappears.
    Any ideas?
  • Ch0pstick
    When the phone is restarted, PhoneSnoop is reset and does not listen. This is by design. Occasionally you will experience that the phone will not pick up. I have come across this behavior on a few rare occasions. The program is experimental and may have bugs such as this. I have no immediate plans to fix it.