The thread demonstrates some of the ways in which people formulate opinions and it highlighted something very important; to me at least.  Its a trait that I have seen with so many developers of applications as well.  It would appear to me that people are always looking to “play” within a certain set of distinct boundaries.

I’ll give you an example of a web application developer.  In one banking application I tested, I was able to do a “negative transfer”.  It worked like this, if Alice were to transfer -$1000 to Bob, the logic of the application made Bob do a transfer of $1000 to Alice.  So by Alice initiating a negative transfer, she was able to pull money out of Bob’s account.  When confronted with this, the developer simply stated “yes, but a user is not supposed to do this.”  Well of course he’s not supposed to do this, but isn’t it your job as a developer to check for it?  An attacker is not going to play nice; he’s going to find any way he can to own you.  If he can’t hack your systems, he’ll come at you with a knife or a gun.  To him, the end goal is getting what he wants.  He’s not going to stop doing something just because “a user is not supposed to do this”.

If you take the case of what happened in the forums above, it seems very similar.  Here goes:

The forum users and moderators that did reply, seem to be under the impression that just because I released PhoneSnoop, I am trying to infect them by pushing Kisses (in their minds a malicious app) as a cure.  So to me, at least, it appears that their “boundary” or “sandbox” is the fact that I should have released one or the other but not both.  I’ll cover why this is not a very sound way of thinking later, but first, some fun.  Here are some of the things said in the forum post if you didn’t bother reading the whole thing.

• I was asked if now that I had raised awareness how long I will make PhoneSnoop available for.
• I was compared to a fox guarding a hen house
• I was compared to a pharmaceutical company
• I was wished with “Kisses of death”
• I was threatened with being sent back to Sri Lanka in a box.
• I was called a lovely set of names ranging from “super-spy”, “spy-master” and compared with mid-eastern terrorists
• I asked for donations to help get my hands of copies of FlexiSpy and MobileSpy (mostly because I was writing Kisses for free and was not in a position to pay over $200 for them) and thanks to some members of the phone community out there, I was able to get my hands on copies.  I was questioned as to why I asked for donations and they stated that even free anti-virus product companies don’t ask for donations.
• One of them thinks my Kim Jong Il avatar (taken from Team America; very apt in this case I must say ) on my twitter page makes me look very shady.

So I now am going to dub these wonderful people who are protectors of the BlackBerry community as Team BlackBerryForums.

I have to admit, though, that I respect them very much.  The are very dedicated and I hope that most of what they say comes from some place inside them where they want to protect other users.  For this, yes, I have to bow down and say that I’m impressed.

Right, now onto the reason why this sort of behavior is not very helpful.  First, I really don’t care if users don’t download and use my Kisses application.  I put it up there, because I wanted to give something back to users for free to help them protect themselves.  This was my only intention.

By making it appear to other users that I am evil because I wrote PhoneSnoop and now I’m writing Kisses, Team BlackBerryForums are not being helpful to their users.  Its like in Green Eggs and Ham – a pre-conceived notion before investigating things further. It would have been far more helpful to their users if they had verified things first before seemingly writing off the app as spyware.  To their credit, however, they did ask a lot of questions.  CrackBerry Forums just shut down the thread.  If they had researched what I presented in the Hack In The Box security conference, they would known that there are far more creative ways of infecting BlackBerry users.  I tried to stress this point in my replies, but I guess their minds were already made up.

Lets hypothetically take the situation where I am someone evil and my only job is to spy on BlackBerry users.  I think I would have a far better chance of being stealthy.  I would certainly not highlight the fact that I can bug peoples phones and I surely would not release a proof-of-concept application.  This removes the element of stealth from my plan.  This is how I would do it, again, hypothetically.

I think Team BlackBerryForums believes that by releasing a proof-of-concept tool makes me a terrorist of sorts.  They seem to think that nothing I do from now on can be trusted and is not well-intentioned.  Now I can see how they would think that.  But surely, they should be aware that if I had a serious need to read people’s email or tap their phone calls, I would find a way to do it?  And do it quietly?

Looking at my latest log file, I have 489 distinct downloads of Kisses.  I have had numerous emails from people asking me to support older versions of their BlackBerries and I have had lots of emails thanking me for releasing the free app.  I’m very happy that some people out there perceive the app as useful.  I think that’s enough for me.  So for the sake of those people out there, I will continue to develop Kisses and release it.  A big thanks go out to you guys.

Knowing the APIs of the BlackBerry, I can confirm that this will work only if and when a target has conference calling enabled.  The theory is simple again.  The application hooks the “callConnected” method on the PhoneListener class.  Then when it detects a specific number that has been specified, it sends an SMS to a pre-defined number.  Once that same pre-defined number calls in during an active call, the phone automatically answers and adds the user into a three-way conference.  So its dependent on the target and his phone plan.  Thus this feature is not a guaranteed one.  One thing I plan to try out is to see if the target will actually hear the call-waiting tone before the third call is connected.  Here’s a graphic that explains how it works:

Bob calls Alice on her bugged phone

Alice's phone sends an SMS to Charlie

Charlie calls Alice's phone & is added to the conversation

In the scene above, Bob is a friend who calls Alice.  Alice has had her phone bugged by Charlie.  Charlie wants to listen into conversations between Bob and Alice.  For this to work, Alice needs to have the ability to make conference calls.  This is typically a value-added service from the mobile network operator.  Thus this attack is dependent on Alice having subscribed to such services.

Like all the other things, I’ve written about, I need to conduct some more research on it.  I’ve been busy these days with the day job and my research is taking a back seat.  Sad really.  Maybe its time to look for a job that pays me to do this stuff??  If you want the tool that lets you test out how you can remotely listen in on ambient noise and conversations, look here.

Once a buyer parts with his $300, he will receive a user manual that provides information on how the application can be installed on a target’s phone.  I examined the version for the BlackBerry.  When going through the user manual, one of the first things that jumped out at me was this: explicit instructions to set the Default Permissions of the BlackBerry handheld to Allow All. This means that not just FlexiSpy, but every single application the target installs on his phone after this can gain full control (within the scope of the programming interface or API) over his handheld.  Obviously user protection is not a high priority in this case.

At this point, I haven’t installed the app yet.  I begin to do so.  By using the phone’s built-in browser, I am asked to visit the site http://djp.cc.  I need to enter my activation key here and then I am presented with a download dialog.  This download dialog is simply a JAD file.  The contents of which are listed below:

Manifest-Version: 1.0
MIDlet-Version: 3.02.04
MIDlet-Jar-Size: 232073
RIM-COD-URL-2: net_rim_app_console_pro-2.cod
MicroEdition-Configuration: CLDC-1.1
MIDlet-Jar-URL: net_rim_app_console_pro.jar
RIM-COD-Module-Dependencies: net_rim_cldc,net_rim_bbapi_mailv2,net_rim_os,net_rim_bbapi_phone,
net_rim_locationapi
RIM-COD-SHA1-2: 49 d9 a2 9c 2e 55 c2 fc da b4 2d 96 01 67 ef 7a 89 26 25 ac
RIM-COD-URL-1: net_rim_app_console_pro-1.cod
RIM-COD-SHA1-1: ab 26 1a 63 7c e9 e4 83 bc 04 2b 69 22 c7 54 5b 73 02 13 ce
RIM-COD-Size-2: 31304
RIM-COD-Size-1: 87268
RIM-COD-Module-Name: net_rim_app_console_pro
MIDlet-Name: net_rim_app_console_pro
RIM-COD-Size: 78756
RIM-COD-Creation-Time: 1246442605
RIM-COD-URL: net_rim_app_console_pro.cod
RIM-Library-Flags: 3
RIM-COD-SHA1: c9 33 b8 05 92 d8 08 e0 03 a6 21 e3 56 e7 70 0a f8 42 63 b5
MicroEdition-Profile: MIDP-2.0
MIDlet-Vendor: <unknown>

This tells a BlackBerry where to go to get the actual binary or COD file.  In this case its http://djp.cc/net_rim_app_console_pro.cod and http://djp.cc/net_rim_app_console_pro-1.cod.  Generally, if a COD file exceeds size limitations or consists of several pre-compile external libraries, there will be a need to download more than 1 file.  This is interesting because the first thing I did after installing it is look for it in my Applications screen.  It turns out that FlexiSpy is never hidden on your BlackBerry.  It remains in plain sight, but with an obscure name that looks very similar to a RIM native library.  The application is also tagged as a library.

How FlexiSpy looks when installed

FlexiSpy is installed as a library

So there it is, if you want to look for the latest version of FlexiSpy on your BlackBerries, go to Options->Advanced Options->Applications and look for “net_rim_app_console_pro“.  One thing very interesting is that if something is marked as a Library, in theory at least, you should be able to access some of the classes and methods within.  Curious, I did a “strings” on each of the COD files.  True enough, there was a list of package names, classes and methods visible – at least their names.  Since I’ve given out the URL, I’ll leave this exercise up to the reader.  I will explore possibilities of how this can be done and if indeed other applications can make use of FlexiSpy’s libraries.

Behavior

FlexiSpy requires activation before it can begin to spy on a target.  To do this, a user has to dial the number *#900900900 and then a hidden screen is activated.  On this screen, a user is prompted to enter the activation code.  Never one to leave home without my Wireshark, I sniffed the traffic that went through during the activation process.  Here is the information that went across the wire:

POST /t4l-mcli/cmd/productactivate?mode=0&ver=0302&pid=FSP_BB_V4.2&actcode=[Activation Code]
&hash=[IMEI]&phmodel=8300(4.5.0.44) HTTP/1.1

This request is made to a server with second level domain “aabackup.info” It resolves to the same IP Address as the host djp.cc listed above.  As you can see, the phone’s IMEI is being sent back to FlexiSpy HQ.  Also visible is the Activation Code.  What is returned is a hash value which I didn’t look into very closely yet.  Presumably the phone calculates a similar algorithm and waits for a matching hash.  Once the correct hash is received the app is activated.

From this point out, its a case of configuring the application to intercept SMS messages, email messages, call logs, etc.  The application has a command channel through SMS.  Thus, you have a list of about 8 commands which do the following:

• Start Capture – Begin capturing events like email, sms, location, etc
• Stop Capture – Stop an already started capture
• Send Immediate – Send all collected events to the central logging host
• Send Diagnostics – Send diagnostic info
• Start SIM Monitor – Watch for any attempt at changing the SIM
• Stop SIM Monitor – Stop
• Start Mic Monitor – Wait for calls from a trigger number
• Stop Mic Monitor – Stop

The funny thing is that the command channel SMS messages cannot be deleted, so the manual advises a user to select short phrases like “Good morning” or some such to begin capturing information.  The phrases should be chosen so as not to arouse the target’s suspicion.

Detection

FlexiSpy relies very heavily on Listeners.  Even to bring up its secret screen, it adds a PhoneListener to wait for a specific number to be dialed.  This ensures that no running applications exist on the phone.  It uses these built-in features of the BlackBerry to remain cloaked.  It sits in plain sight in your applications directory and FlexiSpy can choose to constantly change its name whenever they release a new version.  I am incorporating the detection of both FlexiSpy and Mobile-Spy in my Kisses app.  I have a few ideas on how I can write a one time detector for FlexiSpy and Mobile-Spy.  The theories are on the drawing board at the moment.  I have to find a way to bring it into the code.

I expect to do a much more detailed write up on both FlexiSpy and Mobile-Spy and a much needed paper on what BlackBerry users can do to protect themselves.

Acknowledgments

Special thanks go out to Spyphoneguy for all his help!

Before I released the tool, I had a lot of people asking me if it will detect the FlexiSpy program.  While I didn’t want to spend close to $200 just to find out if it does, I am very certain that Kisses can detect it.  How do I know? Because Kisses will probe 2 areas of your handheld:  1) All running processes belonging to all applications on your handheld 2) All installed applications regardless of whether they are hidden or not.  This gives you an idea of exactly what is running on your handheld at any one time.  By letting you drill down further, you can discover more details of each application module.  With these capabilities, you’re bound to find not only FlexiSpy, but other bits of spyware  or suspicious applications as well (provided an undiscovered variant exists).

This is a project I’m very keen in and will be actively pursuing its upkeep.  I have a whole list of enhancements and features to add to it.  You can check the website for updates.  Alternatively subscribing to this blog, following me on twitter or LinkedIn will also keep you updated.

I took a look at the new BlackBerry version 5.0.0 Operating System API.  RIM is offering the simulator and development kit as a Beta release and I think the OS has already been leaked online.  One excellent feature that RIM have added is the CodeModuleListener.  This interface allows a developer to design an application that knows when applications or modules are installed, deleted or scheduled for deletion on the handheld.  Its got three methods:

1. moduleDeletionsPending()
2. modulesAdded()
3. modulesDeleted()

Once implemented correctly, you can look at it like a security guard that sits in front of a room, guarding the door.  Nothing is allowed into or out of the room without the guard knowing.  Once the guard knows somethings coming in, he can call up central that tells him what to do next: block the entry, for example.

I plan on implementing this interface in my Kisses application; most likely in a later release as most of my code is ready to go and I’m only testing things out right now.  Once completed, Kisses will not only be able to detect hidden processes and programs, but it will also be able to warn you when something is either being installed or removed from your handheld (that is, only if you have 5.0.0).  You can jury rig a similar set of functionality, but you’d have to write a lot of code for it and even then, it won’t be as real-time as using CodeModuleListener so I’m not going in that direction.

The trick is, that it can be a double-edged sword, though.  If an application can use this feature for good, then an application might be able to use this feature for evil purposes as well.  It requires a bit more research and I’ll share the results here.

I first blogged about PhoneSnoop, a component of Bugs, a few days ago.  PhoneSnoop demonstrates how a BlackBerry can be used to spy on its owner.  It cannot listen into phone conversations or conduct phone taps on BlackBerry handhelds at the moment.  It is, however, possible to add a feature that makes phone taps work.  I have written more on how to tap phone calls here.  FlexiSpy is offering this service in its new version.  Incidentally, I took apart FlexiSpy and wrote a brief post on it.  While the BlackBerry remains one of the more secure devices out there, user awareness and education is paramount to remaining completely safe from spyware.  I tweaked the application since my first post now allowing anyone to download, install and try it.  PhoneSnoop now has the ability for a user to customize the ‘trigger number’; rather than me having to give out customized versions.

Download PhoneSnoop and take a look at the User Guide

I promised everyone at the conference that I’d have a working application that can spy on the audio of other users who own a BlackBerry.  I am ready to deliver on that promise today.  This post is a prelude to the release of the tool.  I’ve so far not packaged it with Bugs.  Its a separate program that I named PhoneSnoop.  Please note that PhoneSnoop is not an application that does Phone Taps or give you the ability to listen into phone calls.  It can be done, however, and you can read more on that how to tap calls here.  I’d like to have some volunteer beta testers  to see how well the application works You can now download PhoneSnoop directly from here by using your BlackBerry (be sure to read the guide and also make sure to set your input language to English US for the app to work correctly).  You will be able to configure your own phone number.  If you’re interested, please mail me on zen.chopstick@gmail.com For the chickens out there, here’s a video of the app in action (I’ve not got audio on it, but it has closed captioning so make sure you turn it on).  I’m working on a video that shows the app on a real handheld with commentary, but for now, make do with this :p

PhoneSnoop – BlackBerry Bugging Application

Here’s how it works:

You install and run PhoneSnoop on a victims’ BlackBerry.  PhoneSnoop sets up a PhoneListener and waits for an incoming call from a specific number.  Once it detects a call from that specific number, it automatically answers the victims’ phone and puts the phone into SpeakerPhone mode.  This way, the attacker that called can now hear whats going on at the victims end.  Pretty simple right?  In the video above, I have setup PhoneSnoop to listen in for calls originating from +12120031337.  I first make a call from +12120031336 to show that there’s no effect.  Then, I show what happens when a call is made from the expected number.  The demo is on the BlackBerry simulator for now, but I’m working on bringing you a video that demonstrates the application on a real BlackBerry Bold.

Installation Instructions:

1. Grab your friend’s BlackBerry
2. Download PhoneSnoop from the URL I mail you
3. Once installed, go to Options->Advanced Options->Applications->PhoneSnoop->Edit Permissions and change the “Input Simulation/Event Injection” to “Allow”
4. Run PhoneSnoop

Checking the bugging capabilities:

1. Call the victims phone number
2. Listen

I will need to give you a customized version of PhoneSnoop hence there’s no download.  If you’re interested in trying it, mail me at zen.chopstick@gmail.com.  Include your phone number so that I can code it into the application.  I’m not doing a general release at the moment because of the implications of this tool.  I’m mainly looking for feedback so that I can refine the tool and write a paper on it. The tool is now available for general release.  Anyone can download it.  Go here to read more.