Attacking Blackberry For Phun and Profit

1. Attacking BlackBerry for phun and profit
y3dips[et]echo.or.id
Sunday, November 8, 2009

2. y3dips
• A Bandwidth Hunter ... A Renegade
• IT Security fan for more than 7 years
• http://google.com/search?q=y3dips

3. BlackBerry
• Push Email
• Wireless Messaging System
• Phone, SMS, Cameras, Browsing

4. BlackBerry
• Photos
• Emails
• SMS
• Phone log
• Contacts

5. BlackBerry
• BlackBerry Enterprise Server (BES)
• BlackBerry Internet Service (BIS)

6. Diagram
http://smartphone.nttdocomo.co.jp/english/blackberrybold/blackberryservice/img/index/dgm_diagram.gif

7. BB Proxy
• Attack BES network
• Defcon 2006, presented by Jesse D'Aguanno
• Making a BlackBerry device a gateway to the internal network

8. Attacking Anatomy
(diagram labels: Server, Apps Server, BB User, INTERNAL LAN, Firewall, INTERNET, Attacker)

9. Attacking Anatomy
(diagram labels: Server, Apps Server, BB User, INTERNAL LAN, Connecting into Attacker Computer, Firewall, INTERNET, Attacker)

10. Attacking Anatomy
(diagram labels: Connecting into App Server, Server, Apps Server, BB User, INTERNAL LAN, Connecting into Attacker Computer, Firewall, INTERNET, Attacker)

11. Attacking Anatomy
(diagram labels: Connecting into App Server, Device as a proxy, Server, Apps Server, BB User, INTERNAL LAN, Connecting into Attacker Computer, Firewall, Attacker 0wned Internal Network, INTERNET, Attacker)

12. Our Approach
• Attacking Wifi Network
• DNS Spoofing
• SSL Tunneling - http://stunnel.org
• BlackBag - http://matasano.com

13. DNS Spoofing
• Spoof DNS entry into router/DNS server
  # echo "133.7.133.7 rcp.ap.blackberry.com" >> /etc/hosts

14. DNS Spoofing
(slide image only)

15. Stunnel
• Set up 2 SSL connections
• SSL connection from BB device to attacker machine
• SSL connection from attacker machine to BB real server

16. Stunnel
• Set up 2 SSL connections
  # stunnel -d 443 -r localhost:8888
  # stunnel -c -d 8889 -r 216.9.240.88:443

17. BlackBag
• Glue the tunnel back
  # bkb replug -b localhost:8889@8888
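The redirection in slides 13 to 17 only works because the device resolves rcp.ap.blackberry.com to the attacker's address instead of 216.9.240.88. As an added example, not code from the deck, the following Python flags a hosts-file override of that relay hostname and compares resolver answers against the known-good address; the hosts text and the answer lists are constructed sample input.

```python
"""Detect the hosts-file / DNS redirection of rcp.ap.blackberry.com.

Added example, not from the slides. The relay hostname and its legitimate
address 216.9.240.88 come from the deck; 133.7.133.7 is the attacker address
the deck uses. SAMPLE_HOSTS below is constructed test input.
"""
import ipaddress

# RIM relay hostnames a device resolves and the addresses they should map to.
RIM_HOSTS = {"rcp.ap.blackberry.com": {"216.9.240.88"}}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)  # drop malformed lines rather than guessing
        except ValueError:
            continue
        for name in names:
            yield ip, name.lower().rstrip(".")


def find_overrides(hosts_text, expected=RIM_HOSTS):
    """Return hosts entries that pin a relay hostname to an unexpected address."""
    return [(ip, name) for ip, name in parse_hosts(hosts_text)
            if name in expected and ip not in expected[name]]


def check_resolution(name, answers, expected=RIM_HOSTS):
    """Return resolver answers for name that are not in the known-good set."""
    return sorted(set(answers) - expected.get(name, set()))


# Constructed sample: a resolver's hosts file after the slide 13 entry was appended.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
# constructed sample of the override from slide 13
133.7.133.7 rcp.ap.blackberry.com
"""

if __name__ == "__main__":
    print("hosts overrides:", find_overrides(SAMPLE_HOSTS))
    print("rogue answers:", check_resolution("rcp.ap.blackberry.com", ["133.7.133.7"]))
```

Run the same check against the answers your Wi-Fi resolver actually returns for the relay hostname; any address outside the expected set is the condition slides 19 to 21 depend on.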
18. BlackBag
(slide image only)

19. Attacking Anatomy
(diagram labels: search rcp.ap.blackberry.com; DNS Server: rcp.ap.blackberry.com 216.9.240.88; WIFI; RIM Network; Attacker - 133.7.133.7)

20. Attacking Anatomy
(diagram labels: rcp.ap.blackberry.com 133.7.133.7; search rcp.ap.blackberry.com; DNS Server: rcp.ap.blackberry.com 216.9.240.88; WIFI; RIM Network; Attacker - 133.7.133.7)

21. Attacking Anatomy
(diagram labels: rcp.ap.blackberry.com 133.7.133.7; search rcp.ap.blackberry.com; DNS Server: rcp.ap.blackberry.com 216.9.240.88; Tcp/443; WIFI; Tcp/8888; Tcp/443; RIM Network; Tcp/8889; Attacker - 133.7.133.7)

22. Viewable
(slide image only)

23. Viewable
(slide image only)

24. Result
(slide image only)

25. Result
• Clear text sender PIN
• Clear text recipient PIN
• Clear text message type
• Encrypted data

26. Impact
• Spam? until DDOS
• PIN abuse; such as cloning
• Blackmail; identity theft, logs
• Email and PIN mapping

27. Next
• More data to analyze (different types)
• Attack the encryption?
• Another infrastructure attacking scenario

28. Confession
(slide image only)

29. Raw Data
(slide image only)

30. Mal(Spy)ware
• The most famous Etisalat issue
• Firmware update
• Reversed by some researchers
• 100% spyware

31. Mal(Spy)ware
(slide image only)

32. POC
• Provided by Sheran Gunasekera @HITB 2009
• Bugs - forwarding emails
• PhoneSnoop - turn your BB into a spy device
• http://chirashi.zensay.com

33. Bugs
(slide image only)

34. Summary
• 0wned a BlackBerry with $20 (USD)
• Social Engineering rulez!
• BlackBerry user awareness

35. Case Stories
(slide image only)

36. Case Stories
(slide image only)

37. Case Stories
(slide image only)

38. Mitigation
• Password your device
• Turn on firewall
• Encrypt your data/media card
• Controlling downloaded applications
• Protecting GPS location
• Connect to legitimate Wifi networks

39. References
• Attack Surface Analysis of BlackBerry Devices - Symantec
• BlackBerry: Call to Arms, some provided - FtR & FX of Phenoelit
• BlackJacking: 0wning the Enterprise via BlackBerry - x30n
• Bugs & Kisses: Spying on BlackBerry Users for Fun - Sheran Gunasekera
• Seberapa Amankah Infrastruktur WIFI Blackberry device anda (How secure is your BlackBerry device's WIFI infrastructure) - y3dips & chopstick

40. Greetz
• Hermis Consulting
• Sheran Gunasekera
• staff@echo.or.id
• Info Komputer