2. [ Yury Chemerkin ]
www.linkedin.com/in/yurychemerkin
http://sto-strategy.com
Experienced in:
Reverse Engineering & AV
Software Programming & Documentation
Mobile Security and MDM
Cyber Security & Cloud Security
Compliance & Transparency
and Security Writing
Hakin9 Magazine, PenTest Magazine, eForensics Magazine,
Groteck Business Media
Participation in conferences
InfoSecurityRussia, NullCon, AthCon, PHDays
CYBERCRIME FORUM, Cyber Intelligence Europe/Intelligence-Sec
ICITST, CyberTimes, ITA, I-Society
yury.chemerkin@gmail.com
3. BLACKBERRY SECURITY ENVIRONMENT
BLACKBERRY EVALUATES EVERY REQUEST THAT AN APPLICATION MAKES TO ACCESS A CAPABILITY
BLACKBERRY ENTERPRISE SERVICE HELPS MANAGE AND PROTECT BLACKBERRY, IOS, AND ANDROID DEVICES.
UNIFIED COMMUNICATION AND COLLABORATION SOFTWARE
DESIGNED TO HELP PROTECT DATA THAT IS IN TRANSIT AT ALL POINTS AS WELL AS IN MEMORY AND STORAGE
ENHANCED BY CONTROL OF THE BEHAVIOR OF THE DEVICE
PROTECTION OF APPLICATION DATA USING SANDBOXING
MANAGEMENT OF PERMISSIONS TO ACCESS CAPABILITIES
BB EVALUATES EVERY REQUEST THAT AN APP MAKES – BUT THE VENDOR GIVES NO DETAILS OF THE CHECKS OR THE APIs INVOLVED
4. KNOWN ISSUES
MALWARE BOUNDS BECOME UNCLEAR…
BLACKBERRY HANDLES SEVERAL TECHNOLOGIES
NATIVE
BLACKBERRY 10, BLACKBERRY PLAYBOOK
OLD BLACKBERRY DEVICES
THIRD PARTY
ADOBE AIR FOR NEW BB DEVICES
ANDROID APPLICATIONS & DEVICES
IOS DEVICES
ALL CONTROLLED OBJECTS ARE LIMITED BY
SANDBOX
PERMISSIONS
SECURITY FEATURES ON DEVICEs & MDMs
COMPLIANCE BRINGS USELESS RECOMMENDATIONS
USER-MODE MALWARE
SPYWARE
ROOTKITS
EXPLOITS & ATTACKS
REVERSING NETWORK LAYER
PARTIALLY RECOVERING DATA VS. SANDBOX
MDM vs. COMPLIANCE
A FEW RECOMMENDATIONS
THE SET IS SMALLER THAN THE SET OF MDM FEATURES
YOUNG STANDARDS
FIRST REVISIONS
DRAFT REVISIONS
6. BLACKBERRY CAPABILITIES - ANDROID
ONLY FOUR GROUPS CONTROLLED by BlackBerry
CAMERA AND VIDEO
HIDE THE DEFAULT CAMERA APPLICATION
PASSWORD
DEFINE PASSWORD PROPERTIES
REQUIRE LETTERS (incl. case)
REQUIRE NUMBERS
REQUIRE SPECIAL CHARACTERS
DELETE DATA AND APPLICATIONS FROM THE DEVICE AFTER INCORRECT PASSWORD ATTEMPTS
DEVICE PASSWORD
ENABLE AUTO-LOCK
ONLY 74 OUT OF 200 APIs CONTROLLED by Android
LIMIT PASSWORD AGE
LIMIT PASSWORD HISTORY
RESTRICT PASSWORD LENGTH
MINIMUM LENGTH ALLOWED FOR THE DEVICE PASSWORD
ENCRYPTION
APPLY ENCRYPTION RULES
ENCRYPT INTERNAL DEVICE STORAGE
TOUCHDOWN SUPPORT
MICROSOFT EXCHANGE SYNCHRONIZATION
EMAIL PROFILES
ACTIVESYNC
8. BLACKBERRY CAPABILITIES - iOS
ONLY 16 GROUPS CONTROLLED by BlackBerry
BROWSER
that's QUITE SIMILAR to APPLE MDM SOLUTIONS
DEFAULT APP, AUTOFILL, COOKIES, JAVASCRIPT, POPUPS
MESSAGING (DEFAULT APP)
BACKUP / DOCUMENT / PICTURE / SHARING
ONLINE STORE
CAMERA, VIDEO, VIDEO CONF
CERTIFICATES (UNTRUSTED CERTs)
MESSAGING (DEFAULT APP)
CLOUD SERVICES
PASSWORD (THE SAME WITH ANDROID, NEW BLACKBERRY DEVICES)
PHONE AND MESSAGING (VOICE DIALING)
CONNECTIVITY
OUTPUT, SCREEN CAPTURE, DEFAULT APP
BACKUP / DOCUMENT / PICTURE / SHARING
ONLINE STORES, PURCHASES, PASSWORD
DEFAULT STORE / BOOK / MUSIC APP
PROFILE & CERTs (INTERACTIVE INSTALLATION)
NETWORK, WIRELESS, ROAMING
DATA, VOICE WHEN ROAMING
SOCIAL (DEFAULT APP)
CONTENT (incl. EXPLICIT)
RATING FOR APPS/ MOVIES / TV SHOWS / REGIONS
CONTENT
DIAGNOSTICS AND USAGE (SUBMISSION LOGS)
STORAGE AND BACKUP
SOCIAL APPS / GAMING / ADDING FRIENDS / MULTI-PLAYER
DEFAULT SOCIAL-GAMING / SOCIAL-VIDEO APPS
DEVICE BACKUP AND ENCRYPTION
VOICE ASSISTANT (DEFAULT APP)
10. BLACKBERRY CAPABILITIES – BLACKBERRY (QNX)
ONLY 7 GROUPS CONTROLLED by BlackBerry
that's NOT ENOUGH TO MANAGE ALL APIs
GENERAL
MOBILE HOTSPOT AND TETHERING
PLANS APP, APPWORLD
PASSWORD (THE SAME WITH ANDROID, iOS)
BES MANAGEMENT (SMARTPHONES, TABLETS)
SOFTWARE
OPEN LINKS FROM WORK EMAIL MESSAGES IN THE PERSONAL BROWSER
TRANSFER THROUGH THE WORK PERIMETER TO THE SAME/ANOTHER DEVICE
BBM VIDEO ACCESS TO WORK NETWORK
VIDEO CHAT APP USES ORGANIZATION’S WI-FI/VPN NETWORK
SECURITY
CERTIFICATES & CIPHERS & S/MIME
HASH & ENCRYPTION ALGS AND KEY PARAMS
TASK/MEMO/CALENDAR/CONTACT/DAYS SYNC
WI-FI PROFILES
WIPE WORK SPACE WITHOUT NETWORK, RESTRICT DEV. MODE
VOICE CONTROL & DICTATION IN WORK & USER APPS
BACKUP AND RESTORE (WORK) & DESKTOP SOFTWARE
PC ACCESS TO WORK & PERSONAL SPACE (USB, BT)
PERSONAL SPACE DATA ENCRYPTION
EMAIL PROFILES
NETWORK ACCESS CONTROL FOR WORK APPS
PERSONAL APPS ACCESS TO WORK CONTACTS
SHARE WORK DATA DURING BBM VIDEO SCREEN SHARING
WORK DOMAINS, WORK NETWORK USAGE FOR PERSONAL APPS
ACCESS POINT, DEFAULT GATEWAY, DHCP, IPV6, SSID, IP ADDRESS
PROXY PASSWORD/PORT/SERVER/SUBNET MASK
VPN PROFILES
PROXY, SCEP, AUTH PROFILE PARAMS
TOKENS, IKE, IPSEC OTHER PARAMS
PROXY PORTS, USERNAME, OTHER PARAMS
12. BLACKBERRY CAPABILITIES – BLACKBERRY (OLD)
AN INCREDIBLE NUMBER OF GROUPS, UNITS AND PERMISSIONS ARE CONTROLLED BY THE MDM AND THE DEVICE
THERE ARE 55 CONTROLLED GROUPS IN ALL
EACH GROUP CONTAINS 10 TO 30 UNITS, WHICH ARE CONTROLLED TOO
EACH UNIT HAS MANY FLEXIBLE PARAMs INSTEAD OF A SIMPLE ‘ENABLE/DISABLE & HIDE/UNHIDE’
EACH EVENT IS
CONTROLLED BY A CERTAIN PERMISSION
ALLOWED TO BE CONTROLLED BY SIMILAR PERMISSIONS, TO BE MORE FLEXIBLE
DESCRIBED IN 360 PAGES IN ALL, FOUR TIMES MORE THAN THE OTHER DOCUMENTS
A UNIT CANNOT CONTROL THE ACTIVITY BENEATH ITSELF
‘CREATE, READ, WRITE/SAVE, SEND, DELETE’ ACTIONS ON MESSAGES LEAD TO SPOOFING
BY REQUESTING A ‘MESSAGE’ PERMISSION ONLY
SOME ACTIONS REQUIRE NO PERMISSION AT ALL (E.G. DELETING ANY OTHER APP)
SOME PERMISSIONS ARE TIED TO THE APP IN WHICH A 3RD PARTY PLUGIN WAS EMBEDDED, INSTEAD OF THAT PLUGIN
14. ISSUES: USELESS SOLUTIONS - I
USEFUL IDEAS AT FIRST GLANCE
BUT INSTEAD MAKE NO SENSE
OLD BB: MERGING PERMISSIONS INTO GROUPS
‘SCREEN CAPTURE, CAMERA, VIDEO PERMISSIONS’ SEPARATED (PREVIOUS BB)
‘SCREEN CAPTURE, CAMERA, VIDEO PERMISSIONS’ MERGED INTO ONE UNIT (LATEST BB)
QNX-BB: SCREEN CAPTURE
IS ALLOWED VIA HARDWARE BUTTONS ONLY
NO EMULATION OF HARDWARE BUTTONS, AS THERE WAS ON OLD BLACKBERRY DEVICES
LOCKED WHILE THE WORK PERIMETER IS ACTIVE, TO PREVENT SCREEN-CAPTURE LOGGERS
OLD BB: A SANDBOX HAS NEVER BEEN ANNOUNCED
ALL DATA IS ACCESSIBLE EXCEPT APP & SYSTEM DATA, THANKS TO A GENERAL PERMISSION
QNX-BB: OFFICIALLY ANNOUNCED SANDBOX
MALWARE IS A PERSONAL APPLICATION SUBTYPE IN TERMS OF BLACKBERRY’s SECURITY
SANDBOX PROTECTS ONLY APP DATA, WHILE USER DATA IS STORED IN SHARED FOLDERS
15. ISSUES: USELESS SOLUTIONS - II
USEFUL IDEAS AT FIRST GLANCE
BUT INSTEAD MAKE NO SENSE
OLD BB: SECURE & INSECURE IM CHATS AT THE SAME TIME
HAS ENCRYPTED COMMUNICATION SESSIONS
STORES CHAT CONVERSATIONS IN PLAIN TEXT WITHOUT ENCRYPTION (EVEN BBM)
INACCESSIBLE FROM THE DEVICE ONLY BECAUSE THE FILE TYPE (.CSV) IS UNKNOWN TO IT
UPGRADE FEATURE AFFECTS EVERYTHING
UPDATE AN APP THAT CALLS THIS API – USES THE GENERAL API
REMOVE AN APP THAT CALLS THIS API – USES THE GENERAL API
REMOVE ANY OTHER APP UNDER THE SAME API WITHOUT NOTIFICATION
HANDLED WITH PC TOOLS ON OLD BB DEVICES WITHOUT DEBUG / DEVELOPMENT MODE
OLD BB: CLIPBOARD (A SEPARATE CLIPBOARD CONTROL HAS NEVER EXISTED ANYWHERE, AND MAY NEVER)
REVEAL THE DATA IN REAL TIME BY ONE API CALL
NATIVE WALLETS PROTECT THEMSELVES BY RETURNING NULL
WHILE THE WALLET IS ON TOP || JUST MINIMIZE OR CLOSE IT TO GET FULL ACCESS
EVERY USE CASE REQUIRES MINIMIZING THE APP TO PASTE A PASSWORD
17. ISSUES: USELESS SOLUTIONS – III
THE GUI EXPLOITATION (OLD BB) – NATIVE APPs
INITIALLY BASED ON AN AUTHORIZED API THAT COVERS
ALL PHYSICAL & NAVIGATION BUTTONS
TYPING TEXTUAL DATA; AFFECTS ALL APPs
SECONDARILY BASED ON ADDING MENU ITEMS
INTO THE GLOBAL / “SEND VIA” MENU
AFFECTS ALL NATIVE APPLICATIONS
NATIVE APPs ARE DEVELOPED BY BLACKBERRY
WALLETS, SOCIAL, SETTINGS, IMs,…
GUI EXPLOITATION
REDRAWING THE SCREENS
GRABBING THE TEXT FROM ANY FIELD (INCL. PASSWORD FIELDS)
ADDING, REMOVING THE FIELD DATA
ORIGINAL DATA IS INACCESSIBLE BUT NOT AFFECTED
ADDING GUI OBJECTS BUT NOT SHUFFLING THEM
3RD PARTY SECURITY SOLUTIONS RUIN THE SECURITY
KASPERSKY MOBILE SECURITY PROVIDES
FIREWALL, WIPE, BLOCK, INFO FEATURES
NO PROTECTION FROM REMOVING .CODs & FROM RUNNING UNDER A SIMULATOR
EXAMINING THE TRAFFIC, BEHAVIOUR
IT SHOULD JUST CHECK THE “IS SIMULATOR” API
SMS MANAGEMENT VIA “QUITE” SECRET SMS
PASSWORD IS 4–16 DIGITS, AND MODIFIED IN REAL TIME
SMS CARRIES HALF A GOST R 34.11-94 HASH VALUE
IMPLEMENTATION USES TEST CRYPTO VALUES AND NO SALT
TABLES (VALUE→HASH) ARE EASILY BUILT
OUTGOING SMS CAN BE SPOOFED WITHOUT ANY NOTIFICATION, BECAUSE KMS DELETES THE SENT MESSAGES
OUTGOING SMS BLOCKS/WIPES THE SAME/ANOTHER DEVICE
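The point of the "secret SMS" bullets is that an unsalted hash of a digit-only password is reversible by a precomputed table, and truncating the digest to half does not change that. The following is an added example written for this page, not Kaspersky's or BlackBerry's code. It assumes SHA-256 as a stand-in for GOST R 34.11-94 (which is not in Python's standard library; the attack depends only on the absence of a salt and the small password space, not on the hash function), a constructed 4-digit PIN, and a hypothetical per-device secret for the hardened variant:

```python
import hashlib
import hmac
import itertools
from typing import Dict, Optional

# Assumption: SHA-256 stands in for GOST R 34.11-94, which the standard
# library does not provide. Nothing below relies on the specific function.
PIN_ALPHABET = "0123456789"


def half_hash(pin: str) -> str:
    """Model of the scheme on the slide: the control SMS carries half of the
    digest of the digit-only password, with no salt and no device secret."""
    digest = hashlib.sha256(pin.encode("ascii")).hexdigest()
    return digest[: len(digest) // 2]


def build_table(length: int) -> Dict[str, str]:
    """Precompute half-hash -> PIN for every numeric PIN of the given length.
    For 4 digits that is 10,000 hashes, i.e. instantaneous on any laptop."""
    table: Dict[str, str] = {}
    for digits in itertools.product(PIN_ALPHABET, repeat=length):
        pin = "".join(digits)
        table[half_hash(pin)] = pin
    return table


def recover_pin(observed_sms_value: str, table: Dict[str, str]) -> Optional[str]:
    """Turn a sniffed (or spoofable) SMS value back into the PIN by one lookup.
    Returns None when the value was not produced by the modelled scheme."""
    return table.get(observed_sms_value)


def keyed_half_hash(pin: str, device_secret: bytes) -> str:
    """Hardened variant (an assumption of this example, not the product's
    code): an HMAC keyed with a per-device secret established at enrolment.
    A table built without that secret no longer matches anything."""
    tag = hmac.new(device_secret, pin.encode("ascii"), hashlib.sha256).hexdigest()
    return tag[: len(tag) // 2]


if __name__ == "__main__":
    table = build_table(4)
    # Constructed sample input: a 4-digit PIN and the SMS value derived from it.
    sniffed = half_hash("4711")
    print("unsalted half-hash:", sniffed, "-> PIN", recover_pin(sniffed, table))
    # Hypothetical device secret; in practice it would come from enrolment.
    keyed = keyed_half_hash("4711", b"per-device-secret-from-enrolment")
    print("keyed half-hash:   ", keyed, "-> PIN", recover_pin(keyed, table))
```

The table costs 10^n hashes for an n-digit PIN, so the precomputation is practical at the short end of the 4–16 digit range; for longer PINs the same unsalted design still allows an online brute force against the captured value, just without the storage. The keyed variant forces an attacker to obtain the device secret first, which is exactly the step the slide says the original scheme never requires.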
21. CONCLUSION - I
PRIVILEGED GENERAL PERMISSIONS
OWN APPs, NATIVE & 3RD PARTY APPs FEATURES
DENIAL OF SERVICE
GENERAL PERMISSIONS
REPLACING/REMOVING EXEC FILES
DoS’ing EVENTs, NOISING FIELDS
GUI INTERCEPT
INFORMATION DISCLOSURE
INSTEAD OF SPECIFIC SUB-PERMISSIONS
A FEW NOTIFICATION/EVENT LOGs FOR THE USER
BUILT PER APPLICATION INSTEAD OF PER APP SCREEN
CONCRETE PERMISSIONS
CLIPBOARD, SCREEN CAPTURE
GUI INTERCEPT
DUMPING .COD FILES, SHARED FILES
MITM (INTERCEPTION / SPOOFING)
MESSAGES
GUI INTERCEPT, THIRD PARTY APPs
FAKE WINDOW/CLICKJACKING
BUT COMBINED INTO A GENERAL PERMISSION
A SCREENSHOT PERMISSION IS PART OF THE CAMERA PERMISSION
22. CONCLUSION - II
THE VENDOR'S SECURITY VISION
HAS NOTHING TO DO WITH REALITY
AGGRAVATED BY SIMPLICITY
SIMPLIFICATION AND REDUCTION OF SECURITY CONTROLS
MANY GENERAL PERMISSIONS, COMBINED INTO EACH OTHER
NO ACTIVITY LOGs FOR SUB-PERMISSIONS TO PROVE TRANSPARENCY
ANY SECURITY VULNERABILITY IS ONLY FIXED BY AN ENTIRELY NEW AND DIFFERENT OS / KERNEL
ONLY A FEW PERMISSIONs ARE CLOSE TO USER ACTIONS
THE SANDBOX PROTECTS ONLY APPLICATION DATA
USERS HAVE TO STORE THEIR DATA IN SHARED FOLDERS OR EXTERNAL STORAGE
APPLICATIONS CONTINUE TO STORE DATA IN PUBLIC FOLDERs BECAUSE THE CHOICE IS GOVERNED BY AVAILABILITY
MITM / INTERCEPTION ACTIONS ARE OFTEN SILENT
THE NATIVE SPOOFING AND INTERCEPTION FEATURES
BLACKBERRY ENTERPRISE SOLUTION / BLACKBERRY MOBILE FUSION IS NOT VERY EFFECTIVE
THE BEST SECURITY (PERMISSIONS) MODEL IS THE ONE RULED BY AMAZON WEB SERVICES
PERMISSIONS SHOULD RELY ON A SET OF DIFFERENT USEFUL CASES INSTEAD OF A SPECIFIC PERMISSION LIST