This is the video of the presentation "Bugs and Kisses: Spying on BlackBerry Users for Fun", given by Sheran Gunasekera at HITB 2009.
The BlackBerry has long enjoyed a reputation as a secure platform. With not a single vulnerability reported against it in the past two years, it has quickly moved from enterprise environments into the consumer market. It is characterized by the end-to-end encryption between the handheld and the Research In Motion (RIM) servers in Canada, and on that basis it has been considered virtually sniff-proof, until now.
This talk explores other means by which BlackBerry handhelds can be compromised to sniff users' email (and optionally instant messages, web browsing traffic and SMS messages). It shows why the BlackBerry is an ideal target for a Trojan, by exploring its rich programming interface and how core functionality can be used to stay invisible. It also covers techniques that circumvent the high-grade end-to-end encryption not by attacking the cryptography but by targeting wetware: the user who installs the software, and the handheld on which the messages are already in the clear. As a real-world example, the talk takes the recent Etisalat BlackBerry spyware that was rolled out to the carrier's subscribers in the UAE to conduct lawful interception.
A live demo involving BlackBerry handhelds will be given, so all those who would like to get pwned, please bring your BlackBerries! The talk will also see the release of the "Bugs & Kisses" toolkit: Bugs, the interceptor, can be deployed on a BlackBerry handheld to sniff email, while Kisses, the detector, can be run on the handheld to detect the presence of Bugs or other Bugs-like applications.

References
The Register: http://www.theregister.co.uk/2009/07/21/etisalat_blackberry_snooping_again/
Wired, Threat Level: http://www.wired.com/threatlevel/2009/07/blackberry-spyware/

About Sheran Gunasekera
Sheran Gunasekera (chopstick) has been in the security industry for the past 7 years. He has spent the past 11 years in the Middle East, where he has worked on security projects with telecommunications providers, governments and many of the large local banks in the region. He is the founder and Head of Research of ZenConsult, a technology consulting firm based in the Asia Pacific region. His core areas of focus are web application security, mobile security and forensics. Disliked by banking software vendors and now, possibly, telcos, Sheran sees no need to sugar-coat findings from a pentest. Always an optimist, he publishes his research for free in the hope that many others can benefit from it.