Any device connected to the Internet has an IP address. Anyone from anywhere in the world can access data anywhere the device is located through that IP address, as long as both the user and the hacker are connected to the Internet (and there isn’t anything in place to stop the hacker from getting to the data).
When attempting a direct attack via IP address, it is important to get the actual IP address of the device. That IP address provides a means to connect to the device and run an exploit against it. With traditional computer devices, that is pretty easy to do. If you are on your laptop connected to an EvDO network, you are given an IP address. That address is actually assigned to your device and represents a direct connection to your device. This is an important concept to grasp, as it differs when dealing with BlackBerrys. At my home lab, I have a Sierra Wireless AirCard 580 EvDO card with service through Verizon Wireless. I use this card extensively. Being able to check email and surf the Internet from practically anywhere in the world is invaluable, especially if you’re riding in a car. (Driving while surfing is not recommended.)
When I want to connect to the Internet with my EvDO card, I launch the Sierra Wireless AirCard 580 Watcher, a connection program that allows me to control connections with the card. Figure 3.11 shows me connected to the Verizon EvDO network.
Figure 3.11: Sierra Wireless Aircard 580 Watcher
When connected, I can run an ipconfig command to see what IP address Verizon has given me. The following are the results of that command:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\dhoffman>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Media State . . . : Media disconnected
Ethernet adapter {DB3A1545-0769-4F82-BB59-0FFEC13ED88A}:
Connection-specific DNS Suffix . :
IP Address. . . : 0.0.0.0
Subnet Mask . . . : 0.0.0.0
Default Gateway . . . :
Ethernet adapter Network Connect Adapter:
Media State . . . : Media disconnected
PPP adapter - 3G (High Speed):
Connection-specific DNS Suffix . :
IP Address. . . : 70.208.174.76
Subnet Mask . . . : 255.255.255.255
Default Gateway . . . : 70.208.174.76
C:\Documents and Settings\dhoffman>
You can see that the IP address Verizon gave me is 70.208.174.76. Another computer in my lab is connected to my wireless LAN. That wireless LAN is connected to the Internet via a broadband connection. Though my computers are sitting right next to each other, they are on completely separate networks. For all intents and purposes, one machine could be in Chicago and the other could be in Thailand.
If I ping my system connected via EvDO from my broadband-connected machine, I get the following output:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\mmgill>ping 70.208.174.76
Pinging 70.208.174.76 with 32 bytes of data:
Reply from 70.208.174.76: bytes=32 time=3126ms TTL=105
Reply from 70.208.174.76: bytes=32 time=177ms TTL=105
Reply from 70.208.174.76: bytes=32 time=184ms TTL=105
Reply from 70.208.174.76: bytes=32 time=222ms TTL=105
Ping statistics for 70.208.174.76:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 177ms, Maximum = 3126ms, Average = 927ms
If I disconnect my EvDO card from my EvDO-connected system, I should not be able to ping that IP address from my broadband-connected computer. The reason for this is that my device, which has the 70.208.174.76 IP address, is no longer connected to the network. If I try to ping, it will fail:
C:\Documents and Settings\mmgill>ping 70.208.174.76
Pinging 70.208.174.76 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 70.208.174.76:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
By this time, you are probably saying, “Duh!” If you disconnect a device from the network you shouldn’t be able to ping. But there is a reason I’m going through this. Let’s see how the BlackBerry works in a similar scenario.
In my home lab, I have my BlackBerry 8703e. This device has a built-in EvDO card and Verizon Wireless provides the service for this device. Unlike a PC, the BlackBerry doesn’t have MS-DOS or another command-line utility installed where I can do an ipconfig or ping command. That’s OK. I can check the host routing table and determine what the IP address actually is. I can also use the Internet-browsing capabilities of the BlackBerry and go to www.whatsmyip.com to determine what the rest of the world sees as my IP address. In doing so, I see that the IP address is 206.51.26.162.
From my broadband-connected PC I pinged 206.51.26.162, the IP address of my EvDO-connected BlackBerry. The results are as follows:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\dhoffman>ping 206.51.26.162
Pinging 206.51.26.162 with 32 bytes of data:
Reply from 206.51.26.162: bytes=32 time=30ms TTL=112
Reply from 206.51.26.162: bytes=32 time=31ms TTL=112
Reply from 206.51.26.162: bytes=32 time=29ms TTL=112
Reply from 206.51.26.162: bytes=32 time=30ms TTL=112
Ping statistics for 206.51.26.162:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 29ms, Maximum = 31ms, Average = 30ms
C:\Documents and Settings\dhoffman>
This probably doesn’t surprise you — if you find out the IP address of a device on the Internet you can ping it. So what’s the big deal? Well, what happens if I turn off the BlackBerry device? (This can be done by shutting down the device entirely, or just shutting down the wireless EvDO connection. For the purposes of this demonstration, I shut down the device entirely.)
After shutting off the device, I tried to ping it. The results are as follows:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\dhoffman>ping 206.51.26.162
Reply from 206.51.26.162: bytes=32 time=37ms TTL=112
Reply from 206.51.26.162: bytes=32 time=50ms TTL=112
Reply from 206.51.26.162: bytes=32 time=47ms TTL=112
Reply from 206.51.26.162: bytes=32 time=48ms TTL=112
Ping statistics for 206.51.26.162:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 37ms, Maximum = 50ms, Average = 45ms
C:\Documents and Settings\dhoffman>
After completely shutting off the BlackBerry, I’m still able to ping it! How is that possible? It’s not. A device that is powered off won’t reply to pings.
However, Research in Motion (RIM) acts as a proxy between the BlackBerry device and the Internet. The IP address of my BlackBerry device, 206.51.26.162, is actually not the IP address of my BlackBerry device. It’s the IP address of the BlackBerry Internet Service servers in Canada. So why is this a big deal?
If you are going to attack a device directly by its IP address, you need to actually connect to the device with that IP address. In the case of the PC with EvDO connectivity, that IP address was attached to the PC itself. When the PC was connected, I could ping it. When the PC was disconnected, I couldn’t ping it.
In the case of the BlackBerry, the IP address wasn’t that of the actual BlackBerry device. The BlackBerry device connected to the EvDO network, and the Internet connectivity was supplied and accessed via the BlackBerry infrastructure. Figure 3.12 shows a visual trace route going to the IP address that was believed to be the BlackBerry device, 206.51.26.162 (the BlackBerry device was off when I ran this).
As you can see, that trace route ends up going to a server registered to RIM in Waterloo, Ontario, Canada. This is true even though the BlackBerry was powered off. You may be asking yourself, Who cares?
Well, you should care. The topology that RIM has put into place is pretty smart and actually offers some protection against direct attacks that attempt to utilize IP connectivity. If the rest of the world sees the IP address of the BlackBerry device as something that is not the actual BlackBerry device, that is a good thing, even if it were to just be Network Address Translation being used. As we went to press, there were no publicly known exploits that used direct attacks and IP addresses to exploit BlackBerry devices. In addition, the topology for Internet access that RIM offers is better than just connecting the devices directly to the Internet. Does that mean that BlackBerrys are immune to direct attacks? I wouldn’t say that any computer system, including a BlackBerry, is immune to anything.
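As an added example that is not part of the book, the following Python script turns the two lessons of this section into something you can run: it parses Windows ping transcripts like the ones shown above into loss and round-trip figures, and it then applies the topology point, that a reply from an address only proves the device is up when that address is actually bound to the device. The two transcripts are retyped from the text; the BlackBerry’s own interface address is a constructed placeholder, because the book prints only the 206.51.26.162 that the rest of the world sees; and the function names `parse_windows_ping`, `classify_topology` and `device_is_up` are mine, not anything from RIM or Windows.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed samples: the two Windows ping transcripts for the EvDO-connected
# PC (70.208.174.76), retyped one output line per line from the text.
PING_PC_CONNECTED = """\
Pinging 70.208.174.76 with 32 bytes of data:
Reply from 70.208.174.76: bytes=32 time=3126ms TTL=105
Reply from 70.208.174.76: bytes=32 time=177ms TTL=105
Reply from 70.208.174.76: bytes=32 time=184ms TTL=105
Reply from 70.208.174.76: bytes=32 time=222ms TTL=105
Ping statistics for 70.208.174.76:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
"""

PING_PC_DISCONNECTED = """\
Pinging 70.208.174.76 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 70.208.174.76:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
"""

# Constructed placeholder: the book never prints the handset's own interface
# address, only the 206.51.26.162 that the Internet sees.
BLACKBERRY_LOCAL_IP_PLACEHOLDER = "10.0.0.2"
BLACKBERRY_OBSERVED_IP = "206.51.26.162"   # value from the text

TARGET_RE = re.compile(r"^Pinging (\S+) with \d+ bytes of data")
REPLY_RE = re.compile(r"^Reply from (\S+): bytes=\d+ time[=<](\d+)ms TTL=(\d+)")
STATS_RE = re.compile(r"Packets: Sent = (\d+), Received = (\d+), Lost = (\d+)")


@dataclass
class PingResult:
    target: str
    sent: int = 0
    received: int = 0
    rtts_ms: List[int] = field(default_factory=list)

    @property
    def loss_pct(self) -> float:
        return 100.0 * (self.sent - self.received) / self.sent if self.sent else 0.0

    @property
    def reachable(self) -> bool:
        return self.received > 0


def parse_windows_ping(output: str) -> PingResult:
    """Parse the transcript of a Windows ping run into counts and RTT samples."""
    result: Optional[PingResult] = None
    for raw in output.splitlines():
        line = raw.strip()
        m = TARGET_RE.match(line)
        if m:
            result = PingResult(target=m.group(1))
            continue
        if result is None:
            continue                      # banner lines before the header
        m = REPLY_RE.match(line)
        if m:
            result.rtts_ms.append(int(m.group(2)))
            continue
        m = STATS_RE.search(line)
        if m:
            result.sent, result.received = int(m.group(1)), int(m.group(2))
    if result is None:
        raise ValueError("no 'Pinging <host> with ...' header in output")
    return result


def classify_topology(local_ip: str, observed_ip: str) -> str:
    """Compare the address the device reports for itself (ipconfig, host routing
    table) with the address the Internet sees (a what-is-my-IP site).
    'direct'       : one public address bound to the device itself (the EvDO PC)
    'intermediary' : the public address belongs to a NAT or proxy in front of the
                     device (the BlackBerry behind RIM's infrastructure)"""
    local = ipaddress.ip_address(local_ip)
    observed = ipaddress.ip_address(observed_ip)
    if local == observed and local.is_global:
        return "direct"
    return "intermediary"


def device_is_up(ping: PingResult, topology: str) -> Optional[bool]:
    """What a ping result proves about the device. With an intermediary in the
    path a reply only shows the intermediary is up, so the answer is unknown."""
    if topology == "direct":
        return ping.reachable
    return None


if __name__ == "__main__":
    for label, text in (("PC connected", PING_PC_CONNECTED),
                        ("PC disconnected", PING_PC_DISCONNECTED)):
        r = parse_windows_ping(text)
        topo = classify_topology(r.target, r.target)   # ipconfig showed the same address
        print(f"{label}: {r.received}/{r.sent} replies, {r.loss_pct:.0f}% loss, "
              f"device up: {device_is_up(r, topo)}")
    # Powered-off BlackBerry run from the text: 4 replies, yet the device is off.
    bb = PingResult(BLACKBERRY_OBSERVED_IP, sent=4, received=4, rtts_ms=[37, 50, 47, 48])
    topo = classify_topology(BLACKBERRY_LOCAL_IP_PLACEHOLDER, BLACKBERRY_OBSERVED_IP)
    print(f"BlackBerry: topology {topo}, device up from a reply: {device_is_up(bb, topo)}")
```

The point of `device_is_up` returning `None` rather than `True` for the BlackBerry case is the whole argument of this section: four clean replies from 206.51.26.162 while the handset is switched off are a fact about RIM’s servers, not about the handset, so any reachability check or inventory script that treats the observed address as the device will draw the wrong conclusion.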
Figure 3.12: A visual traceroute going to the BlackBerry’s IP Address
You may know that BlackBerrys come equipped with a firewall. Per BlackBerry, “The firewall option is designed to prevent third-party applications from transmitting without your knowledge.” Basically, it firewalls what third-party applications can do on the BlackBerry device. This is certainly a good thing, but it should not be confused with a network-type firewall that protects the device from someone or something trying to attack it at a network layer. Let’s talk about that.
At the time this book was written (I’m sure you’re getting tired of this disclaimer!), there were no known third-party personal firewalls for BlackBerry devices. But I wouldn’t be surprised if we start seeing them before long. Again, we have to look at mobile devices, such as BlackBerrys, the same way we look at PCs and any other types of computer systems. This really comes down to best security practices. Any device that has the potential to connect to the Internet and other networks should have security software installed that can control external access to the computer. Currently, that’s not the case with BlackBerrys. That’s not to say that the BlackBerry firewall is worthless — it certainly is not. However, understanding that there isn’t a security component controlling access at layer 2 and layer 3 is important. That doesn’t mean you should be frightened. It does, however, mean that you should be aware.
Being aware means that you should be on the lookout for vulnerabilities and exploits that have the potential to attack BlackBerrys at these layers. You should also be on the lookout for future products and services that will provide this functionality. Again, security is an ongoing process. Just because there aren’t a bunch of publicly known methods to attack BlackBerrys directly today, don’t be naïve enough to think that they won’t be around tomorrow.
Attacking via Malware
You learned about direct attacks via IP addresses on BlackBerrys; now you’ll learn how malware can lead to a direct attack. Malware can do things such as allow a hacker
■■ Remote control over your system
■■ Access to every file on your system
■■ The ability to see what is happening on your system
■■ A way to capture every keystroke entered on your system
■■ Silent, undetected access to all of the above
Whether it’s a PC, a BlackBerry, or any computer system, having any of these things happen is very dangerous. This is especially true for enterprises that have millions of dollars (and, potentially, lives) at stake should a person with malicious intent gain this kind of access.
As mentioned in Chapter 1, “Understanding the Threats,” there are a few standard ways to protect against direct attacks coming from malware:
■■ Ensure antimalware applications are installed on the computer system
■■ Ensure an enterprise-grade firewall with IPS/IDS capability is installed on the system
■■ Ensure the system has the latest security patches
■■ Educate end users about actions that can potentially put their computer systems at risk
Let’s look at each of these options individually, starting with antimalware applications.