Just received a nice email from Aaron Searle at Symantec. There is a good write-up about a proof-of-concept tool called PhoneSnoop that targets BlackBerry devices.
The Symantec write-up can be found here and the full write-up of the BlackBerry attack surface can be found here. The PhoneSnoop application is very interesting because it can turn the speakerphone on automatically when a call is received from a specific number.
We often get questions about how someone can get involved and make a difference in computer security. Personally, I see the smart-phone attack surface as one that has not been reviewed enough. While I think the write-up from Symantec is great (thanks Aaron), I think there are other things we need to address as well.
Sometimes malware is not "malware," rather it may be sold as something else entirely. For example, MobileSpy. They also have a version called iPhone Spy. Currently, this product works with the iPhone (of course), Symbian OS and Windows Mobile. That is pretty good coverage of the existing market of phones. While these tools are marketed towards parents who want to monitor their teens' smart-phone usage, they could be used in a variety of other "interesting" attack scenarios.
Now, these tools currently require an attacker to have physical access to the phone, but they demonstrate the capabilities of smart-phone malware. When you couple this with the relatively weak security models of the underlying operating systems of many of these phones, this area becomes an excellent one for more study.
The reason I am harping on this is because there are some very solid security researchers working on this issue. Just look at the work of Charlie Miller and Collin Mulliner at the last Black Hat.
The thing that gets me is that while the attacks have been cool, I have seen very little from most organizations to try and mitigate the risks associated with these devices. Also, many of our customers have stated, very clearly, that attacking their employees' phones is off limits for our penetration tests.
This is where the concepts of traditional penetration testing fail. An attacker does not have limitations. As Dave from Immunity said recently, it is hard to model obsession. It is also hard to be a white-hat hacker when there are a number of attack vectors that only black-hats would go after.
So I propose this to most organizations: any device that has any organizational data on it needs to be under the control of that organization. The organizational policies also need to reflect that its data does not reside on any non-organizational device.
For all penetration testers out there, we need to start explicitly requesting that these devices be in scope. If the organization says "no," that is okay. We need to document the fact that these devices pose a risk to the organization and that the customer requested that they not be tested. I fear that as we progress as a profession, we will be held accountable for what we don't find. In some ways that is okay. However, when the customer ties our hands and we do not discover a risk, we need some level of protection.