As stated in last week's WAR Report, it is widely believed that applications for mobile devices, such as cell phones and PDAs, will become an attractive target for cyberattack in 2006. According to McAfee, the anti-virus software vendor, malware created to attack mobile devices will grow from a reported 226 incidents in 2005 to more than 700 in 2006.
The newly announced BlackBerry vulnerability, disclosed less than one week into the new year, is an example of the growing threat against mobile devices. According to Research In Motion (RIM), the manufacturer of the BlackBerry device, an attacker can exploit a vulnerability in the BlackBerry Enterprise Server by sending a malicious TIFF attachment. Because attachments are processed by the server rather than on the handheld, a BlackBerry user who opens the malicious TIFF triggers a heap overflow in the attachment service on the server, which stops the attachment service from working until the server is restarted. According to RIM, a successful attack affects only BlackBerry users' ability to view attachments; it does not affect other Enterprise Server services such as sending and receiving messages, making phone calls, browsing the Internet, and running BlackBerry wireless device applications.
While this flaw may not sound serious, it may be only part of the story. According to Brian Krebs of the Washington Post, a more serious vulnerability in BlackBerry servers lies in the way they process PNG images. According to Krebs, the flaw is present in BlackBerry Enterprise Server versions 4.0 through 4.0.1.9 and could be used by an attacker to take control of the server. Specifically, if an unsuspecting BlackBerry user clicked on a corrupt PNG image, malicious code could be passed to the BlackBerry server. An attacker could then use that code to control the server and intercept e-mail, or pivot from the server to attack the rest of the network.
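Neither the RIM advisory nor the Krebs report describes the internal defect behind either image bug, so the following is an added illustration of the general bug class only: it is not BES code and does not reproduce the actual BlackBerry flaw. It shows a hypothetical server-side image converter that trusts the length field inside an attacker-supplied PNG chunk (the pattern behind both the TIFF heap overflow and the PNG code-execution flaw described above) beside a version that checks the declared length against the file and the destination buffer before copying. The function names, the fixed scratch-buffer size and the sample byte layouts are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Negative return codes from the checked converter; a non-negative return
   is the number of chunks processed. */
enum { IMG_BAD_SIG = -1, IMG_TRUNCATED = -2, IMG_OVERSIZED = -3, IMG_NOMEM = -4 };

/* A PNG is an 8-byte signature followed by chunks: 4-byte big-endian data
   length, 4-byte type, <length> bytes of data, 4-byte CRC. */
static const uint8_t PNG_SIG[8] = {0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a};
#define CHUNK_HDR 8
#define CHUNK_CRC 4
#define PNG_MAX_CHUNK 0x7FFFFFFFu /* the PNG spec caps a chunk length here */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* VULNERABLE pattern (hypothetical, not BES code): the converter allocates a
   heap scratch buffer of the size it expects and copies each chunk's payload
   into it using the length the attacker wrote into the file. A declared
   length larger than scratch_len writes past the heap allocation; one larger
   than the file reads past it. Only ever call this on trusted input. */
static int convert_unchecked(const uint8_t *file, size_t file_len, size_t scratch_len) {
    uint8_t *scratch = malloc(scratch_len);
    if (!scratch) return IMG_NOMEM;
    size_t off = sizeof PNG_SIG;
    int chunks = 0;
    while (off < file_len) {
        uint32_t len = be32(file + off);
        memcpy(scratch, file + off + CHUNK_HDR, len); /* BUG: len is unchecked */
        off += CHUNK_HDR + len + CHUNK_CRC;
        chunks++;
    }
    free(scratch);
    return chunks;
}

/* HARDENED: each declared length is checked against the spec maximum, the
   bytes actually left in the file, and the scratch buffer before any copy.
   Subtractions are ordered so that no intermediate value can wrap. */
static int convert_checked(const uint8_t *file, size_t file_len, size_t scratch_len) {
    if (file_len < sizeof PNG_SIG || memcmp(file, PNG_SIG, sizeof PNG_SIG) != 0)
        return IMG_BAD_SIG;
    uint8_t *scratch = malloc(scratch_len);
    if (!scratch) return IMG_NOMEM;
    size_t off = sizeof PNG_SIG;
    int chunks = 0, rc = 0;
    while (off < file_len) {
        if (file_len - off < CHUNK_HDR + CHUNK_CRC) { rc = IMG_TRUNCATED; break; }
        uint32_t len = be32(file + off);
        if (len > PNG_MAX_CHUNK || len > file_len - off - CHUNK_HDR - CHUNK_CRC) {
            rc = IMG_TRUNCATED; break;                 /* claims data that is not there */
        }
        if (len > scratch_len) { rc = IMG_OVERSIZED; break; } /* would overflow the heap */
        memcpy(scratch, file + off + CHUNK_HDR, len);
        off += CHUNK_HDR + len + CHUNK_CRC;
        chunks++;
    }
    free(scratch);
    return rc ? rc : chunks;
}

/* Constructed sample files (not real captures). CRC bytes are left zero
   because neither converter validates them. */
static size_t put_chunk(uint8_t *out, uint32_t declared_len, const char *type, size_t present) {
    out[0] = (uint8_t)(declared_len >> 24); out[1] = (uint8_t)(declared_len >> 16);
    out[2] = (uint8_t)(declared_len >> 8);  out[3] = (uint8_t)declared_len;
    memcpy(out + 4, type, 4);
    memset(out + CHUNK_HDR, 0, present + CHUNK_CRC);
    return CHUNK_HDR + present + CHUNK_CRC;
}
/* Well-formed minimal PNG: IHDR (13 data bytes) then IEND (0 bytes). */
static size_t build_benign(uint8_t *out) {
    memcpy(out, PNG_SIG, 8);
    size_t n = 8;
    n += put_chunk(out + n, 13, "IHDR", 13);
    n += put_chunk(out + n, 0, "IEND", 0);
    return n;
}
/* Chunk claiming 0x7FFFFFF0 data bytes when only 4 follow: an over-read. */
static size_t build_truncated(uint8_t *out) {
    memcpy(out, PNG_SIG, 8);
    return 8 + put_chunk(out + 8, 0x7FFFFFF0u, "IDAT", 4);
}
/* Chunk whose 64 declared bytes really are present but exceed a 32-byte
   scratch buffer: the heap-overflow case. */
static size_t build_oversized(uint8_t *out) {
    memcpy(out, PNG_SIG, 8);
    return 8 + put_chunk(out + 8, 64, "IDAT", 64);
}

/* Run one constructed file through a converter with a given scratch size. */
static int result_of(int (*convert)(const uint8_t *, size_t, size_t),
                     size_t (*build)(uint8_t *), size_t scratch_len) {
    uint8_t buf[128];
    return convert(buf, build(buf), scratch_len);
}

int main(void) {
    printf("benign file, 32-byte scratch:   %d chunks\n", result_of(convert_checked, build_benign, 32));
    printf("truncated chunk:                rc=%d (IMG_TRUNCATED)\n", result_of(convert_checked, build_truncated, 32));
    printf("64-byte chunk, 32-byte scratch: rc=%d (IMG_OVERSIZED)\n", result_of(convert_checked, build_oversized, 32));
    /* convert_unchecked on build_oversized with a 32-byte scratch would write
       32 bytes past the heap allocation, so it is only run on the benign file. */
    printf("unchecked on benign file:       %d chunks\n", result_of(convert_unchecked, build_benign, 32));
    return 0;
}
```

The two malformed files show the two distinct failure modes the reports describe: a declared length that exceeds the data actually present is the over-read that typically only crashes the service, while a declared length that is honest about the file but exceeds the converter's own buffer is the heap overflow that can be steered toward code execution. The checked converter rejects both before touching the heap.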
This flaw is significant in that it illustrates how a mobile device can be used as an avenue for attack. In this case, a BlackBerry handheld could be used to gain control of a server inside an otherwise protected network. Attackers are likely to continue pursuing poorly secured handheld devices as a way into an organization's internal network.