Fraunhofer SIT presents initial results of their BlackBerry study
The Darmstadt-based Fraunhofer Institute for Secure Information Technology (SIT) has been commissioned by Research in Motion (RIM) to examine the security of the BlackBerry mobile communications solution. At the IDC Security Conference in Frankfurt, Markus Schumacher of SIT presented the methods and results of the first phase of this three-part project.
- The first part of the project looked at communication between the BlackBerry device and the BlackBerry Enterprise Server. It examined the cryptographic procedures, the security of the key exchange, access protection and authentication, and protection against manipulation.
- The second part of the project is to look at the BlackBerry Enterprise Server and its integration with Microsoft Exchange. This will cover key generation and the security of the interfaces, the protocol layers and the server environment.
- The third part of the project will look at the BlackBerry device itself. This will cover protection of stored content, application security, device-side key generation and protection against attacks at the network level.
Only after completion of the third phase will SIT, if the required level of security is achieved in all areas, certify the BlackBerry communications solution and release two white papers on the security of the BlackBerry device and the use of the BlackBerry Enterprise Server.
Although the first part of the project is complete, SIT has not yet published a white paper, so the initial results are available only from the IDC presentation and a corporate statement by RIM. SIT states, "So far we have found no buffer overflow vulnerabilities, no possibility to read encrypted mail communications and could not gain knowledge about long- and short-term secrets transmitted during key-exchange procedures." In other words, despite a careful search, SIT has been unable to find any vulnerabilities in these areas.
Nevertheless, the test institute has issued a series of recommendations. It has asked RIM to provide better protection against denial-of-service attacks on the device, key protection for cable activation and improvements to SRP authentication. SIT recommends that customers use AES encryption and extended IT policies, and install any future updates. In addition, customers should distribute the BlackBerry Enterprise Server components by function (e.g. MDS, Attachment Server). SIT also recommends dividing the intranet into separate security zones.
According to SIT's current assessment, the BlackBerry communications solution offers good security for general use within companies and organisations; other factors, however, also influence this security. SIT cites secure network configuration, server hardening and the behaviour of administrators and users as examples. Where a higher level of security is required, SIT recommends additional end-to-end measures, for instance e-mail encryption with S/MIME or PGP, local encryption on the BlackBerry device, or security policies and strict operating procedures for the end devices.