A new threat that could make BlackBerry devices vulnerable to attack requires "several reaching assumptions", according to Research In Motion.
The BBProxy attack, demonstrated by security specialist Jesse D'Aguanno, opens a back channel bypassing the organisation's gateway security mechanisms between the hacker and the inside of the victim's network.
"The scenario depicted makes several reaching assumptions about a BlackBerry Enterprise Server deployment," said RIM in a statement.
The attack is only possible if the built-in security policies of the BlackBerry Enterprise Server are not enabled, the company claimed.
"The ability to load and run any third-party software on a BlackBerry device is controlled by an IT policy setting on the BlackBerry Enterprise Server, which would have to be allowed by the administrator," said RIM.
"Furthermore, the ability for a third-party application to make an external connection from a BlackBerry device is also controlled by an IT policy setting in BlackBerry Enterprise Server and would have to be allowed by the administrator.
"In addition, the ability for the BlackBerry Mobile Data System to have access to systems on an internal network is also controlled by an IT policy setting in BlackBerry Enterprise Server, which would also have to be allowed by the administrator."
RIM also stated that it would not be possible to infect a handheld by emailing the malware to an unsuspecting user as an attachment, since the BlackBerry Enterprise Server does not allow users to download attachments to the device.
The company has published two PDF documents outlining the security measures users should take:
RIM plays down BlackBerry hack threat
By Will Head on Aug 15, 2006 2:13PM