I was just reading a recap article on SearchSecurity by Patrick Gray, who is attending the Kiwicon security conference in the land down under. He just reported on a presentation by Graeme Neilson of Aura Software Security about how easy it is to load a Trojan on a BlackBerry device.
Kiwicon day two got off to a cracking start on November 18 with a presentation by Graeme Neilson from Aura Software Security. He showed delegates precisely how easy it is to Trojan BlackBerrys.
But all code that runs on BlackBerrys is signed, right?
Yes, Neilson says, but the maker of the portable device, Research In Motion (RIM), isn’t too fussy about who it sells certs to. If you want to get your Trojan code signed to run on a BlackBerry, just go to the Research In Motion Web site, plug in your details, pay a fee and voila! You’re in business.
Keep in mind that whoever is behind the Trojan would first have to convince you to download their application and then get you to click through all of those “allow access to” prompts, but this is still surprising. The idea behind RIM’s certificates is that application developers need them to access certain modules on your BlackBerry. The problem is that now that these certificates are so easy to get…you get the point.