A new proof-of-concept (PoC) application enables an attacker to remotely activate a BlackBerry microphone and listen in on surrounding sounds and conversations.
The application, called PhoneSnoop, was released last week on the blog of security researcher Sheran Gunasekera. To download and install the application, an attacker would need physical access to a BlackBerry device and to know a PIN, if the owner uses one to lock his or her device.
After PhoneSnoop is installed on a device, when a call is received from a preconfigured number, the BlackBerry automatically answers the phone, allowing an attacker to listen in, Marc Fossi, senior researcher at Symantec Security Response told SCMagazineUS.com on Thursday. Once the call is connected, the BlackBerry is set to speakerphone, increasing the microphone's sensitivity to pick up sound from far distances.
“First and foremost, the most important thing about this is it's a proof of concept, Fossi said. "It's not something you need to worry about right now."
There are a few tipoffs that the application was not designed with malicious intent but as a means to illustrate that an attack of this nature is possible, he said. For one, the program makes no attempts to hide from the user – the application would be listed under the user's installed programs and a small icon for the application would be visible on the BlackBerry.
“It's not like if you had some trojan running on your computer in the background and you couldn't see it,” Fossi said.
Also, the attack would be fairly obvious to the user, he added. To launch the attack, a call would have to come in, and the phone would indicate a call was in progress. So, to launch a successful attack, users would have to not notice the incoming call or the fact that a call was in session on their phone.
There are a number of built-in security features available to BlackBerry users that can help protect against malicious applications, Scott Totzke, vice president of the smartphone maker's security group, told SCMagazineUS.com in an email Thursday.
“BlackBerry smartphones include a firewall that can be set to prevent an application from making external connections," Totzke said. "Passwords can be used for not only unlocking the device. They can also be required to authorize downloading an application to the device."
On Tuesday, US-CERT issued an advisory about the application, urging BlackBerry users to only download trusted applications and to password-protect their devices.