Sheran Gunasekera (Head of Research & Development, ZenConsult)

Presentation Title

Bugs and Kisses: Spying on BlackBerry Users for Fun

Presentation Abstract

The BlackBerry has always enjoyed a reputation of being a secure platform. Without having a single vulnerability reported on it for the past two years, it has quickly moved from enterprise environments into consumer ones. It is characterized by the end-to-end encryption that exists between the user and the Research In Motion (RIM) servers in Canada. It has been considered virtually sniff-proof, until now.

This talk explores other ways in which BlackBerry handhelds can be compromised to sniff users' email (and optionally instant messages, web browsing traffic, and SMS messages). It will show why the BlackBerry is an ideal target to Trojan, by exploring its rich programming interface and how to make use of core functionality to stay invisible. It also focuses on techniques that can be adopted to circumvent the high-grade, end-to-end encryption by targeting wetware. The talk takes a real-world example: the recent Etisalat BlackBerry spyware that was rolled out in the UAE to its subscribers to conduct legal interception.

A live demo involving BlackBerry handhelds will be provided, so all of those who like to get pwned, please bring your BlackBerries! The talk will also see the release of the “Bugs & Kisses” toolkit. Bugs, the interceptor, can be deployed on BlackBerry handhelds to sniff emails, while Kisses, the detector, can be used on the handhelds to detect the presence of Bugs or other Bugs-like applications.


About Sheran Gunasekera

Sheran Gunasekera (chopstick) has been in the security industry for the past 7 years. He has spent the past 11 years in the Middle East where he has worked on security projects with telecommunications providers, governments and many large local banks in the region. He is the founder and Head of Research for ZenConsult, a technology consulting firm based in the Asia Pacific region. His core areas of focus are Web Application Security, Mobile Security and Forensics. Disliked by banking software vendors and now, possibly, telcos, Sheran sees no need to sugar-coat findings from a pentest. Always an optimist, he publishes his research for free in the hope that many others can benefit from it.