BlackBerry Misinformation and the Smartphone Security Crisis

Rob Enderle
Slide Show

How to Protect Your Organization from Ransomware

I’m getting kind of tired of reading that BlackBerry is getting out of the hardware business; BlackBerry isn’t getting out of the hardware business. It stands alone as the only smartphone company exclusively focused on business, security and traditional communication. Until someone else steps up to meet this need, there continues to be a market for its hardware and, as a BlackBerry Priv user myself, I’d hate to see the company go.  What caused this latest group of articles was that BlackBerry is discontinuing the Classic phone. But suggesting that it is getting out of the business because it’s eliminating one phone would be like saying Apple is going to discontinue iPhones because it no longer intends to build and sell the iPhone 3. Most consumer-focused companies stop building a model after six to 12 months; business-focused companies have to hang on to designs longer, but you have to admit that the BlackBerry Classic was getting a little long in the tooth.

Let’s talk about why we need a company like BlackBerry to carry the business focus torch.

Smartphone Malware

The first big reason we need a business/security-focused platform is that there is a ton of malware focused on both iOS and Android platforms. Currently, 10 million, yes that is 10 million, Android phones are compromised by a family of auto-rooting viruses. The worst currently being tracked is called HummingBad. This is a nasty piece of work. It is sourced from a Chinese ad-based company (yep, an actual identified company has produced this nasty beast). Right now, it appears to mostly generate massive ad profits by swiping the revenues that otherwise would flow to other firms.

It is as much an attack on Google as it is an attack on you because, while in does infiltrate command and control servers, it installs promoted apps automatically, defrauds mobile advertisers, and corrupts the statistics inside the Google Play Store.  This is generating something like $300,000 a month in revenue for the firm that created it.

This class of product takes control of the phone and copies out the information on it,including pictures. It is not only capable of turning on the cameras and microphones remotely but McAfee demonstrated years ago that it could cause the phones to catastrophically fail by generating excessive heat. We don’t have direct evidence yet of a phone being made to combust but it is theoretically possible and when a phone burns up, it automatically destroys the evidence.

As you’d expect, most of the phones compromised are in China (about 1.6M) but the U.S. count is rising and is already at 286,000. The really scary part is that while it used to be that you’d get one of these things by being tricked into installing it, now it can be placed on the phone by just going to a compromised site. These are mostly porn sites, so an infection on a business phone would lead to a conversation with IT and a manager that I doubt most employees want to have. Even if the phone was infected by another site, you’d never know.

Since this is a rootkit, it survives a factory reset, it has super-user permissions so you can’t get rid of it easily, and it can access sandboxed content. So while this initial instance doesn’t appear to be doing anything particularly bad, this is China we are talking about. What a Chinese firm has, the government has, and it is capable of literally taking over the phone.

The scary stuff doesn’t stop there.

More Smartphone Attacks: Things Are Potentially Much Worse

For some time, we’ve been using phones as a major part of multi-factor authentication, thinking that this was relatively safe. Apparently, it isn’t. In a known exploit, the authentication information sent to the phone was intercepted and sent to the attacker. This comes to us care of Russia.

And hackers have been busy, because now just syncing your smartphone with your PC can compromise the phone’s ability to provide that critical second-factor authentication reliably. Some researchers are now reporting that using a phone as part of a two-factor authentication program simply may not provide the security benefits promised. Even the commonly used “call-back” method of two-factor authentication may now be compromised, according to The Register. It has actually gotten to the point that the banks using smartphones for multi-factor authentication are notifying customers of the problem and providing advice on how to observe and fix it. In fact, the banking industry began reporting the malware problem three years ago.

Wrapping Up: Why We Need BlackBerry’s Business Focus

Consumer phones are simply no longer safe enough for much of what we use them for, and for companies and governments, where the need for security is extremely high, they are not a safe option. As long as that is the case, we need at least one company where security is paramount and with which we can be better assured that these security processes actually work; otherwise, we are likely go back to removing the authorization for smartphones for business use and forcing employees to go back to using flip phones. Hey, if we have to go that way, at least Motorola is ramping the flip phone form factor up. You know, I’m told it is currently the fastest growing phone segment. Go figure.

Rob Enderle is President and Principal Analyst of the Enderle Group, a forward-looking emerging technology advisory firm.  With over 30 years’ experience in emerging technologies, he has provided regional and global companies with guidance in how to better target customer needs; create new business opportunities; anticipate technology changes; select vendors and products; and present their products in the best possible light. Rob covers the technology industry broadly. Before founding the Enderle Group, Rob was the Senior Research Fellow for Forrester Research and the Giga Information Group, and held senior positions at IBM and ROLM. Follow Rob on Twitter @enderle, on Facebook and on Google+

Add Comment      Leave a comment on this blog post
Jul 9, 2016 4:45 PM KIA Investment Research KIA Investment Research  says:
Rob, A sensational and frightening tale of smartphone security, but your gross error is presupposing the BlackBerry's Android is *more* secure than everyone else's and immune to these attacks. It's not. Both Google and Samsung have infinitely more resources than BlackBerry and can attract the world's best computer scientists to fight malware attacks like those described above. BlackBerry was once a security powerhouse, but they abandoned OS7 long ago. They then developed BB10 OS which was a catastrophic failure in the market place. Today, BlackBerry is a mere pipsqueak comparatively and cannot compete with the likes of Google and Samsung where security (or anything else) is concerned. The fatal flaw of your article is that you presuppose BlackBerry's Android is magically better than Googles and Samsung's, and you have zero information to backup that claim. Reply
Jul 11, 2016 1:42 PM Rob Enderle Rob Enderle  says: in response to KIA Investment Research
Actually I didn't really focus on the Priv at all and just on security. However this latest malware is a root kit which resides under the OS and is nasty to identify and remove on virtually any phone but something like the Priv which doesn't put Android on bare metal. The Priv loads a Blackberry kernel first, authenticates, then loads Android which means Blackberry can see that a Priv has been rooted because the root kit would reside above the Blackberry kernel arguably making it, at least with regard to root kits, far more secure. This has little to do with engineer resources but how the OS is loaded and protected on the phone. Reply
Sep 29, 2016 4:58 AM DarelRex DarelRex  says:
Less than three months later: BlackBerry is getting out of the hardware business. Reply

Post a comment





(Maximum characters: 1200). You have 1200 characters left.



Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.