The U.S. Computer Emergency Readiness Team is warning BlackBerry users about new software that could be used by hackers to turn the smartphone into a listening device.
An application called PhoneSnoop can configure the phone's speakerphone function to enable a hacker to listen to surrounding conversations remotely. The software uses a BlackBerry API to intercept incoming calls. Once the software is downloaded and installed, the software is triggered by a simple phone call, placing the device into speakerphone mode.
Sheran Gunasekera, the developer of the snooping application, wrote on his blog that he wanted to shed light on the threats posed by careless use of BlackBerry smartphones. Gunasekera said the application can be easily detected and is visible in the BlackBerry user interface.
"While the BlackBerry remains one of the more secure devices out there, user awareness and education is paramount to remaining completely safe from spyware," Gunasekera wrote.
Gunasekera posted a YouTube video demonstrating how PhoneSnoop works. He introduced the tool on Oct. 19, but only made the software available for download Oct. 23, tweaking it to allow users to create a customized trigger number.
The US-CERT warned BlackBerry users to password protect their devices and only download software from trusted sources.
"This software allows an attacker to call a user's BlackBerry and listen to personal conversations," the US-CERT said. In order to install and setup the PhoneSnoop application, attackers must have physical access to the user's device or convince a user to install PhoneSnoop."
Eric Chien, technical director at Symantec Corp.'s security technology and response division said he considered the software software a proof-of-concept and not a major threat to BlackBerry users. Writing in the Symantec blog, Chien said the snooping software raises awareness about other types of BlackBerry attack scenarios documented by researchers such as spoofing, data theft and service abuse.
The Apple iPhone is not immune to remote snooping. In 2007, security researchers Charlie Miller, Jake Honoroff and Joshua Mason demonstrated a proof-of-concept vulnerability that enabled an attacker to take full control of the iPhone including its camera and speaker. A demonstration showed the vulnerability's ability to make phone calls and send all stored data to any remote server.