6

A friend's work Blackberry is configured so that phone and Internet access are disabled while the device is charging. I assumed this was a fault, but apparently it's a deliberate security policy.

Has anyone encountered this kind of policy before? And does anyone know what the security benefits are supposed to be?

this.josh
  • 8,843
  • 2
  • 29
  • 51
D. Evans
  • 163
  • 3

3 Answers3

6

Has anyone encountered this kind of policy before?

And does anyone know what the security benefits are supposed to be?

The security benefit is that the devices exposure is greatly reduced with little cost in terms of availability.

In security the risk to a given asset is described by three factors: threats, vulnerabilities and exposure.

The Blackberry is exposed to a wider threat environment whenever it is remotely accessible. That is whenever the network capabilities of the device are active; a threat (person) could attempt to remotely gain unauthorized access to the device. If the network capabilities of the device are inactive then a thread (person) must be physically adjacent to the device in order to gain access. Generally users do not like to lose network access, but when the user is charging the device, they are typically not using it. Most mobile devices get charged over night when their users are sleeping.

Additionally, if a threat was to attempt to access the device remotely and the user was interacting with the device they may notice some odd behavior. If the user is not interacting with the device they would not be able to observe any anomalies due to a remote threat.

this.josh
  • 8,843
  • 2
  • 29
  • 51
  • 1
    Thanks, that makes some sort of sense; although I'd question the "little cost in availability" given how annoying it is for the person in question! I also wonder how much reduction in attack exposure you really get from being connected 16hrs a day vs 24. It's certainly not going to be linear (attackers can wait for times when the device is very likely to be connected) and if your device is being specifically targeted it's not going to make much difference at all. But anyway, not my policy and not my device so I should probably let it go... ;) – D. Evans Oct 21 '11 at 09:13
  • Security theatre. Most blackberry exploits are client side, not really an issue if the user isn't using the device. – devnul3 Oct 22 '11 at 10:00
4

I've come across various policies like this, but not specifically for Blackberries. The only theory I've seen is that while the device is charging it's in a potentially vulnerable spot where notbody is watching it, therefore it's easier to attack.

I'm sure there are crazier and/or more sane reasons. In some cases it made sense.

In this particular case I call BS on it because it's no more vulnerable plugged in than in ones pocket.

Steve
  • 15,155
  • 3
  • 37
  • 66
  • Well - I think your first point is correct: in your pocket it is 'safe' as it is with you. Plugged in to a wall it is further away from you and possibly unmonitored. – Rory Alsop Oct 21 '11 at 14:20
  • True, but I would still weight both at the same risk. Certainly a high-ish risk, but equal. – Steve Oct 21 '11 at 16:04
3

I would assume this type of policy would be put into place to help safeguard data on the device as well as that within their corporate network. It is more than likely connected to a BES (Blackberry Enterprise Server), custom APN, or VPN or all of the above provided by the carrier.

My guess is their IT don't want people meddling around on a device via USB. Such policies would more or less prohibit tethering as well as any backdoor attempts to reload or issue commands to the device while it is connected to the network.

If you require a way to charge the device while using it and without losing network access you might consider attaching something to charge the battery directly without the use of USB ports. Some models of berries include contacts on the back for use with charging docks while others have pack panels that are exchangeable for non-OEM products like charge mats.

Squeak
  • 271
  • 1
  • 5
  • ...which will tell the OS that the battery is charging and trigger the policy. – devnul3 Oct 22 '11 at 10:02
  • Yeah, the prevention of USB access did cross my mind as a possible reason. But the device itself is perfectly capable of detecting when it's just drawing power over USB and when it's actually connected to a host. And in any case, why would you disable radio connectivity? If you wanted to discourage fiddling around over USB, wouldn't you just disable USB connectivity? – D. Evans Oct 22 '11 at 23:07
  • Realistically there is limited data available on the device itself. Many large corporations and commissions use these devices to communicate sensitive information which is controlled (you know this.) From another perspective: would a thief do better stealing a single ATM for the limited cache+cash+logs or would the thief be better with the ATM purely for the details needed to infiltrate the network? Speaking purely from experience many providers offer customized networks to anyone who's willing to front the cash. They're just trying to build security in layers. Props to them for trying! – Squeak Oct 25 '11 at 03:20