BlackBerry8217;s armor has cracks: Security experts

India,Lebanon,Saudi Arabia and the United Arab Emirates say they need RIM8217;s cooperation so they can decode messages scrambled with BlackBerry8217;s proprietary technology. They have threatened to restrict RIM8217;s operations if the company won8217;t meet their demands,which they say are driven by national security concerns.

But if RIM doesn8217;t back down,the governments themselves could instead choose to hack into the BlackBerry network.

8220;I could design a good hundred ways to gain access,8221; said Bruce Schneier,a security expert who is chief security technology officer for BT.

Officials with Canada8217;s RIM did not respond to a request for comment.

Security experts say they8217;d almost certainly attack at the network8217;s most vulnerable points: the BlackBerry smartphone itself and the BlackBerry server. Those two pieces of equipment sit at either end of the network where they offer would-be hackers access to unscrambled data.

Last year8217;s attack in the UAE is a good example of how a hacker might work. It employed spyware created by SS8,a closely held U.S. security firm,RIM says.

Emirates Telecommunications Corp,the UAE8217;s largest telecoms operator,sent the program to its BlackBerry disguised as a software update. It told its customers that the it would enhance the performance of their equipment,but RIM says it was mainly intended to tap into their communications.

The telecom declined comment at the time.

RIM said it quickly discovered the so-called 8220;malware8221; because of a glitch in its implementation,and told users not to install it on their phones. But hackers might go undetected,experts say.

To prove the point,a security researcher named Tyler Shields released a spyware program earlier this year for attacking BlackBerries via the handset. It allows hackers to intercept messages that reach the device and use its microphone to tap conversations in the immediate vicinity of the phone.

8220;I wanted to demonstrate that BlackBerry handhelds are susceptible to spyware,8221; said Shields,who works for the Burlington,Massachusetts-based security firm Veracode Inc.

The program,dubbed TXSBBSpy,did not include installation software as Shields never intended it to be used. He only wanted to show the BlackBerry was not unhackable.

A successful attack on a Blackberry Enterprise Server could prove even more devastating because each server manages data for hundreds of users.

Hackers could write code to take advantage of vulnerabilities in the software that runs those servers,said Chet Wisniewski,senior security adviser at Sophos,anti-virus software maker. Such a program would allow outsiders to view messages from all the users hooked up to the computer via their handsets.