BlackBerry update bursting with spyware
An update pushed out to BlackBerry users on the Etisalat network in the United Arab Emirates appears to contain remotely-triggered spyware that allows the interception of messages and emails, as well as crippling battery life. Sent out as a WAP Push message, the update installs a Java file that one curious customer decided to …
surprise surprise.
also:
ss8.com/company-management.php
Derek G. Roga
Sr. Vice President, Business Development
Derek joined SS8 in January of 2009 as part of the acquisition of OCI Mobile. As founder and owner of OCI Mobile Derek successfully developed technology for smart phone interception. In 2005 Derek began developing the Middle East region to introduce the BlackBerry solution; he was the founder and CEO of EMS Mobile which became RIM’s Strategic Channel Partner for the region. Previous positions within the wireless and mobility industry include; founder and CEO of Wall Street Communications which started in 1998 to specifically launch the product that has now taken the world by storm – BlackBerry. Wall Street Communications which then merged with Outercurve Technologies in 2000 became RIM’s most successful and prolific partner. Derek was the Chief Operating Officer and then went on to become the Chief Executive Officer of Outercurve Technologies. Derek started his career with what is now Morgan Stanley and holds a Bachelor of Science in Management from Saint Francis University.
All the post on the offical Blackberry forum are gone.
BB seem to have suppressed the thread in the official forums quite sharpish. A bit remains in the Google cache, but not the link to the removal program. Poor sods.
http://209.85.229.132/search?q=cache:45E-rtUFacwJ:supportforums.blackberry.com/rim/board/message%3Fboard.id%3DBlackBerryDeviceSoftware%26thread.id%3D5504+http://supportforums.blackberry.com/rim/board/message%3Fboard.id%3DBlackBerryDeviceSoftware%26thread.id%3D5504&cd=1&hl=en&ct=clnk&gl=uk
'Intelligence' agencies have been after RIM for access, and likely have been monitoring traffic for quite a while, despite RIM's claims to the contrary. RIM's a honey-pot. Recall that last year India was forcing access to data to allow continued sales.
http://supportforums.blackberry.com/rim/board/message?board.id=BlackBerryDeviceSoftware&thread.id=5504&view=by_date_ascending&page=2
The post to which the article links has already been deleted.
Anyone on the planet can send a WAP push to any mobile device. No reason it has to be the operator doing this. There are so many holes with WAP push that I am surprised it has taken so long for an exploit.
With DPI in the core network this is simply not necessary unless there's issues with end-to-end encryption which can be circumvented on the handset by parsing and logging the content before it gets encrypted and sent on by the underlying application
I installed this app after checking it was signed by Etisalat. My thoughts having previously worked in the lawful interception 'industry':
(1) I should have realised something was up when Etisalat said it was "to ensure continuous service quality" - this bunch of hapless jokers are long way off providing a quality service let alone continuing it!
(2) There is only one other UAE mobile provider (Du - it's a state-owned duopoly) who's coverage is so poor I doubt anyone is able to send emails and texts, so interception would probably be fruitless.
(3) Given that the majority of large firms in the UAE are state-owned, the temptation to abuse interception capabilities for commercial gain must be enormous. It is difficult to find copies of UAE laws written in English (it's difficult to find anything on UAE government websites) but I wonder if they have the concept of collateral intrusion/legal privilege, judicial oversight or even warrants for that matter! It is all so incestuous in high-office that getting your father/brother/cousin who also happens to sit on the board of lots of state-owned commercial interests to approve a warrant or make something happen illegally within an interception-capable department is probably not out the realms of possibility.
"and it will be interesting to see if a similar application appears on competing UEA operators"
The other one, which is also part owned by the gov!
It's getting to the point where we will all have to run our own mail servers and voip systems to avoid being bent over and taken from behind by our government masters and corporate overlords.
Thank god for open source software!
Don't tell our new Home Secretary... of this will become mandatory in all mobile communication devices
***"That's assuming anyone notices - the application could have been missed entirely."***
I doubt that. It only take *one* curious person. It may not have been spotted as quickly, but I'm fairly sure that there would have been at least *one* person who would have had the thought "what does that update actually do"? And the knowledge to find out regardless of other factors.
If you deploy your spyware to enough people the probability that *someone* will spot it approaches 1. A bit like the lottery. 14,000,000:1 chance that a *particular* person will win, but very likely that *someone* will win.
Big Brother, because he *is* watching you (or, at least, he's *trying* to).
what a great way to ruin your customer base !!!!
i wonder how many people will be trusting their blackberry from now on.
RE: Detecting if the "Interceptor software" has been installed on a BB device.
Any idea of how to check whether a device is "clean" or not? Would it simply show in the applications list with all other apps?
Unfortunately asking the end user "Did you agree to install something?" is not going to yield an accurate assessment...
You can't stop the signal Mal.....
http://supportforums.blackberry.com/rim/board/message?board.id=BlackBerryDeviceSoftware&thread.id=5632
I lived in the UAE from 81 to '05....etisalat are the freakin stasi..crippling spyware on everything, they charged extortionate rates for calls, while blocking ALL voip including skype to keep thier revenue. It's a monopoly. You think BT was bad? These guys *banned* WiFi in the country. it was illegal till 2001, because it let you 'share' internet connections which reduced thier revenue...They basically banned ethernet by only allowing a firmware-crippled USB modem to run thier broadband, so people wouldn't share net connections. They blocked all extra ports, put the entire country behind a proxy blocking any 'un-islamic' websites, or those that critisize etisilat. they're as bad, or worse than china/iranian proxies....counless blogs are censored....
It's no secret that all emails to etisalat are monitored and you have about as much privacy as posting your emails in a blog....
/com/ss8/interceptor/app
Of course it's only the wrongdoers that have anything to fear from this patch supplied by a merkin company that supplies "Interception and Surveillance" products…
Like the Emirates airline executives when they are thinking of replacing their Boing 777 aircraft with more Airbus Aircraft.
Draw your own conclusions as to the suitability of blackberries for senior executives
They don't have to worry about their customer base since, as has been mentioned above, they are one of two state-controlled companies. Mind you, from what I understand in Dubai all the information in the country belongs to the ruler and his family.
Can someone not write a firewall app that runs on the device which will alert users when rogue apps do something unexpected ?
It's not perfect but I wouldn't run my desktop PC without such a firewall running. I'm often bemused when the 'Linux fan club' tells me their OS is secure because by default it only lets unsolicited traffic out not in; total fail once your device is infected.
Of course this case is technology fail on so many levels, that snooping can be done, that it's allowed by the device, that it can go unnoticed, to the stupid choice of classname and ease of decompiling classfiles.
it did not work when I clicked the link in the article, but I typed Etisalat in the search field and got to the thread.
I applied the solution proposed by Tbilisoft. Don't know if it changes anything, time will tell.
http://supportforums.blackberry.com/rim/board/message?board.id=BlackBerryDeviceSoftware&thread.id=5632&view=by_date_ascending&page=1
AC cut&pasted: "Derek started his career with what is now Morgan Stanley and holds a Bachelor of Science in Management from Saint Francis University."
Is management a science now?
I can't recall any process of experimentation.
All management types seem to do is get in my fucking way and increase the stupid amount of paperwork I have to create
>" Anyone on the planet can send a WAP push to any mobile device. "
Yes, but nobody in the world except for the holder of the network's private keys can sign the update so that it'll actually be installed. It's either them or someone doing it with their direct collaboration.
Another website states that only Etisalats Blackberry subscribers got this program pushed onto their devices.
But what about users of foreign networks, that used Etisalats network while travelling to the UAE? Are they also affected?
Marek
It's interesting to me that it has taken this long for a "legitimate" signing certificate to be used for nefarious purposes. This is always a danger when a central authority like RIM or Verisign authorize someone to sign code/sites on their behalf without any oversight. This reminds me of how we used to tell users not to open .scr or .exe attachments, and now the baddies are using PDF and .ppt to infect via email. Now we can't simply inspect a file for an appropriate signature, we need to decide if we trust the publisher, and whether we need the update. We had published a blog article (http://www.sophos.com/blogs/sophoslabs/v/post/428) instructing users on being vigilant regarding signatures, perhaps this calls for an update.
I hope RIM takes some action regarding this abuse of trust...
Chet Wisniewski
www.sophos.com
"Now we can't simply inspect a file for an appropriate signature"
SSL Certs have never purported to verify the "goodness" of data. This is a common misunderstanding amongst the plebs but I am shocked, shocked I say, that someone posting on behalf of Sophos would also labour under such a basic misconception.
You should know that digital signatures are no different at all from traditional signatures. All they do is confirm that the signer is who they say they are. They do not have any bearing whatsoever on the quality or veracity of the signed material.
There is no reason whatsoever that Osama Bin Laden himself couldn't sign his latest jihad orders just as George W Bush signed his documents declaring that Waterboarding is AOK and should be actively applied at GitMo.
In neither case do their signatures qualify the ethical validity of the orders, they just confirm that the orders were signed by the person who has the authority to make such orders.
If part of Sophos "security scan" included a "scan for an appropriate signature" then all I can say is I'm glad I don't use Sophos products for security.
Anyone can get a code signing certificate and sign the app. Sure - not with the networks operators private key but it will do exactly the same thing. BB devices don't make a distinction between an operator or third party certificate.
Were the users on a BES? Did the BES IT Policy disallow 3rd party downloads? Sounds more like consumer devices, than corporate BES users.
I was not suggesting that people simply trust anything that is digitally signed, and clearly that is not the recommendation of Sophos, nor the manner in which our products are designed. The intent of the comment was directed towards users who are taught to look for the padlock in their browsers and consider that as some sort of validation that a website is secured. Clearly readers of El Reg are more sophisticated than most, and you are correct in pointing out that blindly trusting signed content means nothing.
Sign up, sign up for The Register's weekly IT security newsletter - click here
