back to article BlackBerry update bursting with spyware

An update pushed out to BlackBerry users on the Etisalat network in the United Arab Emirates appears to contain remotely-triggered spyware that allows the interception of messages and emails, as well as crippling battery life. Sent out as a WAP Push message, the update installs a Java file that one curious customer decided to …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Big Brother

    Rim thread deleted

    surprise surprise.

    also:

    ss8.com/company-management.php

    Derek G. Roga

    Sr. Vice President, Business Development

    Derek joined SS8 in January of 2009 as part of the acquisition of OCI Mobile. As founder and owner of OCI Mobile Derek successfully developed technology for smart phone interception. In 2005 Derek began developing the Middle East region to introduce the BlackBerry solution; he was the founder and CEO of EMS Mobile which became RIM’s Strategic Channel Partner for the region. Previous positions within the wireless and mobility industry include; founder and CEO of Wall Street Communications which started in 1998 to specifically launch the product that has now taken the world by storm – BlackBerry. Wall Street Communications which then merged with Outercurve Technologies in 2000 became RIM’s most successful and prolific partner. Derek was the Chief Operating Officer and then went on to become the Chief Executive Officer of Outercurve Technologies. Derek started his career with what is now Morgan Stanley and holds a Bachelor of Science in Management from Saint Francis University.

  2. Anonymous Coward
    Big Brother

    Hmm

    All the post on the offical Blackberry forum are gone.

  3. Anonymous Coward
    Anonymous Coward

    Friends in high places?

    BB seem to have suppressed the thread in the official forums quite sharpish. A bit remains in the Google cache, but not the link to the removal program. Poor sods.

    http://209.85.229.132/search?q=cache:45E-rtUFacwJ:supportforums.blackberry.com/rim/board/message%3Fboard.id%3DBlackBerryDeviceSoftware%26thread.id%3D5504+http://supportforums.blackberry.com/rim/board/message%3Fboard.id%3DBlackBerryDeviceSoftware%26thread.id%3D5504&cd=1&hl=en&ct=clnk&gl=uk

  4. Darling Petunia

    RIM

    'Intelligence' agencies have been after RIM for access, and likely have been monitoring traffic for quite a while, despite RIM's claims to the contrary. RIM's a honey-pot. Recall that last year India was forcing access to data to allow continued sales.

  5. Ian Court
    Black Helicopters

    "Seventh message down"

    http://supportforums.blackberry.com/rim/board/message?board.id=BlackBerryDeviceSoftware&thread.id=5504&view=by_date_ascending&page=2

    The post to which the article links has already been deleted.

  6. c 1

    it may not be the operator doing this

    Anyone on the planet can send a WAP push to any mobile device. No reason it has to be the operator doing this. There are so many holes with WAP push that I am surprised it has taken so long for an exploit.

  7. Jay Jaffa
    Boffin

    Why bother ...

    With DPI in the core network this is simply not necessary unless there's issues with end-to-end encryption which can be circumvented on the handset by parsing and logging the content before it gets encrypted and sent on by the underlying application

  8. Anonymous Coward
    Anonymous Coward

    Everthing we complain about but take for granted...

    I installed this app after checking it was signed by Etisalat. My thoughts having previously worked in the lawful interception 'industry':

    (1) I should have realised something was up when Etisalat said it was "to ensure continuous service quality" - this bunch of hapless jokers are long way off providing a quality service let alone continuing it!

    (2) There is only one other UAE mobile provider (Du - it's a state-owned duopoly) who's coverage is so poor I doubt anyone is able to send emails and texts, so interception would probably be fruitless.

    (3) Given that the majority of large firms in the UAE are state-owned, the temptation to abuse interception capabilities for commercial gain must be enormous. It is difficult to find copies of UAE laws written in English (it's difficult to find anything on UAE government websites) but I wonder if they have the concept of collateral intrusion/legal privilege, judicial oversight or even warrants for that matter! It is all so incestuous in high-office that getting your father/brother/cousin who also happens to sit on the board of lots of state-owned commercial interests to approve a warrant or make something happen illegally within an interception-capable department is probably not out the realms of possibility.

  9. Stephen Mullan 1
    Terminator

    There only are two operators

    "and it will be interesting to see if a similar application appears on competing UEA operators"

    The other one, which is also part owned by the gov!

  10. Goat Jam
    Big Brother

    Welcome to the 21st Century

    It's getting to the point where we will all have to run our own mail servers and voip systems to avoid being bent over and taken from behind by our government masters and corporate overlords.

    Thank god for open source software!

  11. Mat

    Ssshhhhh!

    Don't tell our new Home Secretary... of this will become mandatory in all mobile communication devices

  12. Eponymous Cowherd
    Big Brother

    Somone will *always* notice.

    ***"That's assuming anyone notices - the application could have been missed entirely."***

    I doubt that. It only take *one* curious person. It may not have been spotted as quickly, but I'm fairly sure that there would have been at least *one* person who would have had the thought "what does that update actually do"? And the knowledge to find out regardless of other factors.

    If you deploy your spyware to enough people the probability that *someone* will spot it approaches 1. A bit like the lottery. 14,000,000:1 chance that a *particular* person will win, but very likely that *someone* will win.

    Big Brother, because he *is* watching you (or, at least, he's *trying* to).

  13. Lionel Baden

    Wow

    what a great way to ruin your customer base !!!!

    i wonder how many people will be trusting their blackberry from now on.

  14. r0g3r

    Detection...

    RE: Detecting if the "Interceptor software" has been installed on a BB device.

    Any idea of how to check whether a device is "clean" or not? Would it simply show in the applications list with all other apps?

    Unfortunately asking the end user "Did you agree to install something?" is not going to yield an accurate assessment...

  15. Chris Harden
    Black Helicopters

    here it is.......

    You can't stop the signal Mal.....

    http://supportforums.blackberry.com/rim/board/message?board.id=BlackBerryDeviceSoftware&thread.id=5632

  16. George Oommen

    huh?

    I lived in the UAE from 81 to '05....etisalat are the freakin stasi..crippling spyware on everything, they charged extortionate rates for calls, while blocking ALL voip including skype to keep thier revenue. It's a monopoly. You think BT was bad? These guys *banned* WiFi in the country. it was illegal till 2001, because it let you 'share' internet connections which reduced thier revenue...They basically banned ethernet by only allowing a firmware-crippled USB modem to run thier broadband, so people wouldn't share net connections. They blocked all extra ports, put the entire country behind a proxy blocking any 'un-islamic' websites, or those that critisize etisilat. they're as bad, or worse than china/iranian proxies....counless blogs are censored....

    It's no secret that all emails to etisalat are monitored and you have about as much privacy as posting your emails in a blog....

    /com/ss8/interceptor/app

  17. Field Marshal Von Krakenfart
    Big Brother

    What constitutes a treat?

    Of course it's only the wrongdoers that have anything to fear from this patch supplied by a merkin company that supplies "Interception and Surveillance" products…

    Like the Emirates airline executives when they are thinking of replacing their Boing 777 aircraft with more Airbus Aircraft.

    Draw your own conclusions as to the suitability of blackberries for senior executives

  18. Cameron Colley

    @Lionel Baden

    They don't have to worry about their customer base since, as has been mentioned above, they are one of two state-controlled companies. Mind you, from what I understand in Dubai all the information in the country belongs to the ruler and his family.

  19. Jason Bloomberg Silver badge
    FAIL

    Firewall ?

    Can someone not write a firewall app that runs on the device which will alert users when rogue apps do something unexpected ?

    It's not perfect but I wouldn't run my desktop PC without such a firewall running. I'm often bemused when the 'Linux fan club' tells me their OS is secure because by default it only lets unsolicited traffic out not in; total fail once your device is infected.

    Of course this case is technology fail on so many levels, that snooping can be done, that it's allowed by the device, that it can go unnoticed, to the stupid choice of classname and ease of decompiling classfiles.

  20. Boulaudan

    Thread still available on BB support forum

    it did not work when I clicked the link in the article, but I typed Etisalat in the search field and got to the thread.

    I applied the solution proposed by Tbilisoft. Don't know if it changes anything, time will tell.

  21. Anonymous Coward
    Anonymous Coward

    Try here

    http://supportforums.blackberry.com/rim/board/message?board.id=BlackBerryDeviceSoftware&thread.id=5632&view=by_date_ascending&page=1

  22. Anonymous Coward
    WTF?

    Derek G. Roga

    AC cut&pasted: "Derek started his career with what is now Morgan Stanley and holds a Bachelor of Science in Management from Saint Francis University."

    Is management a science now?

    I can't recall any process of experimentation.

    All management types seem to do is get in my fucking way and increase the stupid amount of paperwork I have to create

  23. Anonymous Coward
    Stop

    @it may not be the operator doing this.. WRONG!

    >" Anyone on the planet can send a WAP push to any mobile device. "

    Yes, but nobody in the world except for the holder of the network's private keys can sign the update so that it'll actually be installed. It's either them or someone doing it with their direct collaboration.

  24. Anonymous Coward
    Anonymous Coward

    roaming users affected also?

    Another website states that only Etisalats Blackberry subscribers got this program pushed onto their devices.

    But what about users of foreign networks, that used Etisalats network while travelling to the UAE? Are they also affected?

    Marek

  25. Chet Wisniewski - Sophos

    Digital Signatures are only the beginning

    It's interesting to me that it has taken this long for a "legitimate" signing certificate to be used for nefarious purposes. This is always a danger when a central authority like RIM or Verisign authorize someone to sign code/sites on their behalf without any oversight. This reminds me of how we used to tell users not to open .scr or .exe attachments, and now the baddies are using PDF and .ppt to infect via email. Now we can't simply inspect a file for an appropriate signature, we need to decide if we trust the publisher, and whether we need the update. We had published a blog article (http://www.sophos.com/blogs/sophoslabs/v/post/428) instructing users on being vigilant regarding signatures, perhaps this calls for an update.

    I hope RIM takes some action regarding this abuse of trust...

    Chet Wisniewski

    www.sophos.com

  26. Goat Jam
    FAIL

    @Chet

    "Now we can't simply inspect a file for an appropriate signature"

    SSL Certs have never purported to verify the "goodness" of data. This is a common misunderstanding amongst the plebs but I am shocked, shocked I say, that someone posting on behalf of Sophos would also labour under such a basic misconception.

    You should know that digital signatures are no different at all from traditional signatures. All they do is confirm that the signer is who they say they are. They do not have any bearing whatsoever on the quality or veracity of the signed material.

    There is no reason whatsoever that Osama Bin Laden himself couldn't sign his latest jihad orders just as George W Bush signed his documents declaring that Waterboarding is AOK and should be actively applied at GitMo.

    In neither case do their signatures qualify the ethical validity of the orders, they just confirm that the orders were signed by the person who has the authority to make such orders.

    If part of Sophos "security scan" included a "scan for an appropriate signature" then all I can say is I'm glad I don't use Sophos products for security.

  27. c 1

    @Anonymous Coward Posted Wednesday 15th July 2009 14:00 GMT

    Anyone can get a code signing certificate and sign the app. Sure - not with the networks operators private key but it will do exactly the same thing. BB devices don't make a distinction between an operator or third party certificate.

  28. Icantpickem

    Not enough info...

    Were the users on a BES? Did the BES IT Policy disallow 3rd party downloads? Sounds more like consumer devices, than corporate BES users.

  29. Chet Wisniewski - Sophos

    @Goat Jam

    I was not suggesting that people simply trust anything that is digitally signed, and clearly that is not the recommendation of Sophos, nor the manner in which our products are designed. The intent of the comment was directed towards users who are taught to look for the padlock in their browsers and consider that as some sort of validation that a website is secured. Clearly readers of El Reg are more sophisticated than most, and you are correct in pointing out that blindly trusting signed content means nothing.

This topic is closed for new posts.

Other stories you might like