Perimeter
7/23/2009
07:00 PM
Gadi Evron
Gadi Evron
Commentary
50%
50%

The BlackBerry 'Trojan Horse'

Research In Motion's announcement that users in the United Arab Emirates (UAE) who installed an update on their BlackBerrys ended up with a surveillance application raises some key questions.

Research In Motion's announcement that users in the United Arab Emirates (UAE) who installed an update on their BlackBerrys ended up with a surveillance application raises some key questions.This BBC story covers the incident, in which an update was suggested to customers of Etisalat via a text message proselytizing it for improved performance.

But instead, the BlackBerrys with the new software started acting strangely, crashing, running out of battery power, getting low reception, and in some cases shutting down entirely. That was when BlackBerry maker RIM started investigating.

According to a press release from RIM quoted in the BBC story,

"Etisalat appears to have distributed a telecommunications surveillance application...independent sources have concluded that it is possible that the installed software could then enable unauthorised access to private or confidential information stored on the user's smartphone."
The BBC further states:
"The update has now been identified as an application developed by American firm SS8. The California-based company describes itself as a provider of 'lawful electronic intercept and surveillance solutions.'"

Whatever the reason for the update, this action could not have been well-planned, was planned to fail, or perhaps was even a premature execution of an operation. Regardless, such massive-scale surveillance operations suggest government involvement, whether or not it was the UAE. But it has an amateurish feel to it, which makes me doubt it was a government effort. Plus the government could more easily perform eavesdropping by tapping communication at a more central location.

Several possible perpetrators immediately jump to mind, by likelihood:

    1. Someone tricked the users, and it wasn't Etisalat (think phishing and criminals). 2. Etisalat did it on its own, for its own business reasons or partnerships. 3. Etisalat was not aware of what some of its employees were doing. 4. Etisalat was complying with the UAE government. 5. Etisalat was preparing an infrastructure to comply with government eavesdropping requests, using a very poor choice of technology.

Motive, however, is a whole other question.

Most important questions to ask at this point, outside of questioning Etisalat:

    1. From where did the SMS text message originate? 2. Where did users go to download the update?

Such a large-scale operation had no hope of remaining secret forever, even if successful.

From a security standpoint, the threat of scams that get users to click on or download software that compromises their machines is by far not a new trick. If that is what happened, we can just mark it down as "yet another incident." Etisalat did confirm that they pushed an update to users, though. Interesting.

This also should raise concerns about the content of software updates as decided by vendors and operators. They often hide updates inside updates, with no regulation telling them what they can and cannot do. There also have been cases where end users get products that come infected with malware due to unclean work environments. These incidents occur in compromised supply chains, for instance, especially with USB sticks.

Vendors naturally protect their software by claiming more and more rights on it from users. Perhaps it is time for activism in reverse -- to protect user rights, as well.

Follow Gadi Evron on Twitter: http://twitter.com/gadievron

Gadi Evron is an independent security strategist based in Israel. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5208
Published: 2014-12-22
BKBCopyD.exe in the Batch Management Packages in Yokogawa CENTUM CS 3000 through R3.09.50 and CENTUM VP through R4.03.00 and R5.x through R5.04.00, and Exaopc through R3.72.10, does not require authentication, which allows remote attackers to read arbitrary files via a RETR operation, write to arbit...

CVE-2014-7286
Published: 2014-12-22
Buffer overflow in AClient in Symantec Deployment Solution 6.9 and earlier on Windows XP and Server 2003 allows local users to gain privileges via unspecified vectors.

CVE-2014-8896
Published: 2014-12-22
The Collaboration Server in IBM InfoSphere Master Data Management Server for Product Information Management 9.x through 9.1 and InfoSphere Master Data Management - Collaborative Edition 10.x through 10.1, 11.0 before FP7, and 11.3 and 11.4 before 11.4 FP1 allows remote authenticated users to modify ...

CVE-2014-8897
Published: 2014-12-22
Cross-site scripting (XSS) vulnerability in the Collaboration Server in IBM InfoSphere Master Data Management Server for Product Information Management 9.x through 9.1 and InfoSphere Master Data Management - Collaborative Edition 10.x through 10.1, 11.0 before FP7, and 11.3 and 11.4 before 11.4 FP1 ...

CVE-2014-8898
Published: 2014-12-22
Cross-site scripting (XSS) vulnerability in the Collaboration Server in IBM InfoSphere Master Data Management Server for Product Information Management 9.x through 9.1 and InfoSphere Master Data Management - Collaborative Edition 10.x through 10.1, 11.0 before FP7, and 11.3 and 11.4 before 11.4 FP1 ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.