Perimeter
7/23/2009
07:00 PM
Gadi Evron
Gadi Evron
Commentary
50%
50%

The BlackBerry 'Trojan Horse'

Research In Motion's announcement that users in the United Arab Emirates (UAE) who installed an update on their BlackBerrys ended up with a surveillance application raises some key questions.

Research In Motion's announcement that users in the United Arab Emirates (UAE) who installed an update on their BlackBerrys ended up with a surveillance application raises some key questions.This BBC story covers the incident, in which an update was suggested to customers of Etisalat via a text message proselytizing it for improved performance.

But instead, the BlackBerrys with the new software started acting strangely, crashing, running out of battery power, getting low reception, and in some cases shutting down entirely. That was when BlackBerry maker RIM started investigating.

According to a press release from RIM quoted in the BBC story,

"Etisalat appears to have distributed a telecommunications surveillance application...independent sources have concluded that it is possible that the installed software could then enable unauthorised access to private or confidential information stored on the user's smartphone."
The BBC further states:
"The update has now been identified as an application developed by American firm SS8. The California-based company describes itself as a provider of 'lawful electronic intercept and surveillance solutions.'"

Whatever the reason for the update, this action could not have been well-planned, was planned to fail, or perhaps was even a premature execution of an operation. Regardless, such massive-scale surveillance operations suggest government involvement, whether or not it was the UAE. But it has an amateurish feel to it, which makes me doubt it was a government effort. Plus the government could more easily perform eavesdropping by tapping communication at a more central location.

Several possible perpetrators immediately jump to mind, by likelihood:

    1. Someone tricked the users, and it wasn't Etisalat (think phishing and criminals). 2. Etisalat did it on its own, for its own business reasons or partnerships. 3. Etisalat was not aware of what some of its employees were doing. 4. Etisalat was complying with the UAE government. 5. Etisalat was preparing an infrastructure to comply with government eavesdropping requests, using a very poor choice of technology.

Motive, however, is a whole other question.

Most important questions to ask at this point, outside of questioning Etisalat:

    1. From where did the SMS text message originate? 2. Where did users go to download the update?

Such a large-scale operation had no hope of remaining secret forever, even if successful.

From a security standpoint, the threat of scams that get users to click on or download software that compromises their machines is by far not a new trick. If that is what happened, we can just mark it down as "yet another incident." Etisalat did confirm that they pushed an update to users, though. Interesting.

This also should raise concerns about the content of software updates as decided by vendors and operators. They often hide updates inside updates, with no regulation telling them what they can and cannot do. There also have been cases where end users get products that come infected with malware due to unclean work environments. These incidents occur in compromised supply chains, for instance, especially with USB sticks.

Vendors naturally protect their software by claiming more and more rights on it from users. Perhaps it is time for activism in reverse -- to protect user rights, as well.

Follow Gadi Evron on Twitter: http://twitter.com/gadievron

Gadi Evron is an independent security strategist based in Israel. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4467
Published: 2015-01-30
WebKit, as used in Apple iOS before 8.1.3, does not properly determine scrollbar boundaries during the rendering of FRAME elements, which allows remote attackers to spoof the UI via a crafted web site.

CVE-2014-4476
Published: 2015-01-30
WebKit, as used in Apple iOS before 8.1.3; Apple Safari before 6.2.3, 7.x before 7.1.3, and 8.x before 8.0.3; and Apple TV before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulner...

CVE-2014-4477
Published: 2015-01-30
WebKit, as used in Apple iOS before 8.1.3; Apple Safari before 6.2.3, 7.x before 7.1.3, and 8.x before 8.0.3; and Apple TV before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulner...

CVE-2014-4479
Published: 2015-01-30
WebKit, as used in Apple iOS before 8.1.3; Apple Safari before 6.2.3, 7.x before 7.1.3, and 8.x before 8.0.3; and Apple TV before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulner...

CVE-2014-4480
Published: 2015-01-30
Directory traversal vulnerability in afc in AppleFileConduit in Apple iOS before 8.1.3 and Apple TV before 7.0.3 allows attackers to access unintended filesystem locations by creating a symlink.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.