Perimeter
7/23/2009
07:00 PM
Gadi Evron
Gadi Evron
Commentary
Connect Directly
RSS
E-Mail
50%
50%

The BlackBerry 'Trojan Horse'

Research In Motion's announcement that users in the United Arab Emirates (UAE) who installed an update on their BlackBerrys ended up with a surveillance application raises some key questions.

Research In Motion's announcement that users in the United Arab Emirates (UAE) who installed an update on their BlackBerrys ended up with a surveillance application raises some key questions.This BBC story covers the incident, in which an update was suggested to customers of Etisalat via a text message proselytizing it for improved performance.

But instead, the BlackBerrys with the new software started acting strangely, crashing, running out of battery power, getting low reception, and in some cases shutting down entirely. That was when BlackBerry maker RIM started investigating.

According to a press release from RIM quoted in the BBC story,

"Etisalat appears to have distributed a telecommunications surveillance application...independent sources have concluded that it is possible that the installed software could then enable unauthorised access to private or confidential information stored on the user's smartphone."
The BBC further states:
"The update has now been identified as an application developed by American firm SS8. The California-based company describes itself as a provider of 'lawful electronic intercept and surveillance solutions.'"

Whatever the reason for the update, this action could not have been well-planned, was planned to fail, or perhaps was even a premature execution of an operation. Regardless, such massive-scale surveillance operations suggest government involvement, whether or not it was the UAE. But it has an amateurish feel to it, which makes me doubt it was a government effort. Plus the government could more easily perform eavesdropping by tapping communication at a more central location.

Several possible perpetrators immediately jump to mind, by likelihood:

    1. Someone tricked the users, and it wasn't Etisalat (think phishing and criminals). 2. Etisalat did it on its own, for its own business reasons or partnerships. 3. Etisalat was not aware of what some of its employees were doing. 4. Etisalat was complying with the UAE government. 5. Etisalat was preparing an infrastructure to comply with government eavesdropping requests, using a very poor choice of technology.

Motive, however, is a whole other question.

Most important questions to ask at this point, outside of questioning Etisalat:

    1. From where did the SMS text message originate? 2. Where did users go to download the update?

Such a large-scale operation had no hope of remaining secret forever, even if successful.

From a security standpoint, the threat of scams that get users to click on or download software that compromises their machines is by far not a new trick. If that is what happened, we can just mark it down as "yet another incident." Etisalat did confirm that they pushed an update to users, though. Interesting.

This also should raise concerns about the content of software updates as decided by vendors and operators. They often hide updates inside updates, with no regulation telling them what they can and cannot do. There also have been cases where end users get products that come infected with malware due to unclean work environments. These incidents occur in compromised supply chains, for instance, especially with USB sticks.

Vendors naturally protect their software by claiming more and more rights on it from users. Perhaps it is time for activism in reverse -- to protect user rights, as well.

Follow Gadi Evron on Twitter: http://twitter.com/gadievron

Gadi Evron is an independent security strategist based in Israel. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5485
Published: 2014-09-30
registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface.

CVE-2012-5486
Published: 2014-09-30
ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.

CVE-2012-5487
Published: 2014-09-30
The sandbox whitelisting function (allowmodule.py) in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain privileges to bypass the Python sandbox restriction and execute arbitrary Python code via vectors related to importing.

CVE-2012-5488
Published: 2014-09-30
python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to createObject.

CVE-2012-5489
Published: 2014-09-30
The App.Undo.UndoSupport.get_request_var_or_attr function in Zope before 2.12.21 and 3.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
In our next Dark Reading Radio broadcast, we’ll take a close look at some of the latest research and practices in application security.