Perimeter
7/23/2009
07:00 PM
Gadi Evron
Gadi Evron
Commentary
Connect Directly
RSS
E-Mail
50%
50%

The BlackBerry 'Trojan Horse'

Research In Motion's announcement that users in the United Arab Emirates (UAE) who installed an update on their BlackBerrys ended up with a surveillance application raises some key questions.

Research In Motion's announcement that users in the United Arab Emirates (UAE) who installed an update on their BlackBerrys ended up with a surveillance application raises some key questions.This BBC story covers the incident, in which an update was suggested to customers of Etisalat via a text message proselytizing it for improved performance.

But instead, the BlackBerrys with the new software started acting strangely, crashing, running out of battery power, getting low reception, and in some cases shutting down entirely. That was when BlackBerry maker RIM started investigating.

According to a press release from RIM quoted in the BBC story,

"Etisalat appears to have distributed a telecommunications surveillance application...independent sources have concluded that it is possible that the installed software could then enable unauthorised access to private or confidential information stored on the user's smartphone."
The BBC further states:
"The update has now been identified as an application developed by American firm SS8. The California-based company describes itself as a provider of 'lawful electronic intercept and surveillance solutions.'"

Whatever the reason for the update, this action could not have been well-planned, was planned to fail, or perhaps was even a premature execution of an operation. Regardless, such massive-scale surveillance operations suggest government involvement, whether or not it was the UAE. But it has an amateurish feel to it, which makes me doubt it was a government effort. Plus the government could more easily perform eavesdropping by tapping communication at a more central location.

Several possible perpetrators immediately jump to mind, by likelihood:

    1. Someone tricked the users, and it wasn't Etisalat (think phishing and criminals). 2. Etisalat did it on its own, for its own business reasons or partnerships. 3. Etisalat was not aware of what some of its employees were doing. 4. Etisalat was complying with the UAE government. 5. Etisalat was preparing an infrastructure to comply with government eavesdropping requests, using a very poor choice of technology.

Motive, however, is a whole other question.

Most important questions to ask at this point, outside of questioning Etisalat:

    1. From where did the SMS text message originate? 2. Where did users go to download the update?

Such a large-scale operation had no hope of remaining secret forever, even if successful.

From a security standpoint, the threat of scams that get users to click on or download software that compromises their machines is by far not a new trick. If that is what happened, we can just mark it down as "yet another incident." Etisalat did confirm that they pushed an update to users, though. Interesting.

This also should raise concerns about the content of software updates as decided by vendors and operators. They often hide updates inside updates, with no regulation telling them what they can and cannot do. There also have been cases where end users get products that come infected with malware due to unclean work environments. These incidents occur in compromised supply chains, for instance, especially with USB sticks.

Vendors naturally protect their software by claiming more and more rights on it from users. Perhaps it is time for activism in reverse -- to protect user rights, as well.

Follow Gadi Evron on Twitter: http://twitter.com/gadievron

Gadi Evron is an independent security strategist based in Israel. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6117
Published: 2014-07-11
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

CVE-2014-0174
Published: 2014-07-11
Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

CVE-2014-3485
Published: 2014-07-11
The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterprise Virtualization (rhevm) 3.4, allows remote authenticated users to read arbitrary files and have other unspecified impact via unknown vectors, related to an XML External Entity (XXE) issue.

CVE-2014-3499
Published: 2014-07-11
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.

CVE-2014-3503
Published: 2014-07-11
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.