Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

7/23/2009
07:00 PM
Gadi Evron
Gadi Evron
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

The BlackBerry 'Trojan Horse'

Research In Motion's announcement that users in the United Arab Emirates (UAE) who installed an update on their BlackBerrys ended up with a surveillance application raises some key questions.

Research In Motion's announcement that users in the United Arab Emirates (UAE) who installed an update on their BlackBerrys ended up with a surveillance application raises some key questions.This BBC story covers the incident, in which an update was suggested to customers of Etisalat via a text message proselytizing it for improved performance.

But instead, the BlackBerrys with the new software started acting strangely, crashing, running out of battery power, getting low reception, and in some cases shutting down entirely. That was when BlackBerry maker RIM started investigating.

According to a press release from RIM quoted in the BBC story,

"Etisalat appears to have distributed a telecommunications surveillance application...independent sources have concluded that it is possible that the installed software could then enable unauthorised access to private or confidential information stored on the user's smartphone."
The BBC further states:
"The update has now been identified as an application developed by American firm SS8. The California-based company describes itself as a provider of 'lawful electronic intercept and surveillance solutions.'"

Whatever the reason for the update, this action could not have been well-planned, was planned to fail, or perhaps was even a premature execution of an operation. Regardless, such massive-scale surveillance operations suggest government involvement, whether or not it was the UAE. But it has an amateurish feel to it, which makes me doubt it was a government effort. Plus the government could more easily perform eavesdropping by tapping communication at a more central location.

Several possible perpetrators immediately jump to mind, by likelihood:

    1. Someone tricked the users, and it wasn't Etisalat (think phishing and criminals). 2. Etisalat did it on its own, for its own business reasons or partnerships. 3. Etisalat was not aware of what some of its employees were doing. 4. Etisalat was complying with the UAE government. 5. Etisalat was preparing an infrastructure to comply with government eavesdropping requests, using a very poor choice of technology.

Motive, however, is a whole other question.

Most important questions to ask at this point, outside of questioning Etisalat:

    1. From where did the SMS text message originate? 2. Where did users go to download the update?

Such a large-scale operation had no hope of remaining secret forever, even if successful.

From a security standpoint, the threat of scams that get users to click on or download software that compromises their machines is by far not a new trick. If that is what happened, we can just mark it down as "yet another incident." Etisalat did confirm that they pushed an update to users, though. Interesting.

This also should raise concerns about the content of software updates as decided by vendors and operators. They often hide updates inside updates, with no regulation telling them what they can and cannot do. There also have been cases where end users get products that come infected with malware due to unclean work environments. These incidents occur in compromised supply chains, for instance, especially with USB sticks.

Vendors naturally protect their software by claiming more and more rights on it from users. Perhaps it is time for activism in reverse -- to protect user rights, as well.

Follow Gadi Evron on Twitter: http://twitter.com/gadievron

Gadi Evron is an independent security strategist based in Israel. Special to Dark Reading. Gadi is CEO and founder of Cymmetria, a cyber deception startup and chairman of the Israeli CERT. Previously, he was vice president of cybersecurity strategy for Kaspersky Lab and led PwC's Cyber Security Center of Excellence, located in Israel. He is widely recognized for ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-2319
PUBLISHED: 2019-12-12
HLOS could corrupt CPZ page table memory for S1 managed VMs in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking in MDM9205, QCS404, QCS605, SDA845, SDM670, SDM710, SDM84...
CVE-2019-2320
PUBLISHED: 2019-12-12
Possible out of bounds write in a MT SMS/SS scenario due to improper validation of array index in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8009, APQ8017, APQ805...
CVE-2019-2321
PUBLISHED: 2019-12-12
Incorrect length used while validating the qsee log buffer sent from HLOS which could then lead to remap conflict in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdra...
CVE-2019-2337
PUBLISHED: 2019-12-12
While Skipping unknown IES, EMM is reading the buffer even if the no of bytes to read are more than message length which may cause device to shutdown in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables in APQ8053, APQ809...
CVE-2019-2338
PUBLISHED: 2019-12-12
Crafted image that has a valid signature from a non-QC entity can be loaded which can read/write memory that belongs to the secure world in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastruc...