Etisalat's Trojan BlackBerries
July 15, 2009 7:55 AM   Subscribe

UAE phone company pushes BlackBerry update with embedded spyware. The United Arab Emirates phone company Etisalat recently sent out a firmware update to its BlackBerry-using customers, billed as a “performance enhancement patch”. After customers reported the patch degrading their handsets' performance and draining their batteries more rapidly, a programmer examined it and found that it contained spyware from a US company, which could be remotely activated to forward all emails and text messages to a third-party server.

It is not clear who is behind the spyware. It could be the Emirati government plugging a hole in its surveillance capabilities (it is not clear whether BlackBerry emails are kept anywhere where the Emirati government can reach them). Alternatively, there are probably a lot of people in Dubai, from Iranian dissidents to radical Islamist fixers to ordinary dubious businessmen, who would be of interest to various parties across the world.
posted by acb (31 comments total) 6 users marked this as a favorite
 
Theocratic absolute monarchy tries to exert control over its subjects? Whatever next?
posted by MuffinMan at 8:04 AM on July 15, 2009


Secret CIA Program?

Operation CrackedBerry?
posted by lazaruslong at 8:04 AM on July 15, 2009 [1 favorite]


RIM will not be pleased.
posted by Decimask at 8:11 AM on July 15, 2009


Theocratic absolute monarchy tries to exert control over its subjects? Whatever next?

Would the government, with its control of the network, need to install spyware on all handsets to do this?
posted by acb at 8:11 AM on July 15, 2009 [2 favorites]


From the SS8 website:
"From tactical deployments to multi-technology service providers to nationwide multi-carrier solutions, SS8 offers law enforcement a scaleable solution to meet both the simplest and most comprehensive needs."

Sounds about right.
posted by Xoebe at 8:11 AM on July 15, 2009


Curiously, the fact that it's client-side is probably an indication that this is corporate or industrial espionage, rather than a government agency.

Most (and I think maybe all) Blackberry data traffic goes through RIM-controlled servers anyway, and you can be sure that they've been compromised at that level by somebody; they cross wires controlled by national telcos, too. The right way to manage that sort of espionage is at the network level, a la Carnivore or the NSA's warrantless wiretapping program.

Doing it through the handsets like that, that's strictly for chumps.
posted by mhoye at 8:16 AM on July 15, 2009 [2 favorites]


Ha, I received a message from a UAE-based friend this morning asking for advice on how to remove a mysterious software update that seems to constantly drain her battery. Any word on what can be done?
posted by Adam_S at 8:18 AM on July 15, 2009


Thanks for the heads-up on this. Time to call our Dubai office.
posted by Optamystic at 8:19 AM on July 15, 2009


From the SS8 website:
"From tactical deployments to multi-technology service providers to nationwide multi-carrier solutions, SS8 offers law enforcement a scaleable solution to meet both the simplest and most comprehensive needs."

Sounds about right.


Except when they fuck it up so everybody notices their BBs run like shit and eat battery charge like crazy.
posted by krash2fast at 8:20 AM on July 15, 2009 [3 favorites]


"From tactical deployments to multi-technology service providers to nationwide multi-carrier solutions, SS8 offers law enforcement a scaleable solution to meet both the simplest and most comprehensive needs."

How about e-sucking my multi-scalable e-dick solution?

C'mon, it's god-damn 2009 not 2000. Can the eCommerce-speak just for a fucking day, eh?
posted by KevinSkomsvold at 8:26 AM on July 15, 2009 [5 favorites]


mhoye: "Curiously, the fact that it's client-side is probably an indication that this is corporate or industrial espionage, rather than a government agency.…Doing it through the handsets like that, that's strictly for chumps."

My understanding of the BlackBerry system is that most traffic either goes through RIM's servers in Canada, or BlackBerry Enterprise Servers set up by large companies. The connection between the handset and the BES is encrypted.

So let's say you're a company in Dubai: you buy a BES license, and get your employees hooked up with BlackBerries. Their emails are encrypted as they pass over the government-run network from the BES to the handset. There's no opportunity for the government to intercept them in transit, at least in cleartext form.

If messages are being sent out to Internet users rather than just internally, the ISP could grab them then (as they head out onto the Internet from the BES), but it has no opportunity to get purely internal emails going from one BlackBerry device to another, or from an employee's internal email account to a BlackBerry.

So it makes perfect sense that Etisalat tried to compromise the endpoint; that's really the only way they can get at the messages.
posted by Kadin2048 at 8:27 AM on July 15, 2009 [6 favorites]


Remember when people were up in arms because Nokia/Siemens had sold lawful intercept capable telephone switching equipment to the Iranians?

Now that we have a U.S. company, whose network surveillance equipment is solely designed for the purpose of lawful intercepts (and as their website notes) other uses by intelligence agencies, will we see a similar shitstorm?

SS8 is the company who makes this arguably crappy surveillance software, and wouldn't have gotten discovered if their constantly busy registration servers hadn't caused UAE Blackberries to slow down and chew through battery.

SS8 claims to have sold their software/hardware to companies/governments in 25 countries. Will we see calls for boycotts of SS8? No. The reason being that SS8 doesn't sell consumer level gear. The only people in a position to boycott SS8 are its happy corporate and government clients.

Finally, remember that "lawful intercept" is only as good as the laws in the country in which the hardware is used. That may mean surveillance requires a warrant issued by a court upon a showing of probable cause, a subpoena, which is not reviewed by a judge, upon a showing of relevance to an ongoing investigation (as is the case for much non-wiretap surveillance in the states), or a simple polite phone call from the police asking for the information, after claiming so called exigent circumstances.
posted by genome4hire at 8:29 AM on July 15, 2009 [3 favorites]


Well, obviously this is bad from a civil liberties perspective (But come on, this is the UAE. what did you expect?)

But beyond this, this is just a terrible idea from the standpoint of a "law enforcement/spying on citizens" perspective. Never trust the client. If people have the devices in their hands, obviously they're going to be able to remove the software. Especially when you own the phone network yourself and you can just tap the data.

On the other hand, the interesting thing from the UAE's perspective is that users would carry this software on their phones when they leave the country. I'm guessing from an industrial espionage angle this would be great. You get this software on the blackberry of BigCorp's CEO when he's visiting Dubai and you'll get all kinds of interesting data until he gets a new phone. At least you would if your software actually worked in the first place.

The interesting thing with these smart phones is that you can easily write encryption software for them that works well, at least for text messaging (voice might be more challenging). As long as they let your app on the App stores, it should be able to be distributed pretty easily (and on the G1 at least you should be able to load programs over USB as well)
posted by delmoi at 8:34 AM on July 15, 2009


Theocratic absolute monarchy tries to exert control over its subjects? Whatever next?

No kidding, hey?

We should sell these guys some Carnivore software, teach them how to build entire secret network monitoring centers and give lessons on surreptitious GPS tracking.

You know, to teach these punks a thing or two about how to really spy on their own populations.

Fucking amateurs.
posted by rokusan at 8:40 AM on July 15, 2009 [3 favorites]



Remember when people were up in arms because Nokia/Siemens had sold lawful intercept capable telephone switching equipment to the Iranians?

Speaking of which, does anyone remember or have a link to a blog post that poked a hole in the techno-utopian rapture about how mobile technologies were going to enable a new wave of democratization, pointing out that these same technologies could be easily intercepted and manipulated en masse with a minimum of personnel (unlike, say, thousands of Stasi agents who would have to monitor individual phone calls)? I forgot to bookmark it and reading this thread makes me want to read it over again.
posted by foxy_hedgehog at 9:02 AM on July 15, 2009


Curiously, the fact that it's client-side is probably an indication that this is corporate or industrial espionage, rather than a government agency.

Either that or the actions of a foreign government.

Iran has been cracking down pretty hard on dissidents recently, and aggressively using surveillance within its borders to catch dissidents. There are a lot of expatriate Iranians, critical of the regime, abroad, including plenty in Dubai. Chances are, some of them are involved in organising dissent or campaigning against the recent hardline coup. I imagine the Iranian secret service would love to know what they're saying and to whom.

I imagine that Hezbollah, Hamas and al-Qaeda would also have people there. Not necessarily military commanders, though financiers and fixers who keep their heads down and stay closer to where the deals are made. The Israeli Mossad would presumably be quite interested in these parties, and so would the CIA and MI6.

And with Dubai being a centre of economic activity, particularly to do with oil and energy, a lot of other governments might have an interest in keeping their ears open and hopefully stealing a march on their rivals. Dubai has been described as a sort of 21st-century Casablanca, a "free city" teeming with intrigues.
posted by acb at 9:11 AM on July 15, 2009


Oops. Someone is gonna get spanked.
posted by Bovine Love at 10:08 AM on July 15, 2009


Holy fucking amateur hour.
posted by GuyZero at 10:22 AM on July 15, 2009


Fucking amateurs.

Don't forget to send them a heaping helping of AT&T.
posted by sexyrobot at 10:42 AM on July 15, 2009


rokusan: "We should sell these guys some Carnivore software…"

Carnivore is so last decade.

A system like Carnivore wouldn't get you anything on the BlackBerry network, because everything is encrypted while in transit. I can't quite say that the whole BIS/BES network was designed with systems like Carnivore in mind, but it sure seems like it.

Carnivore was designed to snoop on late-90s email, which was almost universally unencrypted. Today there's a lot more encryption in use: companies have VPNs to link offices, we have SMTP over TLS, and most consumer webmail services offer HTTPS. There's still a lot of cleartext traffic floating around, but it's pretty trivial to protect your communications if you want to.

So if you want to reliably intercept communications, wiretapping and grabbing a copy of the message in transit is not the best way. At best you end up having to do some sort of MITM attack to defeat the encryption (which requires you to conduct the attack in real time, not just hoover everything down and datamine later), at worst you get an encrypted message that might take thousands of years of processor-time to break, and might turn out to be garbage.

Compromising the endpoints isn't some amateur technique, it's cutting edge. That's where things are going. Software has gotten smarter — it assumes that the communications links it uses aren't friendly. But most applications and users still assume that the hardware in their pocket or on their desk is trustworthy. So that's where you do your snooping.

The Etisalat software package wasn't great because of the battery-life issues that made it noticeable, but that's a fairly obvious bug that will be corrected. If it hadn't been for that problem — and for all we know this could have been going on for a while without anyone's knowledge — it would have been a near-perfect spy tool.

Pushing out compromised software to end-user devices is the next big thing in interception. The FBI already uses something like it to get passwords on PCs — all you do is make a user hit a web page, and it downloads a trojan to their machine that logs keystrokes and sends back the results. With something like that, you can get around all the link-level encryption you want. On devices that have automatic update mechanisms, or even worse the remote-push mechanisms that BlackBerries and cell phones have, you don't even need to make the target go to a website of your choice. It's cheaper and significantly easier than building black rooms in switching points.

Etisalat isn't some bush league operation; they're ahead of the curve. They may have momentarily gotten a bit ahead of themselves and tripped in a very public way, but they know what they're doing.
posted by Kadin2048 at 11:03 AM on July 15, 2009 [3 favorites]
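Two things in this thread are observable from the network side even when the mail itself is encrypted end to end: genome4hire's "constantly busy registration servers", and the forwarding of each delivered message to a third-party server that Kadin2048 describes. The following is an added example (not from the thread, Etisalat, or SS8) of the checks a defender could run over per-handset flow records; the host names and flows are constructed for the example.

```python
from collections import defaultdict

# Constructed per-handset flow records, not real Etisalat data:
# (seconds since start, direction, remote host, bytes). "in" = delivered to the handset.
FLOWS = [
    (0,   "in",  "bes.corp.example",   2100),
    (4,   "out", "reg.vendor.example",  300),   # assumed: registration beacon
    (6,   "out", "collector.example",  2180),   # assumed: forwarded copy of the mail
    (64,  "out", "reg.vendor.example",  300),
    (124, "out", "reg.vendor.example",  300),
    (184, "out", "reg.vendor.example",  300),
    (244, "out", "reg.vendor.example",  300),
    (300, "in",  "bes.corp.example",    980),
    (303, "out", "collector.example",  1040),
    (900, "out", "bes.corp.example",   1500),   # a reply the user actually sent
]
# Hosts the handset is supposed to talk to (assumed for the example).
EXPECTED_HOSTS = {"bes.corp.example"}


def beacons(flows, min_count=4, max_jitter=5):
    """Unexpected hosts contacted repeatedly at a near-constant interval,
    the 'constantly busy registration server' pattern. Returns {host: interval}."""
    times = defaultdict(list)
    for t, direction, host, _ in flows:
        if direction == "out" and host not in EXPECTED_HOSTS:
            times[host].append(t)
    found = {}
    for host, ts in times.items():
        if len(ts) < min_count:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if max(gaps) - min(gaps) <= max_jitter:
            found[host] = round(sum(gaps) / len(gaps))
    return found


def forwarded_copies(flows, window=30, slack=0.2):
    """Inbound messages followed within `window` seconds by an outbound flow of
    similar size to an unexpected host: the signature of a device-side forwarder.
    Returns [(inbound_time, destination)]."""
    hits = []
    for t, direction, _, size in flows:
        if direction != "in":
            continue
        for t2, d2, host2, size2 in flows:
            if (d2 == "out" and host2 not in EXPECTED_HOSTS
                    and 0 <= t2 - t <= window
                    and abs(size2 - size) <= slack * size):
                hits.append((t, host2))
    return hits


if __name__ == "__main__":
    print("beaconing hosts:", beacons(FLOWS))          # {'reg.vendor.example': 60}
    print("forwarded copies:", forwarded_copies(FLOWS))
```

Neither check needs the message contents; both work on the carrier-side or enterprise-side flow metadata that an encrypted BES link still exposes.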


Everyone is laughing, but how do you know your cellphone didn't come with a bug-free version of that software already?
posted by blue_beetle at 11:15 AM on July 15, 2009


Everyone is laughing, but how do you know your cellphone didn't come with a bug-free version of that software already?

US citizen here so I feel confident that "They" already have all of my data.
posted by anti social order at 11:53 AM on July 15, 2009


Fucking amateurs.

You want a toe? Etisalat can get you a toe, believe me. There are ways. You don't wanna know about it. Ebn el Metanaka, they can get you a toe by 3 o'clock this afternoon... with embedded spyware. Insha'Allah.
posted by Smedleyman at 12:48 PM on July 15, 2009 [1 favorite]


In case the update was missed:

"the fact that the interception is done on the client device rather than on the ISP’s server — where it would normally be done — helps law enforcement, or whoever else might want to intercept the messages, circumvent encryption used by the sender of an e-mail, since it’s grabbing the message after it’s been decrypted on the recipient’s BlackBerry."
posted by -harlequin- at 1:42 PM on July 15, 2009


Is it illegal?
posted by ZaneJ. at 2:14 PM on July 15, 2009


from a friend of mine who is just recently back from 2 years in the UAE:

Figures. I forwarded it over to a friend of mine in Dubai. He just laughed and said the guys in the back alleys are already offering "fixes" that roll back to a previous firmware with a bogus version number.
posted by namewithoutwords at 2:25 PM on July 15, 2009


I forwarded it over to a friend of mine in Dubai. He just laughed and said the guys in the back alleys are already offering "fixes" that roll back to a previous firmware with a bogus version number.

And can they be sure that the back-alley fixes don't instead forward their email to the Russian Mafia or someone?
posted by acb at 4:32 PM on July 15, 2009


companies have VPNs to link offices

yep, OK, I'm with ya...

we have SMTP over TLS

sure, when I send & receive email using a dedicated client, it's secure...

and most consumer webmail services offer HTTPS

gmail? Yahoo! Mail? mobile me?

Oops, yes, gmail does offer https now, but the other two don't. That secures the server to client connection, but not the server-to-server mail relaying and the connection from my correspondent's client to his server. Yahoo, Google, Apple and others had the opportunity to support GPG for real end-to-end email security but they chose not to. Various parties have offered it in dedicated GUI mail clients, sometimes with nice integration (Mozilla Mail in 2001, mebbe?), but it never made it to webmail.

Carnivore and the NSA wiretapping were supposed to make ensuring your privacy more than an "eat your peas, they're good for you" irritation that you dealt with because it was a good idea in theory. It's provably necessary now, but I'm still not going to press my dad to send me a GPG key so I can discuss voting booth sniper attacks (in a Schneier-esque "movie plot" terrorism discussion) without worrying about a knock on the door.
posted by morganw at 6:28 PM on July 15, 2009
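morganw's distinction between per-hop TLS and end-to-end GPG comes down to which parties ever hold the plaintext. The following is an added example (not from the thread) that walks a message along an assumed mail path and records who could read it under each scheme; the path, the hop keys and the cipher stand-in are all constructed for the example.

```python
import hashlib


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in for TLS/AES so the example runs on the standard library alone:
    XOR with a SHA-256 keystream. Symmetric, so it also decrypts. Not for real use."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


toy_decrypt = toy_encrypt

# Assumed path: sender's client -> sender's webmail -> recipient's provider -> recipient.
PATH = ["alice", "gmail.example", "mail.corp.example", "bob"]
# Each TLS hop has its own session key known only to its two ends (constructed values).
HOP_KEYS = {("alice", "gmail.example"): b"tls-1",
            ("gmail.example", "mail.corp.example"): b"tls-2",
            ("mail.corp.example", "bob"): b"tls-3"}
E2E_KEY = b"gpg-alice-bob"   # known only to alice and bob


def who_can_read(message: bytes, end_to_end: bool) -> list:
    """Deliver `message` along PATH, stripping each hop's TLS layer the way the
    receiving relay must. Returns the parties, in order, that hold the plaintext."""
    payload = toy_encrypt(E2E_KEY, message) if end_to_end else message
    readers = []
    for src, dst in zip(PATH, PATH[1:]):
        key = HOP_KEYS[(src, dst)]
        on_wire = toy_encrypt(key, payload)   # what a tap on this link records: ciphertext
        payload = toy_decrypt(key, on_wire)   # dst removes the hop layer to relay onward
        if payload == message:
            readers.append(dst)               # dst has the readable message on disk/in RAM
    if end_to_end:
        payload = toy_decrypt(E2E_KEY, payload)   # only bob holds this key
        readers.append("bob")
    assert payload == message
    return readers


if __name__ == "__main__":
    print("hop-by-hop TLS:", who_can_read(b"meet at noon", end_to_end=False))
    print("end-to-end GPG:", who_can_read(b"meet at noon", end_to_end=True))
```

In both cases the recipient's device ends up with the plaintext, which is exactly why a hook on the handset (the point -harlequin- quotes above) works regardless of how the links are encrypted.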


Is it illegal?

/picks up John Yoo doll, shakes it, reads result.

Nope, completely legal. Go ahead.
posted by rokusan at 10:48 PM on July 15, 2009


At best you end up having to do some sort of MITM attack to defeat the encryption

Nah, at best you end up getting all the information you need from traffic analysis alone. (The people I know who like to be paranoid about this kind of thing are of the opinion that the spooks stopped trying to suppress crypto in the US because they have much better traffic analysis tools than anyone thinks they do.)
posted by hattifattener at 2:25 AM on July 16, 2009


Not surprisingly, SS8 has an office in the UAE. They also have an office in China.
posted by CG at 4:05 AM on July 16, 2009



