Monday, July 27, 2009

Mobile malware: Blackberry

Also in July we have the UAE's mobile cellular provider Etisalat serving up hostile Blackberry updates to their subscribers that includes interception code. From Wired:

The update was billed as a “performance-enhancement patch” by the UAE-based phone and internet service provider Etisalat, which issued the patch to its 100,000 subscribers.

The patch only drew attention after numerous users complained that it drained their BlackBerry battery and slowed performance, according to local publication ITP.

Nigel Gourlay, a Qatar-based programmer who examined the patch, told ITP that the patch contained “phone-home” code that instructed the BlackBerries to contact a server to register. But once the patch was installed, thousands of devices tried to contact the server simultaneously, crashing it and causing their batteries to drain.

“When the BlackBerry cannot register itself, it tries again and this causes the battery drain,” he said, noting that the spyware wouldn’t have drawn any attention if the company had simply configured the registration server to handle the load.

The spying part of the patch is switched off by default on installation, but switching it on would be a simple matter of pushing out a command from the server to any device, causing the device to then send a copy of the user’s subsequent e-mail and text messages to the server.

The spyware appears to have been developed by a U.S. company, which markets electronic surveillance software.

Gourlay obtained source code for the patch after someone posted it on a BlackBerry forum. He said the code contained the name “SS8.com,” which belongs to a U.S. company that, according to its web site, provides surveillance solutions for “lawful interception” to ISPs, law enforcement and intelligence agencies around the world.

Chris Wysopal from Veracode has a short breakdown of the code on his site that's worth perusing. From his conclusion:

The most alarming part about this whole situation is that people only noticed the malware because it was draining their batteries. The server receiving the initial registration packets (i.e. "Here I am, software is installed!") got overloaded. Devices kept trying to connect every five seconds to empty the outbound message queue, thereby causing a battery drain. Some people were reporting on official BlackBerry forums that their batteries were being depleted from full charge in as little as half an hour.

The final thing to mention is that the spyware does appear to be installed in a non-running state by default, where it's not actually exfiltrating data once the initial registration packet has gone out. However, using the command and control mechanism we described earlier, the carrier can remotely start/stop the service at will on a per-device basis.

The best technical breakdown of the code that I've seen is from Zensay labs and available here. The author's blog (company?) is here and talks at length about the whole situation, possibly remedies, future work, etc.

More interesting from my perspective how little coverage this mass distribution of spyware seems to be getting and the obvious lessons for someone trying to deploy malicious code on this scale. Also of interest is the reasoning behind pushing the code to the client instead of using the network as most other providers are probably doing today. A few people pointed out that this was probably done to circumvent the strong encryption mechanisms that RIM has put in place, which implies that the UAE doesn't have the ability to succesfully crack or MITM (man-in-the-middle) their encrypted data at the network.

Clearly testing these applications before massive field deployments would seem to be a good idea. The application itself, while naive seems to be sufficient for what they wanted to accomplish. But by not properly factoring the network requirements or thinking about various modes of failure the entire thing blew up in their faces. Or not, given that nothing seems to be happening yet.

A much more successful approach to spying on citizens using the cellular network is detailed in the "Athen's Affair", the UAE/Etisalat spying community should have read that first. In the "Athens Affair" an unknown party surrepticiously monitored a number of key government personnel for a good length of time and the personnel behind it remain undetected, it was only stumbled upon by chance.

Client-side spyware is difficult to deploy/monitor on massive scales, and will increase in complexity as people screw up the deployment and allow them to be detected and raise concern for all other future software deployments. And users and defenders have an equal challenge of determining trust... if you can't trust the software from your provider, manufacturer, or government (just found out about this INSLAW thing, some interesting reading/viewing on that one), or open source software, who do you trust?