Feeds

RIM fights BlackBerry snoop gaffe

Denies involvement in half-baked Etisalat scheme

SANS - Survey on application security programs

RIM, maker of the BlackBerry mobile phone, has told the Reg that Etisalat is talking tosh and the BlackBerry remains a secure platform, after the United Arab Emirates operator "patched" the device with surveillance software.

The "patch" which Etisalat sent out last week was actually a surveillance application, designed to make copies of received e-mails, despite the operator's claims that the software was designed to ease 2G to 3G handoffs. RIM has sent The Register a statement making it clear that such an operator-issued application simply could not interact with low-level radio functionality, and that there aren't any problems on Etisalat's network that needed fixing anyway.

RIM's statement is restrained: so restrained that one can hear the sound of gritted teeth between the words: "Etisalat also issued a press release that referred to the software as a BlackBerry Software Upgrade... RIM confirms that this software is not a patch and it is not a RIM authorized upgrade. RIM did not develop this software application and RIM was not involved in any way in the testing, promotion or distribution of this software application."

This would seem to fit the bill, as even our quick glance at the application demonstrated it wasn't very well written - certainly not up to RIM's standards. This was borne out by a far-more-detailed analysis from Sheran Gunasekera (pdf) who concluded that code of such a poor quality could only be "mistakenly rolled out or... an early release that was being tested."

RIM is only slightly less damning, in public at least. After all, Etisalat is a RIM customer, and the customer is always right, except when they're lying:

"RIM further confirms, in general terms, that a third party patch cannot provide any enhancements to network services as there is no capability for third parties to develop or modify the low level radio communications protocols that would be involved in making such improvements to the communications between a BlackBerry smartphone and a carrier’s network."

Just in case there was any doubt about RIM's position on the installation of spyware onto BlackBerry devices the company has provided a free tool to remove the software. RIM also sent us helpful advice for companies who wish to use the BlackBerry Enterprise Server to check if any of their users' devices have been infected with installed the patch*, along with details of how to prevent users installing such a thing in future.

The Etisalat "patch" was signed, but not by RIM, and users did have to give authorisation for the installation. Most users, however, will trust their network operators. Legal interception is an evolving problem, but it's one that needs open and honest debate, rather than half-arsed attempts at subterfuge: that kind of thing just gets embarrassing for all concerned.

* BES administrators can execute the following query against their BES database in order to determine if any of their users have installed the “Registration” software from Etisalat:

SELECT SyncDeviceMgmt.UserConfigID, SyncDeviceMgmt.ModuleName, UserConfig.PIN, UserConfig.DisplayName FROM SyncDeviceMgmt INNER JOIN UserConfig ON SyncDeviceMgmt.UserConfigID=UserConfig.Id WHERE SyncDeviceMgmt.ModuleName='Registration’

This will provide a list of impacted devices. You can then use this information to contact the relevant users and provide the appropriate removal instructions.

®

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.