UAE spying on citizens through an Etisalat BlackBerry update?


Etisalat, the carrier responsible for bringing the BlackBerry solution to the United Arab Emirates, released a very suspect official update. A member on the official support forums did some detective work, and found some suspicious code in the update. According to the user:

“Blackberry subscribers for Etisalat (one of the official service providers in the UAE) received a WAP Push to download a JAR named “registration”

The description of the “update” was as follows:

“Etisalat network upgrade for Blackberry service. Please download to ensure continuous service quality.”

I called the operator’s hotline inquiring about the update, and they confirmed it’s an “official” update that’s meant to enhance network stability, after the problems users experienced in the last few weeks that caused email and BBM delays. But anyone with two functional braincells would imagine such an update/fix would be done at the network side, rather than with an obscure piece of code pushed to client handsets as a WAP Push instead of a service book.

Out of curiosity, I downloaded, unpacked and decoded the file, and can’t help but feel something is fishy here.

Following is a list of the class files within registration.jar:

/Interceptor.class
/Registration.cod
/Registration.csl
/Registration.cso
/META-INF/MANIFEST.MF
/com/ss8/interceptor/app/Commands.class
/com/ss8/interceptor/app/Transmit.class
/com/ss8/interceptor/app/MsgOut.class
/com/ss8/interceptor/app/Log.class
/com/ss8/interceptor/app/Main$1.class
/com/ss8/interceptor/app/StatusChange.class
/com/ss8/interceptor/app/Send.class
/com/ss8/interceptor/app/Main.class
/com/ss8/interceptor/app/Recv.class
/com/ss8/interceptor/app/Constants.class
/com/ss8/interceptor/tcp/smtp/SMTPHeader.class
/com/ss8/interceptor/tcp/smtp/SMTP.class
com/ss8/interceptor/tcp/HTTPDeliver.class
com/ss8/interceptor/tcp/SocketBase.class

I put up the original JAD/JAR/COD File along with the unpacked classes and decoded ones in one zip file at http://iihs.net/registration.zip and attached it here for those interested in having a look.

There are interesting references in the software to alternate APN, as well as some BB PINs to relay certain messages through. The whole thing seems VERY fishy.

Any JAVA Developers out there willing to take a look as well and help me make sense out of this?”

42 Responses to “UAE spying on citizens through an Etisalat BlackBerry update?”

  1. DXB

    The real bummer is that Etisalat was announcing this “Performance Patch” for a whole week and the BB Messenger was really close to absolutely useless the week before (took minutes to deliver a message). So everybody was “in the right mood” for a performance boost. And then this is what you get: A lie in your face. Etisalat makes billions of profit with their nice duopoly in the UAE while we residents and locals are enjoying some of the world’s highest call prices, with VOIP services like Skype being banned.

    Thank you Etisalat, really very nice of you.

  2. muerl

    I took a quick peek at this; it basically seems to log STUFF (still trying to figure out what) and then either posts a large XML document to http://10.116.3.99:7095/bbupgr or emails it to “etisalat_upgr@etisalat.ae”, “bb_register@etislat.ae”.

    As far as I can tell the only occasions that this happens are when you connect to the network or when you come into data coverage or when a set of GUIDs are thrown by the global event listener.

    I think this is related to the registration messages you get when you bring a BlackBerry onto the network, and when you come into data services. These are the only two events that it seems concerned with, other than the GUIDs I don’t understand.

    I haven’t been fully through the code, but these are my initial theories.

    Anyway, if anyone has further theories send me a reply on Twitter @muerl

  3. kaediil

    You can see why this is draining the battery. They have a task set up to run every 5 seconds.

    TIMER.schedule(new TimerTask() {
        public void run() {
            Transmit xmit = null;
            // each tick: take whatever Transmit object is pending and queue it for upload
            if ((xmit = cmds.getTransmitObject()) != null)
                xmit.queueCentral();
            xmit = null;
        }
    }, 5000L, 5000L); // initial delay 5000 ms, then repeat every 5000 ms

  4. muerl

    Ignore what I said before.

    So, going on that, it might be more complex than I thought.

    Yea, they’re definitely recording email coming in and out. I missed this line the first time; it comes after all the other logic I dismissed as registration and device information code:

    MsgOut msgout = new MsgOut(log, sender, msg, false);
    msgout.start();

    The MsgOut run method didn’t decompile well, so it took me a few runs through that as well to figure out what was up. I can’t say for sure if it will do it in all cases, or what logic defines when Send.messageToCentral() is called, but it seems to be called for at least most messages that are sent and received by the device.

    Yea, this smells like BS to me.
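An added example, not code from the thread or from the sample itself: a small Python detector that runs the two delivery paths muerl describes (the HTTP drop point and the SMTP recipients quoted in these comments) over constructed proxy and mail log lines, so a network team can spot handsets that already carry the update. The log line format is an assumption, not a real appliance format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators quoted from the decompiled Transmit class in this thread:
# the HTTP drop point and the SMTP recipients the XML report is sent to.
EXFIL_HTTP_TARGET = "10.116.3.99:7095/bbupgr"
EXFIL_SMTP_RCPTS = {
    "etisalat_upgr@etisalat.ae",
    "bb_register@etislat.ae",  # domain misspelled exactly as in the sample
    "regbb@etisalat.ae",
}

# Constructed log format (an assumption, not a real appliance format):
#   <timestamp> <client-ip> http <METHOD> <host:port/path>
#   <timestamp> <client-ip> smtp RCPT <recipient>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<proto>http|smtp) (?P<verb>\S+) (?P<target>\S+)$"
)

@dataclass
class Hit:
    ts: str
    src: str
    reason: str

def check_line(line: str) -> Optional[Hit]:
    # Return a Hit when the line matches one of the two exfiltration paths.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proto, verb, target = m["proto"], m["verb"], m["target"]
    # Drop any query string before comparing; the sample posts to the bare path.
    if proto == "http" and verb == "POST" and target.partition("?")[0] == EXFIL_HTTP_TARGET:
        return Hit(m["ts"], m["src"], "HTTP POST to interceptor drop point")
    if proto == "smtp" and verb == "RCPT" and target.lower() in EXFIL_SMTP_RCPTS:
        return Hit(m["ts"], m["src"], "SMTP report to " + target.lower())
    return None

def scan(lines: List[str]) -> List[Hit]:
    return [h for h in map(check_line, lines) if h is not None]

# Constructed sample: two handsets, only 10.0.5.21 is running the "registration" app.
SAMPLE_LOG = [
    "2009-07-14T09:01:02 10.0.5.21 http POST 10.116.3.99:7095/bbupgr",
    "2009-07-14T09:01:07 10.0.5.21 smtp RCPT Etisalat_Upgr@etisalat.ae",
    "2009-07-14T09:01:09 10.0.5.22 http GET www.example.com/index.html",
    "2009-07-14T09:01:12 10.0.5.22 smtp RCPT alice@example.com",
]
```

Because the handset fires the timer every five seconds, the POST is repeated; correlating by source address rather than by single events keeps the alert volume manageable.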

  5. BlackBerryCool (BlackBerry Cool)

    UAE spying on citizens through an Etisalat BlackBerry update? http://bit.ly/122Swo

  6. blkboxstudioz (Tony Million)

    Great– UAE spying on citizens through an Etisalat BlackBerry update? http://bit.ly/122Swo–mills

  7. mikerlawson (Michael Lawson)

    RT @BlackBerryCool: UAE spying on citizens through an Etisalat BlackBerry update? http://bit.ly/122Swo

  8. CivilLizard (CivilLizard)

    RT: @BlackBerryCool: UAE spying on citizens through an Etisalat BlackBerry update? http://bit.ly/122Swo

  9. webchetan (webchetan)

    RT @BlackBerryCool UAE spying on citizens through an Etisalat BlackBerry update? http://bit.ly/122Swo

  10. blkboxstudioz (Tony Million)

    UAE spying on citizens through an Etisalat BlackBerry update? http://bit.ly/122Swo

  11. Koolpep (Koolpep)

    RT @BlackBerryCool: UAE spying on citizens through an Etisalat BlackBerry update? http://bit.ly/122Swo

  12. davidmccormack (David McCormack)

    @angelistiic Hey, were you complaining about your BB battery being drained after a recent OS update? Seen this story? http://bit.ly/122Swo

  13. akb

    This should clear things up..

    http://www.ss8.com/company-management.php

    Derek G. Roga

    Sr. Vice President, Business Development

    Derek joined SS8 in January of 2009 as part of the acquisition of OCI Mobile. As founder and owner of OCI Mobile, Derek successfully developed technology for smart phone interception. In 2005 Derek began developing the Middle East region to introduce the BlackBerry solution; he was the founder and CEO of EMS Mobile, which became RIM’s Strategic Channel Partner for the region. Previous positions within the wireless and mobility industry include: founder and CEO of Wall Street Communications, which started in 1998 to specifically launch the product that has now taken the world by storm – BlackBerry. Wall Street Communications, which then merged with Outercurve Technologies in 2000, became RIM’s most successful and prolific partner. Derek was the Chief Operating Officer and then went on to become the Chief Executive Officer of Outercurve Technologies. Derek started his career with what is now Morgan Stanley and holds a Bachelor of Science in Management from Saint Francis University.

  14. 007

    Anyone know how to remove or disable the patch? Haven’t been able to find anything out there about how to do so yet.

  15. JAD

    Has anyone worked out how to “undo” the patch yet? The impact on the battery is very annoying. Thanks

  16. 007

    Only solution so far is wiping the handheld, and
    a) restoring a previously backed-up profile that does not contain Etisalat’s update (believed to be contained in the “Applications Permissions” Database)
    b) reconfiguring profile from scratch

    Overwriting the “Applications Permissions” Database believed to contain the patch was unsuccessful – it appears that the “Applications Permissions” Database on the handheld cannot be overwritten, as other databases (contacts, tasks, URLs, etc…) can be.

  17. Matt

    Funny how the comment was deleted from blackberry forums….

  18. Kaarlisk
  19. Cláudio

    Sign in and compare: http://www.telecom360.com.br.

  20. Aws

    The following workaround overcomes the battery life and excessive heating problem.

    1- Go to Options

    2- Select Advanced Options

    3- Select Applications

    4- Press the Menu button

    5- Under which select “Modules”

    6- Start typing the word Registration

    7- Once found press the Menu button again

    8- Under which select “Edit Permissions”

    9- Set all three options and everything under them to Deny, so you end up with the following

    + Connection Deny

    + Interactions Deny

    + User Data. Deny

    10- Once done press the Menu button again.

    11- Select Save

    It is important to save the new settings. The blackberry may ask you to reboot to accept the changes made.

    The above workaround has solved the problem for most of the users, and I do not take any responsibility on my part. What have you got to lose? I did it and it solved my problem, but unfortunately the update is not removable.

    Best Regards,

  21. steely

    snip-snap from “Transmit.class”,
    –snip–
    http://10.116.3.99:7095/bbupgr ÷ ø /register /store  regbb@etisalat.ae etisalat_upgr@etisalat.ae  
     
     
    ù ú #com/ss8/interceptor/tcp/HTTPDeliver S û ü ý þ ÿ  java/lang/InterruptedException !com/ss8/interceptor/tcp/smtp/SMTP 10.116.3.99 bb_register@etislat.ae  mail.etisalat.ae ƒ „ ,net/rim/device/api/crypto/AESEncryptorEngine net/rim/device/api/crypto/AESKey EtisalatIsAProviderForBlackBerry ] ^ S é S e com/ss8/interceptor/app/Transmit
    –snap–
    and from the registration.cod:
    –snip–
    $ØMessage-ID: <  $ØName:  $ØNetworkStarted_  $ØPOST  $ØPlatformVersion ‘ $ØProfile/MIDP-2.0 Configuration/CLDC-1.0  $ØReason $ØRegistration
    $ØReply-To:  $ØSender:  $ØSent:  $ØServiceChange_  $ØState $ØSubject:  $ØTime  $ØTo:  $ØUName:  $ØUTF-8  $ØUnsupported content type
    –snap–
    this is a botnet, isn’t it?
    I think they got hacked by a “3rd party”.
    I’m sorry that I can’t run it,
    but I wonder what “registration” means
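An added example, not part of the thread: a Python triage check that opens a JAR and flags the class names from the listing in the original post together with the strings steely dumped from Transmit.class above, which is the kind of static check a helpdesk or BES admin could run on a pushed JAR before trusting it. The archive it builds is constructed with placeholder bodies and is not the real registration.jar.

```python
import io
import zipfile
from typing import Dict

# Indicators from this thread: the package the classes live in (original
# post), the delivery classes, and strings dumped from Transmit.class (steely).
SUSPECT_PKG = "com/ss8/interceptor/"
SUSPECT_CLASSES = {"Interceptor.class", "Transmit.class", "MsgOut.class",
                   "HTTPDeliver.class", "SMTP.class"}
SUSPECT_STRINGS = [b"10.116.3.99", b"/bbupgr", b"etisalat_upgr@etisalat.ae",
                   b"bb_register@etislat.ae", b"EtisalatIsAProviderForBlackBerry"]

def triage_jar(data: bytes) -> Dict:
    # Walk every entry of the archive; record package, class-name and string hits.
    report = {"package_hits": [], "class_hits": [], "string_hits": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        for name in jar.namelist():
            norm = name.lstrip("/")  # the posted listing mixes "/x" and "x"
            if norm.startswith(SUSPECT_PKG):
                report["package_hits"].append(norm)
            if norm.rsplit("/", 1)[-1] in SUSPECT_CLASSES:
                report["class_hits"].append(norm)
            blob = jar.read(name)
            found = [s.decode() for s in SUSPECT_STRINGS if s in blob]
            if found:
                report["string_hits"][norm] = found
    # Both the class layout and the hard-coded endpoints must match before we call it.
    report["verdict"] = ("interceptor" if report["class_hits"] and report["string_hits"]
                         else "clean")
    return report

def build_sample_jar() -> bytes:
    # Constructed stand-in for registration.jar: entry names copied from the
    # listing in the post, placeholder bodies, indicator strings only in Transmit.
    entries = {
        "/Interceptor.class": b"\xca\xfe\xba\xbe placeholder",
        "/Registration.cod": b"placeholder",
        "/META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "/com/ss8/interceptor/app/MsgOut.class": b"\xca\xfe\xba\xbe placeholder",
        "/com/ss8/interceptor/app/Transmit.class":
            b"\xca\xfe\xba\xbe http://10.116.3.99:7095/bbupgr etisalat_upgr@etisalat.ae "
            b"EtisalatIsAProviderForBlackBerry",
        "com/ss8/interceptor/tcp/HTTPDeliver.class": b"\xca\xfe\xba\xbe placeholder",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for entry, body in entries.items():
            z.writestr(entry, body)
    return buf.getvalue()
```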

  22. Tim Thompson

    Does anyone know if this will affect only Etisalat hosted BB customers or any BB that ‘roams’ whilst in the UAE?
    We have an office in Dubai where the users have UK based Vodafone BBs which connect to our BES in the UK.

    Cheers
    Tim

  23. Chris

    Here’s an analysis of the Etisalat spyware that I wrote up yesterday:

    http://www.veracode.com/blog/2009/07/blackberry-spyware-dissected/

  24. ae

    Aws: by attempting your remedy I get a pop-up every few seconds informing me ‘the application Registration has attempted to open an external connection which is not allowed by the current settings’

    This whole thing is driving me mad. Please someone offer solution!!

    :@

  25. Ch0pstick

    I’ve released a free tool that helps you reveal the Etisalat BB spyware. Once it’s revealed, you can uninstall it yourself. If you need more info, please visit: http://bit.ly/info/YNFsP

  26. Ahmed khalil

    From blackberry site
    Recently an update may have been provided to you by Etisalat for your BlackBerry Handheld via a WAP push. The Etisalat update is not a RIM-authorized update and was not developed by RIM. Independent sources have concluded that the Etisalat update is not designed to improve performance of your BlackBerry Handheld, but rather to send received messages back to a central server. RIM has developed this software (“Software”) that will enable you to remove the Etisalat update.

    You can find the update on the following link
    http://na.blackberry.com/eng/ataglance/security/regappremover.jsp
