UAE spying on citizens through an Etisalat BlackBerry update?

72 Comments


Etisalat, the carrier that brought the BlackBerry solution to the United Arab Emirates, has pushed out an official update that looks highly suspect. A member of the official support forums did some detective work and found suspicious code inside it. According to the user:

“Blackberry subscribers for Etisalat (one of the official service providers in the UAE) received a WAP Push to download a JAR named “registration”

The description of the “update” was as follows:

“Etisalat network upgrade for Blackberry service. Please download to ensure continuous service quality.”

I called the operator’s hotline inquiring about the update, and they confirmed it’s an “official” update that’s meant to fix the network stability problems users experienced over the last few weeks, which caused email and BBM delays. But anyone with two functional braincells would imagine such an update/fix would be done at the network side, rather than with an obscure piece of code pushed to client handsets as a WAP Push, rather than a service book.

Out of curiosity, I downloaded, unpacked and decoded the file, and can’t help but feel something is fishy here.

Following is a list of the class files within registration.jar:

/Interceptor.class
/Registration.cod
/Registration.csl
/Registration.cso
/META-INF/MANIFEST.MF
/com/ss8/interceptor/app/Commands.class
/com/ss8/interceptor/app/Transmit.class
/com/ss8/interceptor/app/MsgOut.class
/com/ss8/interceptor/app/Log.class
/com/ss8/interceptor/app/Main$1.class
/com/ss8/interceptor/app/StatusChange.class
/com/ss8/interceptor/app/Send.class
/com/ss8/interceptor/app/Main.class
/com/ss8/interceptor/app/Recv.class
/com/ss8/interceptor/app/Constants.class
/com/ss8/interceptor/tcp/smtp/SMTPHeader.class
/com/ss8/interceptor/tcp/smtp/SMTP.class
com/ss8/interceptor/tcp/HTTPDeliver.class
com/ss8/interceptor/tcp/SocketBase.class

I put up the original JAD/JAR/COD File along with the unpacked classes and decoded ones in one zip file at http://iihs.net/registration.zip and attached it here for those interested in having a look.

There are interesting references in the software to alternate APN, as well as some BB PINs to relay certain messages through. The whole thing seems VERY fishy.

Any Java developers out there willing to take a look as well and help me make sense out of this?”

  • DXB

    The real bummer is that Etisalat was announcing this “Performance Patch” for a whole week and the BB Messenger was really close to absolutely useless the week before (took minutes to deliver a message). So everybody was “in the right mood” for a performance boost. And then this is what you get: A lie in your face. Etisalat makes billions of profit with their nice duopoly in the UAE while we residents and locals are enjoying some of the world’s highest call prices, with VOIP services like Skype being banned.

    Thank you Etisalat, really very nice of you.

  • muerl

    I took a quick peek at this; it basically seems to log STUFF (still trying to figure out what) and then either posts a large XML document to http://10.116.3.99:7095/bbupgr or emails it to “etisalat_upgr@etisalat.ae”, “bb_register@etislat.ae”.

    As far as I can tell the only occasions that this happens are when you connect to the network, or when you come into data coverage, or when a set of GUIDs are thrown by the global event listener.

    I think this is related to the registration messages you get when you bring a BlackBerry onto the network, and when you come into data services. These are the only two events that it seems concerned with, other than the GUIDs I don’t understand.

    I haven’t been fully through the code, but these are my initial theories.

    Anyway, if anyone has further theories send me a reply on Twitter @muerl
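A static triage pass over a pushed JAR like the one listed in the post, covering what the class inventory and muerl's hardcoded endpoints give away without running anything on a handset. This is added example code, not the forum user's, muerl's, or SS8's; the in-memory archive below is a constructed stand-in for registration.jar that reuses the posted entry names and the reported URL and mail addresses, and the `flag` heuristics are this example's own.

```python
import io
import ipaddress
import re
import urllib.parse
import zipfile
from collections import Counter

# Constructed stand-in for registration.jar (the real archive is not embedded here).
# Entry names follow the class list in the post; the bodies are fake class files that
# carry only the hardcoded strings muerl reports finding in the decompile.
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as zf:
    zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMIDlet-Name: registration\n")
    zf.writestr("com/ss8/interceptor/app/Constants.class",
                b"\xca\xfe\xba\xbe\x00\x00\x00\x31http://10.116.3.99:7095/bbupgr\x00"
                b"etisalat_upgr@etisalat.ae\x00bb_register@etislat.ae\x00")
    zf.writestr("Interceptor.class", b"\xca\xfe\xba\xbe\x00\x00\x00\x31")
SAMPLE_JAR = _buf.getvalue()

URL_RE = re.compile(rb"https?://[\w.\-]+(?::\d+)?(?:/[\w.\-/]*)?")
EMAIL_RE = re.compile(rb"[\w.\-]+@[\w\-]+(?:\.[\w\-]+)+")

def triage_jar(data: bytes) -> dict:
    """Inventory the JAR's classes by package and pull hardcoded endpoints out of them."""
    report = {"packages": Counter(), "urls": set(), "emails": set()}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".class"):
                continue
            pkg = name.rpartition("/")[0].replace("/", ".") or "(default package)"
            report["packages"][pkg] += 1
            blob = zf.read(name)  # class-file constant pool keeps string literals in the clear
            report["urls"].update(m.decode() for m in URL_RE.findall(blob))
            report["emails"].update(m.decode() for m in EMAIL_RE.findall(blob))
    return report

def flag(report: dict) -> list:
    """Turn the inventory into findings an auditor of a pushed 'update' would act on."""
    findings = []
    for pkg in report["packages"]:
        if "intercept" in pkg.lower():
            findings.append(f"package name advertises interception: {pkg}")
    for url in sorted(report["urls"]):
        host = urllib.parse.urlsplit(url).hostname or ""
        try:
            if ipaddress.ip_address(host).is_private:
                findings.append(f"reports to a private, carrier-side address: {url}")
        except ValueError:
            pass  # a hostname rather than a literal IP
    if report["emails"]:
        findings.append("mails captured data to: " + ", ".join(sorted(report["emails"])))
    return findings
```

Pointing `triage_jar` at a real JAR file's bytes gives the same report; the constant-pool string scan is what surfaces the APN, PIN and endpoint references the post mentions before any decompiler is involved.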

  • kaediil

    You can see why this is draining the battery. They have a task set up to run every 5 seconds.

    TIMER.schedule(new TimerTask() {
        // Every tick: fetch the pending Transmit object, if any, and queue its
        // payload for delivery to the "central" endpoint.
        public void run() {
            Transmit xmit = null;
            if ((xmit = cmds.getTransmitObject()) != null)
                xmit.queueCentral();
            xmit = null;
        }
    }, 5000L, 5000L); // java.util.Timer.schedule(task, initial delay in ms, period in ms)

  • muerl

    Ignore what I said before.

    So, going on that, it might be more complex than I thought.

    Yea, they’re definitely recording email coming in and out. I missed this line the first time; it comes after all the other logic I dismissed as registration and device information code:

    MsgOut msgout = new MsgOut(log, sender, msg, false);
    msgout.start();

    The MsgOut run method didn’t decompile well, so it took me a few runs through that as well to figure out what was up. I can’t say for sure if it will do it in all cases, or what logic defines when Send.messageToCentral() is called, but it seems to be called for at least most messages that are sent and received by the device.

    Yea, this smells like BS to me.

  • http://twitter.com/BlackBerryCool/statuses/2615946123 BlackBerryCool (BlackBerry Coo

    UAE spying on citizens through an Etisalat BlackBerry update? http://bit.ly/122Swo

  • http://twitter.com/blkboxstudioz/statuses/2616019458 blkboxstudioz (Tony Million)

    Great– UAE spying on citizens through an Etisalat BlackBerry update? http://bit.ly/122Swo–mills

  • http://twitter.com/mikerlawson/statuses/2616118732 mikerlawson (Michael Lawson)

    RT @BlackBerryCool: UAE spying on citizens through an Etisalat BlackBerry update? http://bit.ly/122Swo

  • http://twitter.com/webchetan/statuses/2616151612 webchetan (webchetan)

    RT @BlackBerryCool UAE spying on citizens through an Etisalat BlackBerry update? http://bit.ly/122Swo

  • http://twitter.com/CivilLizard/statuses/2616144049 CivilLizard (CivilLizard)

    RT: @BlackBerryCool: UAE spying on citizens through an Etisalat BlackBerry update? http://bit.ly/122Swo

  • http://twitter.com/blkboxstudioz/statuses/2616238012 blkboxstudioz (Tony Million)

    UAE spying on citizens through an Etisalat BlackBerry update? http://bit.ly/122Swo

  • http://twitter.com/Koolpep/statuses/2617337692 Koolpep (Koolpep)

    RT @BlackBerryCool: UAE spying on citizens through an Etisalat BlackBerry update? http://bit.ly/122Swo

  • http://twitter.com/davidmccormack/statuses/2619721283 davidmccormack (David McCormac

    @angelistiic Hey, were you complaining about your BB battery being drained after a recent OS update? Seen this story? http://bit.ly/122Swo

  • akb

    This should clear things up...

    http://www.ss8.com/company-management.php

    Derek G. Roga

    Sr. Vice President, Business Development

    Derek joined SS8 in January of 2009 as part of the acquisition of OCI Mobile. As founder and owner of OCI Mobile, Derek successfully developed technology for smart phone interception. In 2005 Derek began developing the Middle East region to introduce the BlackBerry solution; he was the founder and CEO of EMS Mobile, which became RIM’s Strategic Channel Partner for the region. Previous positions within the wireless and mobility industry include: founder and CEO of Wall Street Communications, which started in 1998 to specifically launch the product that has now taken the world by storm – BlackBerry. Wall Street Communications, which then merged with Outercurve Technologies in 2000, became RIM’s most successful and prolific partner. Derek was the Chief Operating Officer and then went on to become the Chief Executive Officer of Outercurve Technologies. Derek started his career with what is now Morgan Stanley and holds a Bachelor of Science in Management from Saint Francis University.

  • 007

    Anyone know how to remove or disable the patch? Haven’t been able to find anything out there about how to do so yet.

  • JAD

    Has anyone worked out how to “undo” the patch yet? The impact on the battery is very annoying. Thanks

  • 007

    Only solution so far is wiping the handheld, and either
    a) restoring a previously backed-up profile that does not contain Etisalat’s update (believed to be contained in the “Applications Permissions” database), or
    b) reconfiguring the profile from scratch.

    Overwriting the “Applications Permissions” database believed to contain the patch was unsuccessful – it appears that the “Applications Permissions” database on the handheld cannot be overwritten the way other databases (contacts, tasks, URLs, etc…) can be.

  • Matt

    Funny how the comment was deleted from the BlackBerry forums...

  • Kaarlisk
  • http://www.telecom360.com.br/ Cláudio

    Sign in and compare: http://www.telecom360.com.br.
