Tuesday, 14 July 2009

Etisalat and SS8 hacking your Blackberry for (un)lawful interception

It seems the UAE had some trouble reading Blackberry communications and turned to SS8 for a solution. SS8 suggested an unobtrusive program to be loaded on all Etisalat customers' Blackberries. 'Trust me guv, nobody will notice'... yeah right. The programme eats batteries for lunch and the server it needed to communicate back with was overloaded (IDIOTS, like you don't know how many devices there are!). Annoyed Blackberry users saw their devices slow down to a crawl and started to complain. A little investigation later and a programmer found out the so-called performance upgrade rolled out to all Blackberry users was a snooping programme by the SS8 company.

As some of you might know, I've worked on data retention and lawful interception in the past. I was at the Ministry of Economic Affairs, writing obligations into the Dutch Telecommunications law (chapter 13). The rules of lawful interception are that:

  1. you perform it in a way that the target cannot identify whether he/she is being intercepted.
  2. the intercepted data is transferred to the government as is and with precautions against tampering with the data on the side of the telecommunications company and on the side of the law enforcement agency.
  3. all the communications of the target are intercepted, regardless of the service/channel used (so GSM, GPRS, UMTS etc)

The trouble is that a target may irritate a law enforcement agency by using encrypted communications. So when you intercept that according to the rules, you get intercepted communication that you can't read (but can still perform cool traffic analysis on; however, that is for a different post). In the past we've seen complaints about Skype and the German/Dutch Cryptophone. Blackberry is also one of the naughty boys who seem to have encryption in place. Not a very good one, as the NSA doesn't like it for Obama and, from what I can find on the net, the Indians claim to have cracked it.

For the UAE it seems to have been too difficult to do cryptanalysis on the Blackberry. They must have asked around the world of lawful interception vendors and found one who was able to sell them a 'solution'. From personal experience I can tell you that the world of lawful interception vendors is full of dodgy, shady, snake oil vendors. If ever you want to see some of them, go to the ISS world conference. It is way fun, as you can read in this Wired story :-) And, well, SS8 is one of the more respectable ones in this dodgy world. But they're still out to make a quick buck and now have been found with their pants down. This is not the way to do proper interception, and even if the technology had worked as advertised, chances are that some Blackberry developer would have figured this one out in no time and would have spilled the beans on-line. What programmer doesn't want to know how a proprietary performance update works?

Now the UAE is no democracy and it doesn't care much for 'rights', as demonstrated in this video, so it doesn't care about due process, but it does care about 'face', and I bet SS8 will have quite some trouble trying to save its master's face... or face a 'similar' punishment as the grain salesman in the video. (Who wants to bet that SS8 will not be at ISS World Dubai in 2010?)

Update: I did some searching around and came across this brilliant posting on the Blackberry boards. To really make everything very clear, the files in the update were in a directory named: ss8/interceptor... yeah right... like we don't have Google these days.

3 comments:

  1. Well written, thx.

  2. Remco van Mook, 15 July 2009 at 13:50

    It's not just Etisalat and SS8 who are embarrassed; the link to the posting on the Blackberry forums now says this:

    The message you are trying to access has been deleted. Please update your bookmarks.

  3. Thanks Remco,

    The link has been fixed now. The story is up again on the Blackberry forums, but under a different number.
