RIM warns Mideast customers of spyware
BlackBerry users in the Mideast business centres of Dubai and Abu Dhabi who were directed by their service provider to upgrade their phones were actually installing spy software that could allow outsiders to peer inside, according to the device's maker.
While many questions about the breach remain unanswered, including who ordered it sent and why, analysts say the disclosure highlights the security risks posed by increasingly popular smartphones like the BlackBerry.
Richard M. Smith, an internet security and privacy consultant at Boston Software Forensics, said smartphones are "the perfect personal spying devices" because as tiny computers they can be programmed to send back a broad range of information.
"This is an evolving threat. As the technology advances, the security problems follow behind," he said.
Research in Motion Ltd., the Waterloo, Ont.-based company that makes the mobile gadgets, said in a statement emailed Wednesday that it did not authorize the software installation and "was not involved in any way in the testing, promotion or distribution of this software application." It is directing customers on how to remove the software.
"Independent sources have concluded that it is possible that the installed software could ... enable unauthorized access to private or confidential information stored on the user's smartphone," the company said in an eight-page statement strongly distancing itself from the decision to install the software.
RIM disputes software was 'upgrade'
The Abu Dhabi-based mobile service provider Etisalat, which is majority owned by the United Arab Emirates government, earlier sent text messages to BlackBerry customers in the country instructing them to follow a link to update their phones. Etisalat says it has more than 145,000 BlackBerry users in the UAE.
Some customers who installed the new software said it quickly drained the device's batteries, prompting hundreds of complaints to Etisalat and sending users to internet message boards looking for ways to fix the problem.
In a statement issued following complaints last week, Etisalat described the software change as an "upgrade ... required for service enhancements." It said the upgrades were required and linked to a handover to the 3G wireless technology standard.
The BlackBerry maker dismissed that explanation.
"RIM is not aware of any technical network concerns with the performance of BlackBerry smartphones on Etisalat's network in the UAE," the company said, adding that it "does not endorse this software application."
Etisalat did not respond to requests for comment Wednesday.
RIM said the application users unwittingly installed was a surveillance program developed by a privately held Silicon Valley company called SS8 Networks Inc.
SS8 describes itself in a company brochure as "the leader in communications interception and a worldwide provider of regulatory compliant, electronic intercept and surveillance solutions." It markets its services to intelligence agencies, law enforcement and communication service providers.
Smartphones 'not inherently more secure': security expert
A person who answered the phone at SS8's Middle East office in Dubai declined to comment and refused to provide a name. He said the company's regional head, Derek Roga, was out of the country. A spokesman at the company's headquarters in Milpitas, Calif., could not be reached.
It is not clear why Etisalat encouraged users to install the application or if any private information was compromised. The company, one of two major telecommunications providers in the UAE, regularly blocks hundreds of web addresses — ranging from pornographic sites to the photo-sharing portal Flikr.com — in line with state censorship guidelines.
Etisalat operates phone networks in countries throughout the Middle East and Africa, but a BlackBerry spokeswoman said the device maker believes the snooping software was sent only to the operator's UAE customers.
Smith, the security and privacy consultant, said a data thief tapping into a smartphone in theory could turn on the microphone to listen in on a private conversation, provide a list of previous calls or send back the user's location.
Bruce Schneier, an author and chief security technology officer at BT, the British telecommunications operator, said smartphones are "not inherently more secure."
"We've mostly been protected because it's annoying and inconvenient to write software for these devices," he said.