Officials in the United Arab Emirates have put the BlackBerry smartphone under review as potential national security threat, according to WAM, the UAE's official state news agency.
BlackBerry "operates beyond the jurisdiction of national legislation since it is the only device ... that exports its data off-shore and is managed by a foreign commercial organization," according to a government statement reported by WAM.
As a result, "certain BlackBerry applications allow people to misuse the service, causing serious social, judicial and national security repercussions," the statement noted.
"We have been working for a long time to resolve these critical issues, with the objective of finding a solution that safeguards our consumers and operates within the boundaries of UAE law."
BlackBerry was introduced in the UAE in 2006, one year before the introduction of new national security legislation, the statement indicated.
Researcher: Middle East Blackberry Update Spies on Users:
In 2009 a BlackBerry update that a United Arab Emirates service provider pushed out to its customers contained a spyware that would allow the company to siphon and read the customers and subscriber's e-mail and text messages without the customer's knowledge, according to the researcher who examined the update and the spyware.
The update was billed as a “performance-enhancement patch” by the UAE-based phone and internet service provider Etisalat, which issued the patch to its 100,000 subscribers.
The patch only drew attention after numerous users complained that it drained their BlackBerry battery and slowed performance, according to local publication ITP.
Nigel Gourlay, a Qatar-based programmer who examined the patch, told ITP that the patch contained “phone-home” code that instructed the BlackBerries to contact a server to register. But once the patch was installed, thousands of devices tried to contact the server simultaneously, crashing it and causing their batteries to drain.
“When the BlackBerry cannot register itself, it tries again and this causes the battery drain,” he said, noting that the spyware wouldn’t have drawn any attention if the company had simply configured the registration server to handle the load.
The spying part of the patch is switched off by default on installation, but switching it on would be a simple matter of pushing out a command from the server to any device, causing the device to then send a copy of the user’s subsequent e-mail and text messages to the server.
The spyware appears to have been developed by a U.S. company, which markets electronic surveillance software.
Gourlay obtained source code for the patch after someone posted it on a BlackBerry forum. He said the code contained the name “SS8.com,” which belongs to a U.S. company that, according to its web site, provides surveillance solutions for “lawful interception” to ISPs, law enforcement and intelligence agencies around the world.
Neither Etisalat nor SS8 could be reached for comment.
UPDATE: Veracode has provided an analysis of the spyware source code. The spyware apparently is designed to encrypt messages it grabs from a BlackBerry before it sends them back to the server so that anyone intercepting the data en-route would not be able to read it.
Chris Wysopal, co-founder and chief technology officer of Veracode, pointed out that the fact that the interception is done on the client device rather than on the ISP’s server — where it would normally be done — helps law enforcement, or whoever else might want to intercept the messages, circumvent encryption used by the sender of an e-mail, since it’s grabbing the message after it’s been decrypted on the recipient’s BlackBerry.