The Case of the Stolen BlackBerry and the Awesome Chinese Hacking Skills

A high-level British government employee had his BlackBerry stolen by Chinese intelligence:

The aide, a senior Downing Street adviser who was with the prime minister on a trip to China earlier this year, had his BlackBerry phone stolen after being picked up by a Chinese woman who had approached him in a Shanghai hotel disco.

The aide agreed to return to his hotel with the woman. He reported the BlackBerry missing the next morning.

That can't look good on your annual employee review.

But it's this part of the article that has me confused:

Experts say that even if the aide’s device did not contain anything top secret, it might enable a hostile intelligence service to hack into the Downing Street server, potentially gaining access to No 10’s e-mail traffic and text messages.

Um, what? I assume the IT department just turned off the guy's password. Was this nonsense peddled to the press by the UK government, or is some "expert" trying to sell us something? The article doesn't say.

EDITED TO ADD (7/22): The first commenter makes a good point, which I didn't think of. The article says that it's Chinese intelligence:

A senior official said yesterday that the incident had all the hallmarks of a suspected honeytrap by Chinese intelligence.

But Chinese intelligence would be far more likely to clone the BlackBerry and then return it. Much better information that way. This is much more likely to be petty theft.

EDITED TO ADD (7/23): The more I think about this story, the less sense it makes. If you're a Chinese intelligence officer and you manage to get an aide to the British Prime Minister to have sex with one of your agents, you're not going to immediately burn him by stealing his BlackBerry. That's just stupid.

Posted on July 22, 2008 at 10:05 AM • 40 Comments

Comments

BetaJuly 22, 2008 10:16 AM

"Mr. Laurio, never trust a beautiful woman, especially one who's interested in you."

Honestly, isn't it more likely that this was just petty theft? I would expect a competent intelligence agent to copy the contents of the blackberry and leave the device where it was.

CalumJuly 22, 2008 10:23 AM

Sounds more like petty theft to me. As for the "expert", I think this is a case of an expert being browbeaten by a reporter into agreeing that on balance, a hacker with a Blackberry will find it easier than a hacker without a Blackberry to access Dowing Street's email. But the caveats will have been conveniently left out.

Paul LarsonJuly 22, 2008 10:25 AM

I would hope that the IT department did a KILL on the device from the BES server. The kill command is nice if you lose or have your device stolen. But, you still have the gap between lose and the issuing of the kill command to worry about.

Brandioch ConnerJuly 22, 2008 10:32 AM

First off, would they actually list "must have sex with foreigners" on the job app for Chinese agents? Or is this one of those "understood" things?

Secondly, I have to agree with the others so far. This sounds more like petty theft.

Thirdly, of course the "experts" are going to claim the situation is far more dire than it could possibly be. We've seen that time and time again. Who's going to go on record and say that something CANNOT happen when the story is just breaking?

It's about selling advertising. And people tune in for dire warnings of catastrophes.

The more catastrophic, the more dire, the larger the audience.

The retraction will be covered next month. On the back page. In one line.

Patrick CahalanJuly 22, 2008 10:37 AM

Well, petty theft or not in this particular case, it certainly illustrates a point about physical security. If the data's sensitive enough, you'd have to assume that a lost device represents information leakage (at least, in your IT planning). Then you don't care what actually happens to a device if it is lost, or if it is lost.

samJuly 22, 2008 10:41 AM

Which would you rather give as the explanation for losing your blackberry:

1. I picked up a cheap hooker and went to sleep while she took all my valuables because I trusted her.

2. A Chinese agent, highly trained in the art of seduction, managed to steal my blackberry while slipping into something more comfortable.

Andre LePlumeJuly 22, 2008 10:46 AM

Dude is lucky he didn't wind up in a tub filled with ice, and one of his kidneys missing.

LuisJuly 22, 2008 10:55 AM

"Downing Street BlackBerrys are password-protected but security officials said most are not encrypted. "

I would say this is one of the most important of the story, who know what was on that cell phone...


"Last week it emerged that US intelligence and security officials were debating whether to warn business people and other travellers heading to the Beijing Olympics about the dangers posed by Chinese computer hackers.

Joel Brenner, the US government’s top counter-intelligence official, warned: “So many people are going to the Olympics and are going to get electronically undressed.” "

this part is also good.

shouldn't this comentaries be considered racist? I mean, there are all kinds of criminals all over the world ... wht warn specifically about the chinese?

Martin SeebachJuly 22, 2008 11:07 AM

@Luis

No, it's not racism. It's the realization that, even though China puts on a nice show for foreigners, they should still be considered in the "enemy" category.

If a shady Chinese business man (and they exist) gets his hands on your latest confidential product design, he can start producing a cheap knock-off, and there isn't much you can do, besides going after his (western) clients one by one. Say bye-bye to the 2 bln consumers in the russian and domestic chinese markets.

If that happened in, say, Germany, you'd go red-faced to your lawyer and have him file a complaint, and that would be the end of that, but China conveniently doesn't care.

If it's secret, don't bring it into an un-free country.

NealJuly 22, 2008 11:24 AM

I'm just thinking I need a government job working as an aide to somebody who travels to China. What a great perk - hot Chinese chicks sexing you up to steal your phone. How cool is that!?

Honey MonsterJuly 22, 2008 11:26 AM

When I go on foreign trips I display honey pots for all those lovely foreign agency ladies.

I get to get my brains f**d out - they leave before breakfast with my worthless piece of s**t.

Sure is a sweet deal for me.

Honey Monster

havvokJuly 22, 2008 11:31 AM

@Luis:

"If a shady Chinese business man (and they exist) gets his hands on your latest confidential product design, he can start producing a cheap knock-off..."

"If it's secret, don't bring it into an un-free country."

That is such an interesting statement. What you really mean is "It it is intellectual property, don't bring it to a country that doesn't provide rigorous legal protection of IP."

I don't mean to imply that China is free, but protection of IP is not comparable to freedom.

LuisJuly 22, 2008 11:38 AM

@OneEyedCarmen:

People are going every where, to china, to south africa, to the UK, to Canada, to __________ insert name of a country here.

Did the issue the same warning to the sydney olympics?

@Martin Seebach :

So you say it's not racism because they should be put in the enemy categor, makes sense. good to know

and for the second part: never heard of clean room design, wich is a process to reverse engineering a product with out breaking the trade secrets and copy-rights (never mind patents since they are public to begin with) , so what would be the diference if a shady german business man(and they exist) did exactly that?

if it is a secret, don«t walk around with it, unless it is protect where ever you go...


Erik V. OlsonJuly 22, 2008 11:48 AM

Echoing Paul Larson. A corporate Blackberry uses BES -- the Blackberry Enterprise Server -- to talk to the local Exchange/Notes servers and send that traffic (encrypted) to the device.

One of the options on the BES is "Kill device" -- which erases the keys on the handheld, wipes the memory, and locks the SIM.

If Whitehall hasn't figured out -- or deliberately blocked -- the remote kill feature, the the phrase "Deserves to lose" leaps to mind.

You *have* to assume that confidential information will end up on the handheld of a user with access to such. It's just too easy to email stuff around, which is why RIM (correctly) designed the device as a fortress. I recall a bit of a row over India insisting that they get copies of the keys, and RIM seriously arguing that they would disable the service and stop selling in India before they give up the keys.

But if you're giving a Blackberry to someone with access to confidential information, you better be sure you can kill that box if he loses it.

TSJuly 22, 2008 12:51 PM

All the hallmarks of Chinese Intelligence? Hah. It has all the hallmarks of a stupid john getting ripped off by your average run-o-da-mill hooker.

Rogue MedicJuly 22, 2008 1:12 PM

The woman may have committed petty theft, but the reporter is committing grand larceny, by getting paid so much for misrepresenting so little. :-)

Doesn't the US examine the hard drive of computers going through customs? So, shouldn't we expect China to do the same?

MuerlJuly 22, 2008 1:14 PM

Erik V. Olson, thanks for saving me the effort of explaining remote kill.

I would also add that for 10 bad password attempts the phone wipes it self along with all stored email and data.

Certainly if there is no on device encryption it could be taken from the flash directly

LeeJuly 22, 2008 1:18 PM

This is a beautiful hack on the part of the Chinese (if that is truly the case), social engineering at it's best. The fact that the 'high-level British government employee' failed to associate his personal security, position and resources, with his carnal desires is not really surprising.

He probably thought his luck was in, and that it would be a once in a life-time experience. Yes it certainly was that!

It wouldn't surprise me if his real name was 'Dick Led'!

Paricular Random GuyJuly 22, 2008 1:26 PM

Whats the difference between getting your IT equipment stolen by a seductive woman or by a grumpy border security agent? :)

However I also come to petty theft after applying Occams' Razor.

sidelobeJuly 22, 2008 1:45 PM

BES can provide a VPN access to the subscriber's internal network. That lets the user access internal e-mail services and can support things like ssh and telnet clients, IM, etc. If this handset was able to reach its home service, it's possible that it was accessing an intranet.

Note that the remote kill feature only works if the handset can be contacted by the BES. If the user turns off the radio, or simply moves out of range of a cell tower that connects it (roaming or home) to the proper service provider , then the kill request will never reach the handset.

Note also that Blackberry handsets are often set up to lock themselves. In my limited experience, the lock feature on the RIM handsets is pretty effective.

Davi OttenheimerJuly 22, 2008 1:49 PM

"This is a beautiful hack on the part of the Chinese (if that is truly the case), social engineering at it's best."

Oh, I say it's a beautiful hack on the part of the British. A guy attractive enough to lure a Chinese agent back to his room is dispatched. He cleverly convinces her to abscond with his mobile phone. Now they have the ability to trace her movements among the clubs and record her conversations. Brilliant reverse play of the body snatcher, old chap.

Davi OttenheimerJuly 22, 2008 1:58 PM

"Note also that Blackberry handsets are often set up to lock themselves. In my limited experience, the lock feature on the RIM handsets is pretty effective."

Certainly is. The feature includes a self-destruct. A few brute-force attempts too many and the phone should erase its data. So the BES admin (assuming it was BES-attached) could have the template with a low tolerance (default is 10), and forced complexity.

Are we convinced he didn't just drop the phone at the bar or lose it in the gutter, or maybe a taxi, and then sketched a sexy spy story about a woman to save face.

EGJuly 22, 2008 2:30 PM

There is a special on China, broadcast on the Discovery channel. Ted Koppel is the jounalist and while my DVR munged the first two hours of the series, the last two have been facinating.

dragonfrogJuly 22, 2008 2:47 PM

Even if it was originally only petty theft, the Blackberry is very probably in the hands of intelligence services by now.

The intelligence services just have to talk to the hotel or nightclub staff, and find out who the fellow took to his room. Then they knock on her door, and either buy the thing off her at ten times what she could sell it for to a pawn shop, or find out what pawn shop she's already sold it to, and buy out all the blackberries in the store.

And if they hadn't already realized this had happened, they read the papers...

BryanJuly 22, 2008 3:18 PM

It seems to me that if an intelligence service wanted the data on the unit, they could wrap it in tin foil until it is examined in a Faraday cage environment. This would stop the kill command.

I'm sure that Blackberry's encrypted communications with sattelites are monitored and recorded by intelligence services.

With a purloined unit in hand, the adversary has the current key and examples of cleartexts that could be matched against intercepted communications.

Blackberry encryption is Triple DES or AES.

I don't know if the resources of a government could crack Triple DES given this info, but its a thought.

However, by knowing a particular unit's DES key, any deleted messages that were also intercepted could be reconstructed, couldn't they?

BallsJuly 22, 2008 3:50 PM

I remember going through training for this specific scenario, prior to obtaining US government security clearance.

We were instructed to be very wary of females coming up and being friendly.

I just thought the government was just player hating.

TSJuly 22, 2008 3:54 PM

If she was an agent, don't you think she would already have the password? It isn't hard to shoulder-surf a password, especially if she's already gotten familiar with him. I would think that one of the parameters of the mission would be to get the password.

MikeJuly 22, 2008 5:37 PM

Is it even possible to clone a modern cellphone using the digital networks? I know with analog it was cake.

paulJuly 22, 2008 7:50 PM

Aren't all the comments about the limited effectiveness of this attack based on the assumption that all the services the blackberry is talking to are properly secured, and that no one's machine back home is configured to treat bytes coming from that blackberry as trusted?

WilliamJuly 23, 2008 1:23 AM

My Chinese colleague is convinced that Chinese intelligence services are not in the habit of using sex this way. The Soviets certainly weren't above this sort of "honeytrap" for blackmail purposes, but Chinese citizens would be displeased if it were proved that their government had done this. I am inclined to believe that the Chinese government would not be willing to risk this kind of embarassment right before the Olympics. It could very well be a simple case of theft.

SteveLJuly 23, 2008 5:42 AM

1. It doesn't have to be the PRC at play; there are other countries nearby that could care for the emails. Taiwan?

2. How much traffic analysis could a government that had been logging encrypted blackberry comms now pull off? Could they go through old data and work out who was talking to who based on message times and sender/receiver info? Hopefully there is way too much blackberry data for this to have all be captured...

TimJuly 23, 2008 6:18 AM

Presumably that phone will contain the phone numbers of all the main Downing St players too? That would make it very valuable to anyone thinking of carrying out another phone tapping hack like happened to many members of the Greek Govt 2 years ago (Google for Vodafone Greece Tapping for more info about that). Unless, of course, they've already got that tap up & running...

Jonas GrumbyJuly 23, 2008 11:56 AM

I plan to buy people's old Blackberries and take them all to Beijing. Just the ticket to get hot secret agents to take you home for the night. Then, go back to your hotel, grab a new BB and go out the next night.

Martin DJuly 24, 2008 5:37 AM

How long to the Chines need to clone the BB? OK, cloning is the chinese core business. But even here it could be too early in the morning.

IainJuly 24, 2008 8:05 AM

There is so much spin in the Times article I felt dizzy reading it.

As has been said probably just petty theft.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..