Security Researchers Expose New Gold Standard In Government/Law Enforcement Spyware

from the tech-staff-rerouted-to-parallel-construction-site dept

If you've ever wondered just how far a government entity can embed itself in your personal electronic devices (without physically taking them out of the box and implanting hardware or firmware), the answer is pretty damn far.

Newly uncovered components of a digital surveillance tool used by more than 60 governments worldwide provide a rare glimpse at the extensive ways law enforcement and intelligence agencies use the tool to surreptitiously record and steal data from mobile phones.

The modules, made by the Italian company Hacking Team, were uncovered by researchers working independently of each other at Kaspersky Lab in Russia and the Citizen Lab at the University of Toronto's Munk School of Global Affairs in Canada, who say the findings provide great insight into the tradecraft behind Hacking Team's tools...

They allow, for example, for covert collection of emails, text messages, call history and address books, and they can be used to log keystrokes and obtain search history data. They can take screenshots, record audio from the phones to monitor calls or ambient conversations, hijack the phone's camera to snap pictures or piggyback on the phone's GPS system to monitor the user's location.
Hacking Team's tool can be deployed against Android and iOS devices, along with Blackberries and Windows Phones. And that's just the phone end of the spectrum. Hacking Team also has exploits that target desktop and laptop computers.

The software is fully "legal" and is used by intelligence and law enforcement agencies around the world. Kaspersky Lab's research managed to track down the location of several servers that act as collection points for the legal malware. Finishing in the top two spots by a wide margin were the United States… and Kazakhstan. The next three? UK, Canada and Ecuador. While Kaspersky cautiously notes that it's impossible to say whether these servers are controlled locally by law enforcement agencies, etc., that would be the most probable situation.
[I]t would make sense for LEAs to put their C&Cs in their own countries in order to avoid cross-border legal problems and the seizure of servers.
Hacking Team's spyware does its own reconnaissance before installing, sniffing out other software that might detect it, and once installed it does everything it can to remain undetected -- for example, sending and receiving data only while on a WiFi connection and carefully limiting anything that might noticeably affect battery life.
Once on a system, the iPhone module uses advanced techniques to avoid draining the phone's battery, turning on the phone's microphone, for example, only under certain conditions.

"They can just turn on the mic and record everything going on around the victim, but the battery life is limited, and the victim can notice something is wrong with the iPhone, so they use special triggers," says Costin Raiu, head of Kaspersky's Global Research and Analysis team.

One of those triggers might be when the victim's phone connects to a specific WiFi network, such as a work network, signaling the owner is in an important environment. "I can't remember having seen such advanced techniques in other mobile malware," he says.
While Hacking Team claims to only sell to NATO partners and countries that haven't been blacklisted for hosting oppressive regimes, there's some indication that its tools are still being used by governments to target dissent. Citizen Lab's research points out that Hacking Team's software has been "bundling" itself with certain versions of a legitimate Saudi news app ("Qatif Today") in order to covertly deploy its payload.
Using signatures developed as part of our ongoing research into "lawful intercept" malware developed by Hacking Team, we identified a suspicious Android installation package (APK). The file was a functional copy of the 'Qatif Today' (القطيف اليوم) news application bundled with a Hacking Team payload. Documents we have reviewed suggest that Hacking Team refers to this kind of mobile implant as an "Installation Package," where a legitimate third party application file is bundled with the implant. This kind of tactic with Android package implants has been seen in other targeted malware attacks (that do not use commercial "lawful intercept" products) including the LuckyCat campaign, and in attacks against Tibetan activists, and groups in the Uyghur community.
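One defender-side check for the repackaging tactic Citizen Lab describes above, as an added example that is neither Citizen Lab's detection signature nor any code from the page: it assumes you hold a trusted copy of the legitimate app and the fingerprint of its signing block, then flags a sample whose signer differs or whose archive contains code the trusted copy does not. Both APKs are constructed in memory (the manifest is plain text and the signature block is a marker string, purely for readability); no real Hacking Team or "Qatif Today" artifact is used.

```python
"""Added example (not Citizen Lab's signatures or any Hacking Team artifact):
flag an Android APK that has been repackaged with extra code by checking two
things a defender can do offline with only the ZIP container:

  1. the signature block under META-INF must match the fingerprint of the
     legitimate publisher's signing block (a repackager cannot reproduce the
     original developer's private key, so the block changes);
  2. the archive entries are diffed against a known-good copy, so an added
     DEX file, native library or altered manifest stands out.

Both APKs below are constructed in memory for illustration."""
import hashlib
import io
import zipfile

CODE_SUFFIXES = (".dex", ".so", ".jar")


def build_apk(entries):
    """Build a minimal APK-shaped ZIP in memory from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def entry_hashes(apk_bytes):
    """Map every file entry in the archive to the SHA-256 of its contents."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {info.filename: hashlib.sha256(zf.read(info)).hexdigest()
                for info in zf.infolist() if not info.is_dir()}


def signer_fingerprint(apk_bytes):
    """SHA-256 over the PKCS#7 signature block(s) in META-INF, or None if unsigned.

    The block embeds the signer's certificate, so hashing it whole is enough
    to separate 'same signer as the baseline' from 're-signed by someone else'."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        blocks = sorted(name for name in zf.namelist()
                        if name.startswith("META-INF/")
                        and name.upper().endswith((".RSA", ".DSA", ".EC")))
        if not blocks:
            return None
        digest = hashlib.sha256()
        for name in blocks:
            digest.update(zf.read(name))
        return digest.hexdigest()


def assess(sample, baseline, trusted_signer):
    """Return (kind, detail) findings; an empty list means the sample matches."""
    findings = []
    fingerprint = signer_fingerprint(sample)
    if fingerprint != trusted_signer:
        findings.append(("signer_mismatch", fingerprint))
    base, samp = entry_hashes(baseline), entry_hashes(sample)
    for name in sorted(set(samp) - set(base)):
        kind = "added_code" if name.endswith(CODE_SUFFIXES) else "added_entry"
        findings.append((kind, name))
    for name in sorted(set(base) & set(samp)):
        # META-INF changes are already covered by the signer check above.
        if base[name] != samp[name] and not name.startswith("META-INF/"):
            findings.append(("modified_entry", name))
    for name in sorted(set(base) - set(samp)):
        findings.append(("removed_entry", name))
    return findings


# Constructed stand-ins. The manifest is plain text here for readability;
# a real APK stores it as Android binary XML, and the signature block is a
# real PKCS#7 structure rather than a marker string.
LEGIT_ENTRIES = {
    "AndroidManifest.xml": b"<manifest package='example.news'/>",
    "classes.dex": b"dex\n035\x00 legitimate app code",
    "res/layout/main.xml": b"<LinearLayout/>",
    "META-INF/CERT.RSA": b"pkcs7 block carrying the publisher's certificate",
}
LEGIT_APK = build_apk(LEGIT_ENTRIES)
TRUSTED_SIGNER = signer_fingerprint(LEGIT_APK)

# The same app with an implant bundled in and re-signed with a different key.
REPACKAGED_APK = build_apk({
    **LEGIT_ENTRIES,
    "AndroidManifest.xml": b"<manifest package='example.news'>"
                           b"<uses-permission android:name='android.permission.RECORD_AUDIO'/>"
                           b"</manifest>",
    "classes2.dex": b"dex\n035\x00 implant code",
    "lib/armeabi/libhelper.so": b"\x7fELF implant native library",
    "META-INF/CERT.RSA": b"pkcs7 block carrying some other certificate",
})

if __name__ == "__main__":
    for kind, detail in assess(REPACKAGED_APK, LEGIT_APK, TRUSTED_SIGNER):
        print(f"{kind:16} {detail}")
```

On a real sample the signer check is the decisive one: any byte-level diff of resources can be noise between legitimate releases, but a signing block that does not hash to the publisher's known fingerprint means somebody else built the package. To compare declared permissions you would first decode the binary manifest with a tool such as apktool or androguard. Two caveats: newer APK signature schemes (v2 and later) place the signature in the APK Signing Block rather than under META-INF, so a sample with no META-INF block is "unknown", not "clean"; and a baseline must come from a source you trust (the publisher's store listing), not from the device under investigation.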
Kim Zetter at Wired also notes that it's been used to spy on a citizen journalist group in Morocco and to target a US woman who's been a vocal critic of Turkey's Gulen movement, the latter of which could create some serious complications if true.
Turkey is a member of the North Atlantic Treaty Organization alliance. If authorities there were behind the hack attack, it would mean that a NATO ally had attempted to spy on a U.S. citizen on U.S. soil, presumably without the knowledge or approval of U.S. authorities, and for reasons that don't appear to be related to a criminal or counter-terrorism investigation.
The legal framework surrounding the deployment of government malware is shaky at best, but creative readings of existing laws and seemingly insignificant wording in proposed laws governing surveillance could easily legitimize all-access packages like this one. Christopher Parsons at Toronto's Munk School of Global Affairs points out that the addition of just a few words to Canada's proposed anti-cyberbullying legislation (Bill C-13) would effectively give the government permission to deploy this spyware against its own citizens.
[U]nder proposed sub-section 492.1(2)

"[a] justice or judge who is satisfied by information on oath that there are reasonable grounds to believe that an offence has been or will be committed under this or any other Act of Parliament and that tracking an individual's movement by identifying the location of a thing that is usually carried or worn by the individual will assist in the investigation of the offence may issue a warrant authorizing a peace officer or a public officer to obtain that tracking data by means of a tracking device."

Tracking devices are defined as "a device, including a computer program within the meaning of subsection 342.1(2), that may be used to obtain or record tracking data or to transmit it by a means of telecommunication", and tracking data is broadly understood as "data that relates to the location of a transaction, individual or thing."

While the existing section 492.1 allows the installation of tracking devices, it doesn't refer to software, only hardware. The addition of 'computer programs' to the definitions of tracking devices means authorities – after receiving a warrant based on grounds to suspect – could covertly install computer programs that are designed to report on the location of targeted persons, devices (e.g. mobile phones), or vehicles. The government is attempting to legitimize the secretive installation of govware on devices for the purpose of tracking Canadians.
He goes on to note that the same wording also applies to "transmission data," meaning the government would have permission to both track location as well as intercept content using tools like those developed by Hacking Team.

The power of surveillance malware, as deployed by government agencies, has been discussed before, but the "arms race" that pits both intelligence/law enforcement agencies and actual criminals against the general public shows no sign of slowing down. At this point, authorities hardly even need to bother seeking the assistance of third parties like Google and Apple when seeking access to data and communications. They're already deep inside.


Filed Under: computers, mobile phones, security research, surveillance
Companies: hacking team


Reader Comments



  • Rich Kulawiec, 24 Jun 2014 @ 2:45pm

    This report isn't the scary part

    (Although it is excellent work on the part of the researchers.)

    The scary part is this: do you think this is the only project involving surveillance malware?

    (If so, why? Given what we've learned in the last year, why would you think that they'd only try once?)

    If you do not think this is the only project involving surveillance malware, then you share my working hypothesis that this is just one of many such efforts.

    And if this is just one of many such efforts, then it may not be the "best" one.

    If it's not the best one, then what can that software do?

    • John Fenderson (profile), 24 Jun 2014 @ 3:39pm

      Re: This report isn't the scary part

      "do you think this is the only project involving surveillance malware?"

      I work for a software security research and defense company, and I can tell you that it's certainly not. There are many such projects, coming from many actors. Governments, organized crime, individuals, etc. We find such malware on a regular basis.

      "If it's not the best one, then what can that software do?"

      Probably the same as this software -- it seems to have covered all the bases. What makes some malware "better" than others isn't the payload -- once in, the software can do anything it likes, so the only limit is imagination. The thing that makes some malware "better" is how well it evades attempts to prevent it from getting in, and how well it hides from detection.

      A theoretically perfect piece of malware would be completely undetectable. Fortunately, perfection is impossible.

      • Anonymous, 24 Jun 2014 @ 5:11pm

        Re: Re: This report isn't the scary part

        I know of a certain DVD decryption/ripping program with a limited free trial period. After the trial period expires the program no longer functions (they then want you to cough up money to purchase it, of course). You can uninstall it, wipe out traces of it in the registry, etc., all to no avail because if you install it again it will still tell you the trial period has expired. Well, the secret is in a certain file which is hidden so well one can't find it. Fortunately, there are a couple of programs that can find and eliminate that file. Run one of those and voila! Your trial period has been reset! By doing this you can use the program for free indefinitely.

        • Anonymous Coward, 24 Jun 2014 @ 6:14pm

          Re: Re: Re: This report isn't the scary part

          It's merely hidden the fact that the trial has been run before in the registry. A place where they can name it as an encrypted file and then vaguely reference it to another part of the registry to actually make the note it's been there. Part of the install process will go look for that hidden file notation. Get rid of that and suddenly there's no record you had a trial period.

          Many softwares use this method.

        • John Fenderson (profile), 25 Jun 2014 @ 8:13am

          Re: Re: Re: This report isn't the scary part

          Hiding things like that is a different thing. It's not at all sophisticated (usually, it's just a registry key with an unsuspicious name such as a GUID.) There's no active evasion involved.

  • Jim B., 24 Jun 2014 @ 2:50pm

    What the hell do you mean it is legal

    That been proven in a court of law yet? Just because a government can spy doesn't mean it is legal for them to do so. To hide behind a thin veil of national security is no way for a government to conduct itself.

    • Anonymous Coward, 24 Jun 2014 @ 4:58pm

      Re: What the hell do you mean it is legal

      That was my first reaction,

      "The software is fully "legal" and is used by intelligence and law enforcement agencies around the world."

      Please explain. Because if I were to deploy such a beast I would be some sort of terrorist hacker psycho subject to a massive SWAT raid using flash grenades, armored vehicles, fully automatic weapons and helicopters with the SAC on standby.

    • Eldakka (profile), 25 Jun 2014 @ 12:47am

      Re: What the hell do you mean it is legal

      What the hell do you mean it is legal
      That been proven in a court of law yet?


      If it has not been declared illegal in a court of law then ipso facto it is legal.

      Witness all the actions of the NSA that are defended as legal because no court of law has found those activities illegal. Of course, the Government is doing its best song-and-dance act to prevent these activities from being brought before the courts, thus avoiding a finding of illegality.

      • Anonymous Coward, 25 Jun 2014 @ 5:15am

        Re: Re: What the hell do you mean it is legal

        I thought there was at least one case where clandestine loading of spyware on a computer that does not belong to you was deemed illegal.

        • John Fenderson (profile), 25 Jun 2014 @ 7:45am

          Re: Re: Re: What the hell do you mean it is legal

          It's illegal in the US for ordinary people. There are ways for LEOs and government agencies to do it legally, though. It usually (but not always) requires a court order.

          Remember, what's legal or illegal is determined by Congress. If they say it's legal, then it is.

    • Anonymous Coward, 25 Jun 2014 @ 7:18am

      Re: What the hell do you mean it is legal

      It's legal because it's the government and they are powerful, have no oversight, no morals, no accountability, and therefore will do whatever they want. When will people realize this and stop asking how something is legal?

  • That One Guy (profile), 24 Jun 2014 @ 2:55pm

    Whack-a-mole time?

    Now that they've been found out, sounds like it's time for various groups and people to figure out ways to kill off or neutralize the spy programs/code altogether, if for no other reason than to annoy the agencies paying the company to slip it into people's phones.

  • Anonymous Anonymous Coward, 24 Jun 2014 @ 3:16pm

    Electronic Leashes

    I have a cell phone. It is in a box over here, and the battery is in another box, way over there. Look Ma, no leash!

    • jupiterkansas (profile), 24 Jun 2014 @ 3:27pm

      Re: Electronic Leashes

      Giving up all the conveniences of life is no answer to overreaching government surveillance.

      • Anonymous Anonymous Coward, 24 Jun 2014 @ 3:32pm

        Re: Re: Electronic Leashes

        Oh, it is not just about surveillance. It is about interruption. I am doing something, and someone someplace else with no inkling as to what I am up to feels the need to interrupt me. Since I no longer work, I no longer have to bend to an outsider's desires. There are other ways to contact me.

        • Anonymous Coward, 24 Jun 2014 @ 6:25pm

          Re: Re: Re: Electronic Leashes

          Please consider bagging your phone as a more convenient option than removing the battery. EDEC makes excellent products for this purpose. Given the current state of affairs, I've developed the habit of only unbagging my personal phone when I'm using it.

          Sometimes I can't believe it's come to this. And all in the name of keeping us safe. Feels the opposite of safe to me.

          • Anonymous Anonymous Coward, 24 Jun 2014 @ 6:35pm

            Re: Re: Re: Re: Electronic Leashes

            I ran through my options, in the end it was an economic one. If I only carried the phone to place calls, and had it either battery-less or in a Faraday bag, then its utility went way down, and justifying recurring monthly charges to make a few calls per month was just ridiculous. The pay as you go plan I tried once sunsetted your minutes if you did not use them in some time limit. For me, the best option was opt out.

  • Anonymous Coward, 24 Jun 2014 @ 6:41pm

    Keep voting for same shyster politicians, who allow this crap. You well deserve, suckers.

  • Whatever (profile), 25 Jun 2014 @ 1:43am

    This story is a perfect example of "what technology allows". It's a moral stand I learned from reading people like Mike Masnick, Rick Falkvinge, and the sainted Mr Lessig.

    Most of us carry a device with us with incredible computing power, microphones, cameras, and a near endless connection to the internet. It knows its own location, it knows where it is connected, and it probably knows about as much about you as a loved one might, maybe more. I doubt your loved ones know the type of night clubs and other establishments you visit when you are "out with friends". Because of that utility, you carry your smart phone everywhere, most people taking it into the washroom for a nice sitdown break even.

    Technology is such that adding a virus onto those devices isn't that hard. We are still in the relative infancy on these things, and much like the PC in the past, the wave of viruses, malware, and keyloggers came before the anti-virus software came to take care of most of the problems.

    Hacking Team's product is certainly morally wrong, but it is technically very possible. Just like piracy, just like "borrowing" your neighbor's semi-secured wi-fi, and just like applying a "patch" to software so it won't ask for a license, it's all possible and all done quite clearly because technology allows for it.

    Don't cry too loud when they do it, lest you sound like someone complaining about piracy or wi-fi theft.

    • That One Guy (profile), 25 Jun 2014 @ 2:30am

      Re:

      Oh yes, because copyright infringement and using someone's wi-fi is obviously so very similar to spyware on a phone/device that can scoop up a person's every communication and/or action involving that device. /s

    • Anonymous Coward, 25 Jun 2014 @ 5:24am

      Re:

      "Most of us carry a device with us with incredible computing power, microphones, cameras, and a near endless connection to the internet."
      - Exactly why I do not have a smart phone


      "you carry your smart phone everywhere"
      - nope, not even the dumb phone

      "Technology is such that adding a virus onto those devices isn't that hard"
      - But it is still illegal

      "Just like piracy,"
      - Loading spyware without permission on a computer you do not own is not just like piracy, war driving or patching software. This claim is lame at best.

      "Don't cry too loud when they do it, lest you sound like someone complaining about piracy or wi-fi theft."
      - Ok, now you just made yourself look stupid.

  • Dan G Difino, 25 Jun 2014 @ 6:50am

    Throw away our cell phones

    They allow, for example, for covert collection of emails, text messages, call history and address books, and they can be used to log keystrokes and obtain search history data. They can take screenshots, record audio from the phones to monitor calls or ambient conversations, hijack the phone's camera to snap pictures or piggyback on the phone's GPS system to monitor the user's location.

    In that everyone is not ditching their cell phones after such a revelation is definitely indicative of how fast this world is spinning out of control.

    • John Fenderson (profile), 25 Jun 2014 @ 9:00am

      Re: Throw away our cell phones

      Well, if people are going to throw out their cellphones over this, they should be equally compelled to stop using landline telephones, the internet, their cars, or increasingly, going outside at all.

      Avoiding the technology isn't a solution at all, as these invasions are only going to get more intrusive. We need to fix the problem at its root.

      • Anonymous Coward, 25 Jun 2014 @ 10:52am

        Re: Re: Throw away our cell phones

        Can you explain, please? Normally I'd agree, but I feel like such a popular market being disrupted would send a strong message to companies and governments alike; people are not okay with anything that allows surveillance of such an intense degree.

        Progress will inevitably keep going. We may be set back a couple of years, but the tradeoff is we'd likely see products develop in a way that keeps the STASI's wet dream from becoming a reality.

        • John Fenderson (profile), 25 Jun 2014 @ 12:54pm

          Re: Re: Re: Throw away our cell phones

          " I feel like such a popular market being disrupted would send a strong message to companies and governments alike"

          The government couldn't care less about disrupting the market, as is evidenced by the actions of the NSA et al. The telecoms also largely don't care about it, as it's far more important to them that they keep the government happy. If the government isn't happy, they might not be able to get the licenses and contracts they need.

      • Anonymous, 25 Jun 2014 @ 3:42pm

        Re: Re: Throw away our cell phones

        "Avoiding the technology isn't a solution at all...".
        I'd bet that the Amish are better prepared to survive than most of us in the "modern world".

        • Anonymous, 25 Jun 2014 @ 3:48pm

          Re: Re: Re: Throw away our cell phones

          To clarify: "...than most of us 'modern-worlders'".

        • John Fenderson (profile), 26 Jun 2014 @ 10:09am

          Re: Re: Re: Throw away our cell phones

          The Amish are better prepared to survive in the Amish world, not in the modern world. Besides, the Amish don't avoid technology -- they use lots of it -- they're just very selective about which technologies they use.

          You can't build that nice furniture without technology.

  • subvoice (profile), 25 Jun 2014 @ 7:38am

    serious complications?

    "Turkey is a member of the North Atlantic Treaty Organization alliance. If authorities there were behind the hack attack, it would mean that a NATO ally had attempted to spy on a U.S. citizen on U.S. soil, presumably without the knowledge or approval of U.S. authorities, and for reasons that don't appear to be related to a criminal or counter-terrorism investigation."

    Thank god that the U.S. is not doing such atrocious things....

  • TL (profile), 6 Feb 2015 @ 7:23am

    cell phone microphone

    a disabler device is available on ebay.com ....search "cell phone microphone disabler"

