Security Researchers Expose New Gold Standard In Government/Law Enforcement Spyware
from the tech-staff-rerouted-to-parallel-construction-site dept
If you've ever wondered just how far a government entity can embed itself in your personal electronic devices (without physically taking it out of the box and implanting hardware/firmware), the answer is pretty damn far.
Newly uncovered components of a digital surveillance tool used by more than 60 governments worldwide provide a rare glimpse at the extensive ways law enforcement and intelligence agencies use the tool to surreptitiously record and steal data from mobile phones.
Hacking Team's tool can be deployed against Android and iOS devices, along with Blackberries and Windows Phones. And that's just the phone end of the spectrum. Hacking Team also has exploits that target desktop and laptop computers.
The modules, made by the Italian company Hacking Team, were uncovered by researchers working independently of each other at Kaspersky Lab in Russia and the Citizen Lab at the University of Toronto's Munk School of Global Affairs in Canada, who say the findings provide great insight into the tradecraft behind Hacking Team's tools...
They allow, for example, for covert collection of emails, text messages, call history and address books, and they can be used to log keystrokes and obtain search history data. They can take screenshots, record audio from the phones to monitor calls or ambient conversations, hijack the phone's camera to snap pictures or piggyback on the phone's GPS system to monitor the user's location.
The software is fully "legal" and is used by intelligence and law enforcement agencies around the world. Kaspersky Lab's research managed to track down the location of several servers that act as collection points for the legal malware. Finishing in the top two spots by a wide margin were the United States… and Kazakhstan. The next three? UK, Canada and Ecuador. While Kaspersky cautiously notes that it's impossible to say whether these servers are controlled locally by law enforcement agencies, etc., that would be the most probable situation.
[I]t would make sense for LEAs to put their C&Cs in their own countries in order to avoid cross-border legal problems and the seizure of servers.
Hacking Team's spyware does its own recon in order to sniff out other software that might detect it before installing and, once installed, does everything it can to remain undetected -- for example, sending and receiving data only while connected to Wi-Fi and carefully limiting anything that might noticeably affect battery life.
Once on a system, the iPhone module uses advanced techniques to avoid draining the phone's battery, turning on the phone's microphone, for example, only under certain conditions.
While Hacking Team claims to only sell to NATO partners and countries that haven't been blacklisted for hosting oppressive regimes, there's some indication that its tools are still being used by governments to target dissent. Citizen Lab's research points out that Hacking Team's software has been "bundled" with certain versions of a legitimate Saudi news app ("Qatif Today") in order to covertly deploy its payload.
"They can just turn on the mic and record everything going on around the victim, but the battery life is limited, and the victim can notice something is wrong with the iPhone, so they use special triggers," says Costin Raiu, head of Kaspersky's Global Research and Analysis team.
One of those triggers might be when the victim's phone connects to a specific WiFi network, such as a work network, signaling the owner is in an important environment. "I can't remember having seen such advanced techniques in other mobile malware," he says.
Using signatures developed as part of our ongoing research into "lawful intercept" malware developed by Hacking Team, we identified a suspicious Android installation package (APK). The file was a functional copy of the 'Qatif Today' (القطيف اليوم) news application bundled with a Hacking Team payload. Documents we have reviewed suggest that Hacking Team refers to this kind of mobile implant as an "Installation Package," where a legitimate third party application file is bundled with the implant. This kind of tactic with Android package implants has been seen in other targeted malware attacks (that do not use commercial "lawful intercept" products) including the LuckyCat campaign, and in attacks against Tibetan activists, and groups in the Uyghur community.
Kim Zetter at Wired also notes that it's been used to spy on a citizen journalist group in Morocco and to target a US woman who's been a vocal critic of Turkey's Gulen movement, the latter of which could create some serious complications if true.
Turkey is a member of the North Atlantic Treaty Organization alliance. If authorities there were behind the hack attack, it would mean that a NATO ally had attempted to spy on a U.S. citizen on U.S. soil, presumably without the knowledge or approval of U.S. authorities, and for reasons that don't appear to be related to a criminal or counter-terrorism investigation.
The legal framework surrounding the deployment of government malware is shaky at best, but creative readings of existing laws and seemingly insignificant wording in proposed laws governing surveillance could easily legitimize all-access packages like this one. Christopher Parsons at Toronto's Munk School of Global Affairs points out that the addition of just a few words into Canada's proposed anti-cyberbullying legislation (Bill C-13) would effectively give the government permission to deploy this spyware against its own citizens.
[U]nder proposed sub-section 492.1(2) "[a] justice or judge who is satisfied by information on oath that there are reasonable grounds to believe that an offence has been or will be committed under this or any other Act of Parliament and that tracking an individual's movement by identifying the location of a thing that is usually carried or worn by the individual will assist in the investigation of the offence may issue a warrant authorizing a peace officer or a public officer to obtain that tracking data by means of a tracking device."
Tracking devices are defined as "a device, including a computer program within the meaning of subsection 342.1(2), that may be used to obtain or record tracking data or to transmit it by a means of telecommunication", and tracking data is broadly understood as "data that relates to the location of a transaction, individual or thing."
While the existing section 492.1 allows the installation of tracking devices, it doesn't refer to software, only hardware. The addition of 'computer programs' to the definition of tracking devices means authorities – after receiving a warrant based on grounds to suspect – could covertly install computer programs that are designed to report on the location of targeted persons, devices (e.g. mobile phones), or vehicles. The government is attempting to legitimize the secretive installation of govware on devices for the purpose of tracking Canadians.
He goes on to note that the same wording also applies to "transmission data," meaning the government would have permission to both track location as well as intercept content using tools like those developed by Hacking Team.
The power of surveillance malware, as deployed by government agencies, has been discussed before, but the "arms race" that pits both intelligence/law enforcement agencies and actual criminals against the general public shows no sign of slowing down. At this point, authorities hardly even need to bother seeking the assistance of third parties like Google and Apple when seeking access to data and communications. They're already deep inside.
Filed Under: computers, mobile phones, security research, surveillance
Companies: hacking team
Reader Comments
This report isn't the scary part
The scary part is this: do you think this is the only project involving surveillance malware?
(If so, why? Given what we've learned in the last year, why would you think that they'd only try once?)
If you do not think this is the only project involving surveillance malware, then you share my working hypothesis that this is just one of many such efforts.
And if this is just one of many such efforts, then it may not be the "best" one.
If it's not the best one, then what can that software do?
Re: This report isn't the scary part
I work for a software security research and defense company, and I can tell you that it's certainly not. There are many such projects, coming from many actors. Governments, organized crime, individuals, etc. We find such malware on a regular basis.
"If it's not the best one, then what can that software do?"
Probably the same as this software -- it seems to have covered all the bases. What makes some malware "better" than others isn't the payload -- once in, the software can do anything it likes, so the only limit is imagination. The thing that makes some malware "better" is how well it evades attempts to prevent it from getting in, and how well it hides from detection.
A theoretically perfect piece of malware would be completely undetectable. Fortunately, perfection is impossible.
Re: Re: Re: This report isn't the scary part
Many software products use this method.
What the hell do you mean it is legal
Re: What the hell do you mean it is legal
"The software is fully "legal" and is used by intelligence and law enforcement agencies around the world."
Please explain. Because if I were to deploy such a beast I would be some sort of terrorist hacker psycho subject to a massive SWAT raid using flash grenades, armored vehicles, fully automatic weapons and helicopters, with the SAC on standby.
Re: What the hell do you mean it is legal
If it has not been declared illegal in a court of law then ipso facto it is legal.
Witness all the actions of the NSA that are defended as legal because no court of law has found those activities illegal. Of course, the Government is doing its best song-and-dance act to prevent these activities from being brought before the courts, thus avoiding a finding of illegality.
Re: Re: Re: What the hell do you mean it is legal
Remember, what's legal or illegal is determined by Congress. If they say it's legal, then it is.
Whack-a-mole time?
Electronic Leashes
Re: Re: Re: Electronic Leashes
Sometimes I can't believe it's come to this. And all in the name of keeping us safe. Feels the opposite of safe to me.
Most of us carry a device with us with incredible computing power, microphones, cameras, and a near endless connection to the internet. It knows its own location, it knows where it is connected, and it probably knows about as much about you as a loved one might, maybe more. I doubt your loved ones know the type of night clubs and other establishments you visit when you are "out with friends". Because of that utility, you carry your smart phone everywhere, most people even taking it into the washroom for a nice sitdown break.
Technology is such that adding a virus onto those devices isn't that hard. We are still in the relative infancy on these things, and much like the PC in the past, the wave of viruses, malware, and keyloggers came before the anti-virus software came to take care of most of the problems.
Hacking Team's product is certainly morally wrong, but it is technically very possible. Just like piracy, just like "borrowing" your neighbor's semi-secured wi-fi, and just like applying a "patch" to software so it won't ask for a license, it's all possible and all done quite clearly because technology allows for it.
Don't cry too loud when they do it, lest you sound like someone complaining about piracy or wi-fi theft.
Re:
- Exactly why I do not have a smart phone
"you carry your smart phone everywhere"
- nope, not even the dumb phone
"Technology is such that adding a virus onto those devices isn't that hard"
- But it is still illegal
"Just like piracy,"
- Loading spyware without permission on a computer you do not own is not just like piracy, war driving or patching software. This claim is lame at best.
"Don't cry too loud when they do it, lest you sound like someone complaining about piracy or wi-fi theft."
- Ok, now you just made yourself look stupid.
Throw away our cell phones
In that everyone is not ditching their cell phones after such a revelation is definitely indicative of how fast this world is spinning out of control.
Re: Throw away our cell phones
Avoiding the technology isn't a solution at all, as these invasions are only going to get more intrusive. We need to fix the problem at its root.
Re: Re: Throw away our cell phones
Progress will inevitably keep going. We may be set back a couple of years, but the tradeoff is we'd likely see products develop in a way that keeps the STASI's wet dream from becoming a reality.
Re: Re: Re: Throw away our cell phones
The government couldn't care less about disrupting the market, as is evidenced by the actions of the NSA et al. The telecoms also largely don't care about it, as it's far more important to them that they keep the government happy. If the government isn't happy, they might not be able to get the licenses and contracts they need.
Re: Re: Throw away our cell phones
I'd bet that the Amish are better prepared to survive than most of us in the "modern world".
Re: Re: Re: Throw away our cell phones
You can't build that nice furniture without technology.
serious complications?
Thank god that the U.S. is not doing such atrocious things....
cell phone microphone