Security Researchers Expose New Gold Standard In Government/Law Enforcement Spyware

from the tech-staff-rerouted-to-parallel-construction-site dept

If you've ever wondered just how far a government entity can embed itself in your personal electronic devices (without physically taking them out of the box and implanting hardware/firmware), the answer is pretty damn far.

Newly uncovered components of a digital surveillance tool used by more than 60 governments worldwide provide a rare glimpse at the extensive ways law enforcement and intelligence agencies use the tool to surreptitiously record and steal data from mobile phones.

The modules, made by the Italian company Hacking Team, were uncovered by researchers working independently of each other at Kaspersky Lab in Russia and the Citizen Lab at the University of Toronto's Munk School of Global Affairs in Canada, who say the findings provide great insight into the tradecraft behind Hacking Team's tools...

They allow, for example, for covert collection of emails, text messages, call history and address books, and they can be used to log keystrokes and obtain search history data. They can take screenshots, record audio from the phones to monitor calls or ambient conversations, hijack the phone's camera to snap pictures or piggyback on the phone's GPS system to monitor the user's location.
Hacking Team's tool can be deployed against Android and iOS devices, along with Blackberries and Windows Phones. And that's just the phone end of the spectrum. Hacking Team also has exploits that target desktop and laptop computers.

The software is fully "legal" and is used by intelligence and law enforcement agencies around the world. Kaspersky Lab's research managed to track down the location of several servers that act as collection points for the legal malware. Finishing in the top two spots by a wide margin were the United States… and Kazakhstan. The next three? UK, Canada and Ecuador. While Kaspersky cautiously notes that it's impossible to say whether these servers are controlled locally by law enforcement agencies, etc., that would be the most probable situation.
[I]t would make sense for LEAs to put their C&Cs in their own countries in order to avoid cross-border legal problems and the seizure of servers.
Hacking Team's spyware does its own recon before installing, in order to sniff out other software that might detect it, and, once installed, does everything it can to remain undetected -- like sending and receiving data only over a Wi-Fi connection and carefully limiting anything that might noticeably affect battery life.
Once on a system, the iPhone module uses advanced techniques to avoid draining the phone's battery, turning on the phone's microphone, for example, only under certain conditions.

"They can just turn on the mic and record everything going on around the victim, but the battery life is limited, and the victim can notice something is wrong with the iPhone, so they use special triggers," says Costin Raiu, head of Kaspersky's Global Research and Analysis team.

One of those triggers might be when the victim's phone connects to a specific WiFi network, such as a work network, signaling the owner is in an important environment. "I can't remember having seen such advanced techniques in other mobile malware," he says.
While Hacking Team claims to only sell to NATO partners and countries that haven't been blacklisted for hosting oppressive regimes, there's some indication that its tools are still being used by governments to target dissent. Citizen Lab's research points out that Hacking Team's software has been "bundling" itself with certain versions of a legitimate Saudi news app ("Qatif Today") in order to covertly deploy its payload.
Using signatures developed as part of our ongoing research into "lawful intercept" malware developed by Hacking Team, we identified a suspicious Android installation package (APK). The file was a functional copy of the 'Qatif Today' (القطيف اليوم) news application bundled with a Hacking Team payload. Documents we have reviewed suggest that Hacking Team refers to this kind of mobile implant as an "Installation Package," where a legitimate third party application file is bundled with the implant. This kind of tactic with Android package implants has been seen in other targeted malware attacks (that do not use commercial "lawful intercept" products) including the LuckyCat campaign, and in attacks against Tibetan activists, and groups in the Uyghur community.
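An added example, not code from Citizen Lab, Kaspersky or Hacking Team: a repackaging check of the kind that surfaces an implant bundled into a legitimate APK, given a known-good copy of the same app. A repackager cannot re-sign with the original developer's private key, and an implant with the capabilities listed above has to request permissions a news app never needed, so comparing signer certificates and requested permissions catches the "Installation Package" tactic without any implant-specific signature. It assumes a plain-text manifest and an opaque signer file in place of the binary XML and PKCS#7 block a real APK carries; the package name, permissions and file contents are constructed fixtures.

```python
"""
Added example (not Citizen Lab's, Kaspersky's or Hacking Team's code):
triage of a suspicious APK against a known-good copy of the same app.

Assumptions: a real APK carries a binary-XML AndroidManifest.xml and a
PKCS#7 signature block under META-INF/; here both are stood in for by a
plain-text manifest and an opaque signer blob so the example runs offline.
The package name, permissions and file lists below are constructed.
"""
import hashlib
import io
import re
import zipfile

# Permissions that correspond to the implant capabilities described in the
# article; an update to a news app that suddenly asks for these is a red flag.
SENSITIVE_PERMISSIONS = {
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_WIFI_STATE",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}

_PERM_RE = re.compile(r'<uses-permission[^>]*android:name="([^"]+)"')


def build_apk(entries):
    """Construct an in-memory zip standing in for an APK (test fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def inspect_apk(apk_bytes):
    """Extract what the diff needs: file list, requested permissions, signer hashes."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = set(zf.namelist())
        manifest = zf.read("AndroidManifest.xml").decode("utf-8", "replace")
        perms = set(_PERM_RE.findall(manifest))
        signer_files = [
            n for n in names
            if n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))
        ]
        signers = {hashlib.sha256(zf.read(n)).hexdigest() for n in signer_files}
    return {"files": names, "permissions": perms, "signers": signers}


def diff_apks(known_good, suspect):
    """Report what the suspect package has that the known-good one does not."""
    good, bad = inspect_apk(known_good), inspect_apk(suspect)
    added_perms = sorted(bad["permissions"] - good["permissions"])
    return {
        "signer_changed": good["signers"] != bad["signers"],
        "added_permissions": added_perms,
        "added_sensitive_permissions": sorted(set(added_perms) & SENSITIVE_PERMISSIONS),
        "added_files": sorted(bad["files"] - good["files"]),
    }


def is_repackaged(report):
    """A changed signer or new sensitive permissions is enough to pull the sample for analysis."""
    return report["signer_changed"] or bool(report["added_sensitive_permissions"])


# --- constructed fixtures -------------------------------------------------
GOOD_MANIFEST = """<manifest package="com.example.localnews">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
</manifest>"""

TROJANIZED_MANIFEST = GOOD_MANIFEST.replace("</manifest>", """  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
</manifest>""")

GOOD_APK = build_apk({
    "AndroidManifest.xml": GOOD_MANIFEST,
    "classes.dex": b"dex\n035\x00original app code",
    "META-INF/CERT.RSA": b"signer:developer-key",  # stand-in for the PKCS#7 block
})

SUSPECT_APK = build_apk({
    "AndroidManifest.xml": TROJANIZED_MANIFEST,
    "classes.dex": b"dex\n035\x00original app code",
    "classes2.dex": b"dex\n035\x00bundled payload",  # extra code the original lacked
    "META-INF/CERT.RSA": b"signer:repackager-key",   # re-signed with a different key
})

if __name__ == "__main__":
    report = diff_apks(GOOD_APK, SUSPECT_APK)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("repackaged:", is_repackaged(report))
```

The signer comparison is the check that holds up best: the added-permission heuristic can be evaded by an implant that only asks for what the host app already had, but a package re-signed with a different key is not the developer's build, whatever its manifest says. Against a real APK the same two checks apply once the manifest is decoded from binary XML and the certificate is pulled from the signature block.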
Kim Zetter at Wired also notes that it's been used to spy on a citizen journalist group in Morocco and to target a US woman who's been a vocal critic of Turkey's Gulen movement, the latter of which could create some serious complications if true.
Turkey is a member of the North Atlantic Treaty Organization alliance. If authorities there were behind the hack attack, it would mean that a NATO ally had attempted to spy on a U.S. citizen on U.S. soil, presumably without the knowledge or approval of U.S. authorities, and for reasons that don't appear to be related to a criminal or counter-terrorism investigation.
The legal framework surrounding the deployment of government malware is shaky at best, but creative readings of existing laws and seemingly insignificant wording in proposed laws governing surveillance could easily legitimize all-access packages like this one. Christopher Parsons at Toronto's Munk School of Global Affairs points out that the addition of just a few words to Canada's proposed anti-cyberbullying legislation (Bill C-13) would effectively give the government permission to deploy this spyware against its own citizens.
[U]nder proposed sub-section 492.1(2)

"[a] justice or judge who is satisfied by information on oath that there are reasonable grounds to believe that an offence has been or will be committed under this or any other Act of Parliament and that tracking an individual's movement by identifying the location of a thing that is usually carried or worn by the individual will assist in the investigation of the offence may issue a warrant authorizing a peace officer or a public officer to obtain that tracking data by means of a tracking device."

Tracking devices are defined as "a device, including a computer program within the meaning of subsection 342.1(2), that may be used to obtain or record tracking data or to transmit it by a means of telecommunication", and tracking data is broadly understood as "data that relates to the location of a transaction, individual or thing."

While the existing section 492.1 allows the installation of tracking devices, it doesn't refer to software, only hardware. The addition of 'computer programs' to the definition of tracking devices means authorities – after receiving a warrant based on grounds to suspect – could covertly install computer programs that are designed to report on the location of targeted persons, devices (e.g. mobile phones), or vehicles. The government is attempting to legitimize the secretive installation of govware on devices for the purpose of tracking Canadians.
He goes on to note that the same wording also applies to "transmission data," meaning the government would have permission to both track location as well as intercept content using tools like those developed by Hacking Team.

The power of surveillance malware, as deployed by government agencies, has been discussed before, but the "arms race" that pits both intelligence/law enforcement agencies and actual criminals against the general public shows no sign of slowing down. At this point, authorities hardly even need to bother seeking the assistance of third parties like Google and Apple when seeking access to data and communications. They're already deep inside.


Reader Comments

  •  
    Rich Kulawiec, Jun 24th, 2014 @ 2:45pm

    This report isn't the scary part

    (Although it is excellent work on the part of the researchers.)

    The scary part is this: do you think this is the only project involving surveillance malware?

    (If so, why? Given what we've learned in the last year, why would you think that they'd only try once?)

    If you do not think this is the only project involving surveillance malware, then you share my working hypothesis that this is just one of many such efforts.

    And if this is just one of many such efforts, then it may not be the "best" one.

    If it's not the best one, then what can that software do?

     


    •  
      John Fenderson (profile), Jun 24th, 2014 @ 3:39pm

      Re: This report isn't the scary part

      "do you think this is the only project involving surveillance malware?"

      I work for a software security research and defense company, and I can tell you that it's certainly not. There are many such projects, coming from many actors. Governments, organized crime, individuals, etc. We find such malware on a regular basis.

      "If it's not the best one, then what can that software do?"

      Probably the same as this software -- it seems to have covered all the bases. What makes some malware "better" than others isn't the payload -- once in, the software can do anything it likes, so the only limit is imagination. The thing that makes some malware "better" is how well it evades attempts to prevent it from getting in, and how well it hides from detection.

      A theoretically perfect piece of malware would be completely undetectable. Fortunately, perfection is impossible.

       


      •  
        Anonymous, Jun 24th, 2014 @ 5:11pm

        Re: Re: This report isn't the scary part

        I know of a certain DVD decryption/ripping program with a limited free trial period. After the trial period expires the program no longer functions (they then want you to cough up money to purchase it, of course). You can uninstall it, wipe out traces of it in the registry, etc., all to no avail because if you install it again it will still tell you the trial period has expired. Well, the secret is in a certain file which is hidden so well one can't find it. Fortunately, there are a couple of programs that can find and eliminate that file. Run one of those and voila! Your trial period has been reset! By doing this you can use the program for free indefinitely.

         


        •  
          Anonymous Coward, Jun 24th, 2014 @ 6:14pm

          Re: Re: Re: This report isn't the scary part

          It merely hides the fact that the trial has been run before in the registry, a place where they can name it as an encrypted file and then vaguely reference it from another part of the registry to actually make the note that it's been there. Part of the install process will go look for that hidden file notation. Get rid of that and suddenly there's no record you had a trial period.

          Many software packages use this method.

           


        •  
          John Fenderson (profile), Jun 25th, 2014 @ 8:13am

          Re: Re: Re: This report isn't the scary part

          Hiding things like that is a different thing. It's not at all sophisticated (usually, it's just a registry key with an unsuspicious name such as a GUID.) There's no active evasion involved.

           


  •  
    Jim B., Jun 24th, 2014 @ 2:50pm

    What the hell do you mean it is legal

    Has that been proven in a court of law yet? Just because a government can spy doesn't mean it is legal for them to do so. To hide behind a thin veil of national security is no way for a government to conduct itself.

     


    •  
      Anonymous Coward, Jun 24th, 2014 @ 4:58pm

      Re: What the hell do you mean it is legal

      That was my first reaction,

      "The software is fully "legal" and is used by intelligence and law enforcement agencies around the world."

      Please explain. Because if I were to deploy such a beast I would be some sort of terrorist hacker psycho subject to a massive SWAT raid using flash grenades, armored vehicles, fully automatic weapons and helicopters, with the SAC on standby.

       


    •  
      Eldakka (profile), Jun 25th, 2014 @ 12:47am

      Re: What the hell do you mean it is legal

      What the hell do you mean it is legal
      Has that been proven in a court of law yet?


      If it has not been declared illegal in a court of law then ipso facto it is legal.

      Witness all the actions of the NSA that are defended as legal because no court of law has found those activities illegal. Of course, the Government is doing its best song-and-dance act to prevent these activities from being brought before the courts, thus avoiding a finding of illegality.

       


      •  
        Anonymous Coward, Jun 25th, 2014 @ 5:15am

        Re: Re: What the hell do you mean it is legal

        I thought there was at least one case where clandestine loading of spyware on a computer that does not belong to you was deemed illegal.

         


        •  
          John Fenderson (profile), Jun 25th, 2014 @ 7:45am

          Re: Re: Re: What the hell do you mean it is legal

          It's illegal in the US for ordinary people. There are ways for LEOs and government agencies to do it legally, though. It usually (but not always) requires a court order.

          Remember, what's legal or illegal is determined by Congress. If they say it's legal, then it is.

           


    •  
      Anonymous Coward, Jun 25th, 2014 @ 7:18am

      Re: What the hell do you mean it is legal

      It's legal because it's the government and they are powerful, have no oversight, no morals, no accountability, and therefore will do whatever they want. When will people realize this and stop asking how something is legal?

       


  •  
    That One Guy (profile), Jun 24th, 2014 @ 2:55pm

    Whack-a-mole time?

    Now that they've been found out, sounds like it's time for various groups and people to figure out ways to kill off or neutralize the spy programs/code altogether, if for no other reason than to annoy the agencies paying the company to slip it into people's phones.

     


  •  
    Anonymous Anonymous Coward, Jun 24th, 2014 @ 3:16pm

    Electronic Leashes

    I have a cell phone. It is in a box over here, and the battery is in another box, way over there. Look Ma, no leash!

     


    •  
      jupiterkansas (profile), Jun 24th, 2014 @ 3:27pm

      Re: Electronic Leashes

      Giving up all the conveniences of life is no answer to overreaching government surveillance.

       


      •  
        Anonymous Anonymous Coward, Jun 24th, 2014 @ 3:32pm

        Re: Re: Electronic Leashes

        Oh, it is not just about surveillance. It is about interruption. I am doing something, and someone someplace else with no inkling as to what I am up to feels the need to interrupt me. Since I no longer work, I no longer have to bend to an outsider's desires. There are other ways to contact me.

         


        •  
          Anonymous Coward, Jun 24th, 2014 @ 6:25pm

          Re: Re: Re: Electronic Leashes

          Please consider bagging your phone as a more convenient option than removing the battery. EDEC makes excellent products for this purpose. Given the current state of affairs, I've developed the habit of only unbagging my personal phone when I'm using it.

          Sometimes I can't believe it's come to this. And all in the name of keeping us safe. Feels the opposite of safe to me.

           


          •  
            Anonymous Anonymous Coward, Jun 24th, 2014 @ 6:35pm

            Re: Re: Re: Re: Electronic Leashes

            I ran through my options; in the end it was an economic one. If I only carried the phone to place calls, and had it either battery-less or in a Faraday bag, then its utility went way down, and justifying recurring monthly charges to make a few calls per month was just ridiculous. The pay-as-you-go plan I tried once sunsetted your minutes if you did not use them within some time limit. For me, the best option was to opt out.

             


  •  
    Anonymous Coward, Jun 24th, 2014 @ 6:41pm

    Keep voting for the same shyster politicians who allow this crap. You well deserve it, suckers.

     


  •  
    Whatever (profile), Jun 25th, 2014 @ 1:43am

    This story is a perfect example of "what technology allows". It's a moral stand I learned from reading people like Mike Masnick, Rick Falkvinge, and the sainted Mr Lessig.

    Most of us carry a device with us with incredible computing power, microphones, cameras, and a near endless connection to the internet. It knows its own location, it knows where it is connected, and it probably knows about as much about you as a loved one might, maybe more. I doubt your loved ones know the type of night clubs and other establishments you visit when you are "out with friends". Because of that utility, you carry your smart phone everywhere, most people taking it into the washroom for a nice sit-down break even.

    Technology is such that adding a virus onto those devices isn't that hard. We are still in the relative infancy on these things, and much like the PC in the past, the wave of viruses, malware, and keyloggers came before the anti-virus software came to take care of most of the problems.

    Hacking Team's product is certainly morally wrong, but it is technically very possible. Just like piracy, just like "borrowing" your neighbor's semi-secured wi-fi, and just like applying a "patch" to software so it won't ask for a license, it's all possible and all done quite clearly because technology allows for it.

    Don't cry too loud when they do it, lest you sound like someone complaining about piracy or wi-fi theft.

     


    •  
      That One Guy (profile), Jun 25th, 2014 @ 2:30am

      Re:

      Oh yes, because copyright infringement and using someone's wi-fi is obviously so very similar to spyware on a phone/device that can scoop up a person's every communication and/or action involving that device. /s

       


    •  
      Anonymous Coward, Jun 25th, 2014 @ 5:24am

      Re:

      "Most of us carry a device with us with incredible computing power, microphones, cameras, and a near endless connection to the internet."
      - Exactly why I do not have a smart phone


      "you carry your smart phone everywhere"
      - nope, not even the dumb phone

      "Technology is such that adding a virus onto those devices isn't that hard"
      - But it is still illegal

      "Just like piracy,"
      - Loading spyware without permission on a computer you do not own is not just like piracy, war driving or patching software. This claim is lame at best.

      "Don't cry too loud when they do it, lest you sound like someone complaining about piracy or wi-fi theft."
      - Ok, now you just made yourself look stupid.

       


  •  
    Dan G Difino, Jun 25th, 2014 @ 6:50am

    Throw away our cell phones

    They allow, for example, for covert collection of emails, text messages, call history and address books, and they can be used to log keystrokes and obtain search history data. They can take screenshots, record audio from the phones to monitor calls or ambient conversations, hijack the phone's camera to snap pictures or piggyback on the phone's GPS system to monitor the user's location.

    That everyone is not ditching their cell phones after such a revelation is definitely indicative of how fast this world is spinning out of control.

     


    •  
      John Fenderson (profile), Jun 25th, 2014 @ 9:00am

      Re: Throw away our cell phones

      Well, if people are going to throw out their cellphones over this, they should be equally compelled to stop using landline telephones, the internet, their cars, or increasingly, going outside at all.

      Avoiding the technology isn't a solution at all, as these invasions are only going to get more intrusive. We need to fix the problem at its root.

       


      •  
        Anonymous Coward, Jun 25th, 2014 @ 10:52am

        Re: Re: Throw away our cell phones

        Can you explain, please? Normally I'd agree, but I feel like such a popular market being disrupted would send a strong message to companies and governments alike; people are not okay with anything that allows surveillance of such an intense degree.

        Progress will inevitably keep going. We may be set back a couple of years, but the tradeoff is we'd likely see products develop in a way that keeps the STASI's wet dream from becoming a reality.

         


        •  
          John Fenderson (profile), Jun 25th, 2014 @ 12:54pm

          Re: Re: Re: Throw away our cell phones

          " I feel like such a popular market being disrupted would send a strong message to companies and governments alike"

          The government couldn't care less about disrupting the market, as is evidenced by the actions of the NSA et al. The telecoms also largely don't care about it, as it's far more important to them that they keep the government happy. If the government isn't happy, they might not be able to get the licenses and contracts they need.

           


      •  
        Anonymous, Jun 25th, 2014 @ 3:42pm

        Re: Re: Throw away our cell phones

        "Avoiding the technology isn't a solution at all...".
        I'd bet that the Amish are better prepared to survive than most of us in the "modern world".

         


        •  
          Anonymous, Jun 25th, 2014 @ 3:48pm

          Re: Re: Re: Throw away our cell phones

          To clarify: "...than most of us 'modern-worlders'".

           


        •  
          John Fenderson (profile), Jun 26th, 2014 @ 10:09am

          Re: Re: Re: Throw away our cell phones

          The Amish are better prepared to survive in the Amish world, not in the modern world. Besides, the Amish don't avoid technology -- they use lots of it -- they're just very selective about which technologies they use.

          You can't build that nice furniture without technology.

           


  •  
    subvoice (profile), Jun 25th, 2014 @ 7:38am

    serious complications?

    "Turkey is a member of the North Atlantic Treaty Organization alliance. If authorities there were behind the hack attack, it would mean that a NATO ally had attempted to spy on a U.S. citizen on U.S. soil, presumably without the knowledge or approval of U.S. authorities, and for reasons that don't appear to be related to a criminal or counter-terrorism investigation."

    Thank god that the U.S. is not doing such atrocious things....

     


  •  
    TL (profile), Feb 6th, 2015 @ 7:23am

    cell phone microphone

    a disabler device is available on ebay.com ....search "cell phone microphone disabler"

     


