If you've ever wondered just how far a government entity can embed itself in your personal electronic devices (without physically taking it out of the box and implanting hardware/firmware), the answer is pretty damn far.
Newly uncovered components of a digital surveillance tool used by more than 60 governments worldwide provide a rare glimpse at the extensive ways law enforcement and intelligence agencies use the tool to surreptitiously record and steal data from mobile phones.
The modules, made by the Italian company Hacking Team, were uncovered by researchers working independently of each other at Kaspersky Lab in Russia and the Citizen Lab at the University of Toronto's Munk School of Global Affairs in Canada, who say the findings provide great insight into the tradecraft behind Hacking Team's tools...
They allow, for example, for covert collection of emails, text messages, call history and address books, and they can be used to log keystrokes and obtain search history data. They can take screenshots, record audio from the phones to monitor calls or ambient conversations, hijack the phone's camera to snap pictures or piggyback on the phone's GPS system to monitor the user's location.
Hacking Team's tool can be deployed against Android and iOS devices, along with Blackberries and Windows Phones. And that's just the phone end of the spectrum. Hacking Team also has exploits that target desktop and laptop computers.
The software is fully "legal" and is used by intelligence and law enforcement agencies around the world. Kaspersky Lab's research managed to track down the location of several servers that act as collection points for the legal malware. Finishing in the top two spots by a wide margin were the United States… and Kazakhstan. The next three? UK, Canada and Ecuador. While Kaspersky cautiously notes that it's impossible to say whether these servers are controlled locally by law enforcement agencies, etc., that would be the most probable situation.
[I]t would make sense for LEAs to put their C&Cs in their own countries in order to avoid cross-border legal problems and the seizure of servers.
Hacking Team's spyware does its own recon in order to sniff out other software that might detect it before installing and, once installed, does everything it can to remain undetected -- like sending and receiving data only while on a WiFi connection and carefully controlling use of anything that might noticeably affect battery life.
Once on a system, the iPhone module uses advanced techniques to avoid draining the phone's battery, turning on the phone's microphone, for example, only under certain conditions.
"They can just turn on the mic and record everything going on around the victim, but the battery life is limited, and the victim can notice something is wrong with the iPhone, so they use special triggers," says Costin Raiu, head of Kaspersky's Global Research and Analysis team.
One of those triggers might be when the victim's phone connects to a specific WiFi network, such as a work network, signaling the owner is in an important environment. "I can't remember having seen such advanced techniques in other mobile malware," he says.
While Hacking Team claims to only sell to NATO partners and countries that haven't been blacklisted for hosting oppressive regimes, there's some indication that its tools are still being used by governments to target dissent. Citizen Lab's research points out that Hacking Team's software has been "bundling" itself with certain versions of a legitimate Saudi news app ("Qatif Today") in order to covertly deploy its payload.
Using signatures developed as part of our ongoing research into "lawful intercept" malware developed by Hacking Team, we identified a suspicious Android installation package (APK). The file was a functional copy of the 'Qatif Today' (القطيف اليوم) news application bundled with a Hacking Team payload. Documents we have reviewed suggest that Hacking Team refers to this kind of mobile implant as an "Installation Package," where a legitimate third party application file is bundled with the implant. This kind of tactic with Android package implants has been seen in other targeted malware attacks (that do not use commercial "lawful intercept" products) including the LuckyCat campaign, and in attacks against Tibetan activists, and groups in the Uyghur community.
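The "Installation Package" tactic described above (a legitimate app re-bundled with an implant) leaves traces a defender can check for without any vendor signatures: the repackaged copy cannot carry the original developer's signing certificate, and it tends to request permissions (microphone, GPS, SMS, call log) the real app never needed. The script below is an added illustration, not Citizen Lab's or Kaspersky's tooling; it builds two constructed stand-in APKs in memory (plain-text manifest and a placeholder certificate instead of Android's binary formats) and reports what the suspect copy adds relative to the known-good one.

```python
import hashlib
import io
import zipfile

# Permissions matching the capabilities the article lists (mic, camera, GPS,
# SMS, call history, contacts); a repackaged copy of a news app should not need them.
SENSITIVE = {"RECORD_AUDIO", "CAMERA", "ACCESS_FINE_LOCATION",
             "READ_SMS", "READ_CALL_LOG", "READ_CONTACTS"}

def build_apk(cert: bytes, permissions, extra_files=()) -> bytes:
    """Constructed stand-in APK: a zip with a plain-text manifest, a dex file
    and a stand-in signer certificate (real APKs use a binary manifest)."""
    manifest = "\n".join(f"uses-permission android.permission.{p}" for p in permissions)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", manifest)
        z.writestr("classes.dex", b"dex\n035 constructed news app code")
        z.writestr("META-INF/CERT.RSA", cert)
        for name, body in extra_files:
            z.writestr(name, body)
    return buf.getvalue()

def inspect_apk(data: bytes) -> dict:
    """Extract the three things the comparison needs: signer fingerprint,
    declared permissions and the set of packaged files."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        cert = z.read("META-INF/CERT.RSA")
        manifest = z.read("AndroidManifest.xml").decode()
        perms = {line.rsplit(".", 1)[1] for line in manifest.splitlines() if line.strip()}
        return {"signer": hashlib.sha256(cert).hexdigest(),
                "permissions": perms, "files": set(z.namelist())}

def compare_apks(reference: bytes, suspect: bytes) -> list:
    """Report what a suspect copy adds relative to the known-good app."""
    ref, sus = inspect_apk(reference), inspect_apk(suspect)
    findings = []
    if ref["signer"] != sus["signer"]:
        findings.append("signer mismatch: not signed by the developer's key")
    added = sus["permissions"] - ref["permissions"]
    if added & SENSITIVE:
        findings.append("added sensitive permissions: " + ", ".join(sorted(added & SENSITIVE)))
    extra = sus["files"] - ref["files"]
    if extra:
        findings.append("extra packaged files: " + ", ".join(sorted(extra)))
    return findings

# Constructed samples: a known-good news app and a repackaged copy of it.
LEGIT_APK = build_apk(b"constructed developer cert", ["INTERNET"])
REPACKED_APK = build_apk(b"constructed unknown cert",
                         ["INTERNET", "RECORD_AUDIO", "ACCESS_FINE_LOCATION", "READ_SMS"],
                         extra_files=[("assets/payload.bin", b"constructed implant blob")])

if __name__ == "__main__":
    for finding in compare_apks(LEGIT_APK, REPACKED_APK):
        print(finding)
```

On real packages the same three checks apply, but the certificate comes from the APK signature block and the manifest must be decoded from its binary form first.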
Kim Zetter at Wired also notes that it's been used to spy on a citizen journalist group in Morocco and to target a US woman who's been a vocal critic of Turkey's Gulen movement, the latter of which could create some serious complications if true.
Turkey is a member of the North Atlantic Treaty Organization alliance. If authorities there were behind the hack attack, it would mean that a NATO ally had attempted to spy on a U.S. citizen on U.S. soil, presumably without the knowledge or approval of U.S. authorities, and for reasons that don't appear to be related to a criminal or counter-terrorism investigation.
The legal framework surrounding the deployment of government malware is shaky at best, but creative readings of existing laws and seemingly insignificant wording in proposed laws governing surveillance could easily legitimize all-access packages like this one. Christopher Parsons at Toronto's Munk School of Global Affairs points out that the addition of just a few words to Canada's proposed anti-cyberbullying legislation (Bill C-13) would effectively give the government permission to deploy this spyware against its own citizens.
[U]nder proposed sub-section 492.1(2)
"[a] justice or judge who is satisfied by information on oath that there are reasonable grounds to believe that an offence has been or will be committed under this or any other Act of Parliament and that tracking an individual's movement by identifying the location of a thing that is usually carried or worn by the individual will assist in the investigation of the offence may issue a warrant authorizing a peace officer or a public officer to obtain that tracking data by means of a tracking device."
Tracking devices are defined as "a device, including a computer program within the meaning of subsection 342.1(2), that may be used to obtain or record tracking data or to transmit it by a means of telecommunication", and tracking data is broadly understood as "data that relates to the location of a transaction, individual or thing."
While the existing section 492.1 allows the installation of tracking devices, it doesn't refer to software, only hardware. The addition of 'computer programs' to the definitions of tracking devices means authorities – after receiving a warrant based on grounds to suspect – could covertly install computer programs that are designed to report on the location of targeted persons, devices (e.g. mobile phones), or vehicles. The government is attempting to legitimize the secretive installation of govware on devices for the purpose of tracking Canadians.
He goes on to note that the same wording also applies to "transmission data," meaning the government would have permission to both track location as well as intercept content using tools like those developed by Hacking Team.
The power of surveillance malware, as deployed by government agencies, has been discussed before, but the "arms race" that pits both intelligence/law enforcement agencies and actual criminals against the general public shows no sign of slowing down. At this point, authorities hardly even need to bother seeking the assistance of third parties like Google and Apple when seeking access to data and communications. They're already deep inside.