More on Hacking Team's Government Spying Software

Hacking Team is an Italian malware company that sells exploit tools to governments. Both Kaspersky Lab and Citizen Lab have published detailed reports on its capabilities against Android, iOS, Windows Mobile, and BlackBerry smartphones.

They allow, for example, for covert collection of emails, text messages, call history and address books, and they can be used to log keystrokes and obtain search history data. They can take screenshots, record audio from the phones to monitor calls or ambient conversations, hijack the phone's camera to snap pictures or piggyback on the phone's GPS system to monitor the user's location. The Android version can also enable the phone's Wi-Fi function to siphon data from the phone wirelessly instead of using the cell network to transmit it. The latter would incur data charges and raise the phone owner's suspicion.

[...]

Once on a system, the iPhone module uses advanced techniques to avoid draining the phone's battery, turning on the phone's microphone, for example, only under certain conditions.

"They can just turn on the mic and record everything going on around the victim, but the battery life is limited, and the victim can notice something is wrong with the iPhone, so they use special triggers," says Costin Raiu, head of Kaspersky's Global Research and Analysis team.

One of those triggers might be when the victim's phone connects to a specific WiFi network, such as a work network, signaling the owner is in an important environment. "I can't remember having seen such advanced techniques in other mobile malware," he says.

Hacking Team's mobile tools also have a "crisis" module that kicks in when they sense the presence of certain detection activities occurring on a device, such as packet sniffing, and then pause the spyware's activity to avoid detection. There is also a "wipe" function to erase the tool from infected systems.

Hacking Team claims to sell its tools only to ethical governments, but Citizen Lab has found evidence of their use in Saudi Arabia. It can't be certain the Saudi government is a customer, but there's good circumstantial evidence. In general, circumstantial evidence is all we have. Citizen Lab has found Hacking Team servers in many countries, but it's a perfectly reasonable strategy for Country A to locate its servers in Country B.

And remember, this is just one example of government spyware. Assume that the NSA -- as well as the governments of China, Russia, and a handful of other countries -- have their own systems that are at least as powerful.

Posted on June 26, 2014 at 6:37 AM • 37 Comments

Comments

Philip • June 26, 2014 7:25 AM

A big limitation of the iOS exploit, from Kaspersky: "The iOS module works only on jailbroken devices." This severely restricts the pool of possible iOS devices to exploit and suggests a way to help impede such malware, namely don't jailbreak your iOS device.

NotFred • June 26, 2014 7:49 AM

@Philip:
Followed almost immediately by an exploit that will automatically jailbreak your iOS device when it's next plugged in to your computer with the Evasi0n toolkit. And so the cycle of security continues.

x11794A • June 26, 2014 9:41 AM

What "ethical" governments would want to buy zero days and exploits? (Other than potentially to get the holes fixed.)

ATN • June 26, 2014 9:49 AM

Is there an app to manage all that malware from all those companies, so that you can at least upgrade to the latest version when some incompatibility happens between (for instance) the Italian malware and the NSA malware - and get your mobile phone working again?
In the same vein, how much Internet communication slowdown is imposed by all these listening devices all over the world?

Simon • June 26, 2014 11:25 AM

These exploits would never work on my iPhone because I use Sprint. I'm lucky if I can get designed features to function. Text message? Good luck, they might get it, they might not. Maybe two days later. "Find Friends" app? Yeah, it'll just timeout...unable to locate. Incoming? Maybe it'll ring, maybe you'll find out an hour later they tried to call. Camera? Nice, just don't try and send anything over 10KB. So, these exploits sound like they can do all this stuff, but not on my phone.

Rufo guerreschi • June 26, 2014 11:30 AM

The key question nobody is asking is what is the cost per target per day to perform such continuous surveillance beyond point of decryption? If that is very low, can they do it for hundreds of thousands or millions of valuable targets continuously?

Does that make all protections we are using today useless? Shouldn't we then build completely verifiable and extremely verified devices, albeit extremely low featured, which can complement our other hopeless devices with at treat a space of freedom?!

User Verified Social Telematics

Clive Robinson • June 26, 2014 11:32 AM

There are two behaviours reported that are of interest and one would enable you to detect the malware without putting any sniffing or other software on the phone...

But firstly the crisis mode, knowing all about that would enable you to trigger it and thus limit the abilities of the spyware... then perhaps use the wipe mode to clear it off.

But of interest is the enabling and use of the WiFi, that's a silly thing to do. It's not that difficult to disable the WiFi such that it's not normally usable by other software, you can get fairly cheaply WiFi detectors that take very little modification to alarm on WiFi signals above a certain signal strength. Likewise as I've mentioned many times it's fairly easy to make an AM or envelope detector that will produce a burbling noise in the presence of any envelope modulated signal in the UHF/low microwave bands such that transmission by GSM or WiFi will give an audible signal which would fairly quickly give warning of strange or unexpected behaviour.

Bob S. • June 26, 2014 12:17 PM

According to The Register :

"Snowden warned the council's committee on legal affairs and human rights - which had asked him to express his views on improving protection of whistleblowers - that "intelligence services are operating mass surveillance around the world, without oversight".

That's a developing revelation in my opinion: Governments all over the world have adopted a general warrant policy to collect, seize, search, collate and act on the entire body of electronic data in the entire world, cooperatively in many cases for political purposes, criminal investigations and corporate espionage.

That's problematical because the law and constitutions of those countries seriously frown on that kind of dragnet surveillance. Indeed it might be described as cyber warfare.

The tool described here fits in nicely with the wide open skullduggery suggested by Snowden. I would like to think talented technology people are working hard at fighting back with defensive weaponry. The best offense is a good defense.

(ps: As far as this tool goes, would it a crime to let people know how to find and fix the exploit?)

Clive Robinson • June 26, 2014 12:46 PM

@ Simon,

Maybe your phone is so bad because "these exploits" and others are already on board...

@ Rufo,

I suspect the backend cost is very variable.

Look at it this way, the likes of the Five Eyes and other nations are already set up with the backend capabilities so the extra cost for them would be minimal. But a country like say Burkina Faso run by the less than fragrant Blaise Compaore with his "Fire starter" ways and with the UN rating them 183rd out of 187 for "Human Development" won't natively have the backend systems so would either have to buy in with very limited economic means or employ trusted humans, the number of which would be limited economically. But you also have the likes of Saudi who might not have the technical skill but have sufficient spare money that funding a proxy war by ISIS in more than one nation is not a major budget issue, they could easily afford the backend to cover their whole population if someone was daft enough to sell it to them...

Alex • June 26, 2014 4:08 PM

Just wondering....is software like this really necessary? I was under the impression that such vulnerabilities / capabilities were already on the phones either embedded in the OS or by carrier via CarrierIQ or similar.

65535 • June 26, 2014 7:56 PM

This is a very sophisticated [documented] bug. But, one poster at Arstechnica claims that this malware is only specific to Samsung Galaxy S3 or Samsung’s Exynos chip-set. I don’t know if this is correct. But, since its been documented and leaked to the public it makes some sense.

[Comment]

“According to your link Dan, this affects only the Samsung Galaxy S3 or anything with Samsung's Exynos chipset. It isn't an Android root exploit in general. It's already been patched a year ago.” - sprockkets

http://arstechnica.com/security/2014/06/how-governments-devise-custom-implants-to-bug-smartphones/?comments=1&post=27099723#comment-27099723

But, after reading about the various modules and routes of infection I believe this type of exploit is still being used on Smartphones.

There was a huge amount of work that went into this malware kit and that kit could be ported to other smartphones. I think we are seeing documentation of a deprecated surveillance package that may have been updated and ported to other smartphones (but that is only a guess).

Wael • June 27, 2014 1:13 AM

Why do they call it malware? They should call it governmentware! Nice video!... The more powerful the smartphone becomes, the more backdoors it can support. Like I said before, one needs an attack forest to describe possible attacks on a smart phone. While the owner of the device is given a "perception" of control, Google, Apple, Carrier, Chip manufacturer, third parties, and other entities have total control of the phone -- the phone will accept all kinds of updates such as FOTA, and it's friends. Reinforces my assessment that a consumer is not in a position to "secure" the device.

Clive Robinson • June 27, 2014 5:36 AM

@ Wael,

What you've said about smart phone security and ownership, I've said about laptops, netbooks etc.

Now of course we have pads that like the "fusion food" equivalent, the consumer sees it as being a melding of the best bits, and thus showing them as showing distinction&taste. Whilst the maker sees it as a way to use cheap parts nobody would otherwise touch, thus in effect profiting mightily from the contempt they feel for the consumer...

With such a difference of viewpoints you have worse than "mutton dressed as lamb", you have in effect the deluded Emperor and the chancer faux tailors. Thus security in reality is not a consideration by either party, until some child in the crowd shouts as the Emperor passes "hey mister is that your 455 hanging out?" by which time all that we hold dear would have been put out to the public gaze and criticism.

This state of affairs will only get worse with "smart metering", "Internet of Things" and worse yet "Smart Implants" gripping our vitals...

We will be like Greek babies of old smothered in fat and left overnight on the hills out of town at the mercy of the wolves. But not for us the one night test for citizenship, no, we will be the goat tethered unknowingly, by those we neither know nor control, all night every night until we meet our assigned fate.

Winter • June 27, 2014 11:48 AM

@Clive Robinson
"We will be like Greek babies of old smothered in fat and left over night on the hills out of town at the mercy of the wolves"

The Spartans did not need the NSA to terrorize the Helots. Nor did the Romans need mobile phones to keep their hordes of slaves in check. The reason Orwell's dystopia did not materialize was not a lack of technology. It did not materialize because we did not let it happen.

The current problems are not technical, but political. People are surveilled because they let themselves be surveilled. People are fooled over "terrorism" and "online predators" because they want the xenophobia and witch hunts. Islamic terrorism is the excuse to expel all those of foreign blood (as the last EU elections showed).

The problems are not smart meters but the fact that the public does not demand the heads of those who would abuse it.

Nick P • June 27, 2014 12:00 PM

@ Winter

That's exactly what I've been preaching here. That's also the reason I have a dim outlook of the future. Relying on the wisdom of the crowds to prevail against such sophisticated oppressors is a loose-loose proposition. Probably.

Wael • June 27, 2014 12:22 PM

@Nick P, @Clive Robinson, @Winter

You are “preaching to the Choir”! You are aware of that, right?

loose-loose...
More likely: lose-lose? Even more likely is: loose-lose (applied to the same entity). You become lax, you loose 

@Winter

The current problems are not technical, but political.
Agreed. "Politics" trump "technical solutions". But to be fair, the majority of the problems are political, some of them are technical.

DB • June 27, 2014 2:35 PM

@ Wael

The problem is, "all I can do" is very little politically... that doesn't mean "don't do it"... definitely do what you can!!! it just means I'm not holding my breath... But, myself being a technical person rather than a political one, I CAN do more technical stuff... Frankly I believe the strongest/best solution overall is to go after it with everything you've got both politically AND technically, as well as socially and educationally every other way too....

Wiltor • June 27, 2014 2:59 PM

It's both. How do all of you know that implementing new laws etc will work?
The spooks work hard to circumvent the current laws. They might work as hard to get around the new ones. Thus IMO we need both technical and political solutions.

{ However, the spooks tangle with tech too. Hard battle will it be. }

Jay • June 27, 2014 4:53 PM

Well Android has made it much easier for ALL governments to spy on citizens.
Remember that Android backs up your WiFi passwords so when big G wants into your network, all they have to do is ask Google.

Wael • June 27, 2014 6:22 PM

You become lax, you loose
I screwed up too! Should've been "lose", instead!

Clive Robinson • June 27, 2014 6:45 PM

@ Wael,

There was me thinking you'd gone all medical on us ;-)

After all, if you are lax due to fear/medication/illness you tend to be asked "Are you a bit loose?" or the doctor might say of you to a nurse "Check his fluids regularly, he's a bit loose currently".

Wael • June 28, 2014 12:05 AM

@Clive Robinson,

gone all medical on us ;-)
Oh, no. I'm not that clever, was a mistake. Although I am coming down with a cold that normally kicks my butt for a couple of weeks... When I am sick, I get to sleep well :) one thing I noticed, which I'll share with you: it seems corn has an ingredient that fights cold. If I catch the cold symptoms early, I eat three or four boiled corn cobs -- the yellow kind (I eat the corn, not the cob), what you would call "sweet corn". Same thing next day, and the cold disappears. Kinda makes sense, the indigenous Americans never knew cold, and corn was a major component in their diet. Just a theory that works for me... Or it could be the combination of the salt and hot water, an ingredient in the "chicken soup" common recommendation. But I still think corn has something...

Figureitout • June 28, 2014 1:11 AM

Wael
--You should just focus on sleep; I've gotten sick immediately after periods of little to no sleep. I've never heard anything about corn helping with a cold, that would be interesting. Who knows, the world and its ingredients are freaky enough that it may just help some people like you...

Wael • June 28, 2014 1:50 AM

@Figureitout,

You should just focus on sleep
I am trying to count the goats (or is it sheep?), but @Mike the goat is not helping me. If he posts more stuff, I'll probably go to sleep faster :) And yes, lack of sleep is detrimental, I know that first hand! Brain cells regenerate during sleep, so I am told. Right now, I have 5 neurons left -- one for each line of a limerick :)

Secret Police • June 28, 2014 8:15 PM

The Android version of this state spyware requires that you physically install it. It's being proliferated online by Twitter links to phony news apps that don't use the Playstore and instead provide a shortened link to a dropbox account. To gain root it uses a known exploit (CVE-2012-6422) that permits a user without permissions to write to a compromised device’s physical memory. Doesn't affect Android 4.4+ (KitKat) which patched this vuln but only 13% of all Android users are using Kitkat.

The first thing it does is kill the vol daemon, as that will automatically detect and mount storage devices, letting the user know something is happening. Then it will remount the system read/write, and clone itself to /system/bin/rilcap with permissions 04755 to act as persistent root regardless of whether you have SU installed or not.

To avoid this shady spyware don't install APKs posted by some random guy on Twitter; use the Play Store and review the permissions, as the "Hacking Team's" APK wants r/w access to everything. Also check out CyanogenMod if it's compatible with your phone, then you get security updates instead of relying on your carrier to provide them, which they never do.
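The comment above names two on-device artifacts a defender can look for: /system remounted read/write, and a setuid-root binary planted at /system/bin/rilcap with mode 04755. The script below is an added example (not code from the post, the commenter, or Hacking Team) that checks both against an extracted copy of a device's /system tree and a saved copy of its /proc/mounts; the directory layout, the device name in the mounts line, and the sample files are constructed here so it runs offline. It also lists every setuid binary under bin/ and xbin/, since a planted binary can sit under any name.

```shell
#!/bin/sh
# Added example, not part of the post. Offline checks for the indicators
# described in the comment above: /system mounted rw, and a setuid-root
# binary at /system/bin/rilcap. Assumes a directory that mirrors a device's
# /system (for example from `adb pull /system`) and a saved /proc/mounts.

# Print the first mount option ("rw" or "ro") of the /system entry in a
# /proc/mounts-style file, or "absent" if /system is not listed.
# In /proc/mounts the fields are: device mountpoint fstype options dump pass,
# and the options list always begins with rw or ro.
system_mount_mode() {
    awk '$2 == "/system" { split($4, o, ","); print o[1]; found = 1 }
         END { if (!found) print "absent" }' "$1"
}

# List regular files with the setuid bit (04000) under bin/ and xbin/ of an
# extracted /system tree. A stock image should show none or very few.
list_setuid_binaries() {
    find "$1/bin" "$1/xbin" -type f -perm -4000 2>/dev/null | sort
}

# Print the rilcap path if it exists in the tree, otherwise print nothing.
rilcap_present() {
    if [ -e "$1/bin/rilcap" ]; then
        echo "$1/bin/rilcap"
    fi
    return 0
}

# Build a constructed sample: a tree with one clean binary, the planted
# rilcap (04755 as described above), a rooted-device su, and a mounts file
# showing /system mounted rw. The device path is made up for the example.
make_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/system/bin" "$dir/system/xbin"
    : > "$dir/system/bin/ls";     chmod 0755 "$dir/system/bin/ls"
    : > "$dir/system/bin/rilcap"; chmod 4755 "$dir/system/bin/rilcap"
    : > "$dir/system/xbin/su";    chmod 4755 "$dir/system/xbin/su"
    printf '%s\n' \
        'rootfs / rootfs ro,relatime 0 0' \
        '/dev/block/sample_system /system ext4 rw,seclabel,relatime 0 0' \
        > "$dir/mounts"
    echo "$dir"
}

# Run all checks against a sample directory and print one line per finding.
audit() {
    root="$1/system"
    echo "/system mount: $(system_mount_mode "$1/mounts")"
    for f in $(list_setuid_binaries "$root"); do
        echo "setuid: $f"
    done
    if [ -n "$(rilcap_present "$root")" ]; then
        echo "rilcap: present at $root/bin/rilcap"
    fi
}

sample=$(make_sample)
audit "$sample"
rm -rf "$sample"
```

On a real device the same three checks map to `cat /proc/mounts`, `find /system/bin /system/xbin -perm -4000` and `ls -l /system/bin/rilcap` from an adb shell; the point of the offline form is that it can be run against a pulled image without trusting the possibly compromised device to report on itself.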


Nick P • June 29, 2014 9:47 AM

@ Jarda

I'd start with countries whose surveyed residents say they're quite happy with their government. Usually a good sign. I'd also focus on small governments, like cities, whose politicians are physically close to those they govern. There's been quite a few exemplary ones in terms of govt working for its people.

So, unlike some suggest, ethical governments exist in many places. They're just not the majority. And given American apathy, I'm not going to blame the governments for an unchallenged stream of unethical activity. They could be put in check any time if people only have the will.

Craig McQueen • June 29, 2014 7:16 PM

@Jarda said:

Now, could someone give me an example of an "ethical government"?

How about the president of Uruguay. He seems like a decent bloke.

David Carter Brown • July 3, 2014 1:25 PM

Variants of this technology are being deployed without justification or reasonable grounds. It targets your work computers, it targets your phones, it targets literally everything you including social media which runs on a standard operating system.

Political con artistry is being perpetuated against normal people who have nothing to do with any manner of political agenda. It changes the words you type, it slows down your communication speed, it interrupts every technological interaction in which you participate.

It is persistent, belligerent, and should be illegal to such a degree that the people using it on regular citizens should be thrown into jail for felonies of-to and including: Racketeering, Aggrandizement, Impostering, etc.

Ignore me or not. I am telling you the whole truth and nothing but the truth here. The Grynchbaum family or some related political entity has been targeting me for in excess of 18 months. I am being lied to, my job(s) have been repeatedly threatened, and all of this - mind you - is wholly and completely without Evidence, Grounds, or actual crimes committed.

I suspect the NSA is guilty in ways which we do not even fully understand yet.

TIM • July 4, 2014 7:11 AM

Actually I play "Watch Dogs" on my PS3 and think that it is extremely near to reality ... ok, hacking devices only by using a camera should be discussed, but the rest seems to be realistic with the big data collection about everybody.

What do you think, how closely does this game match today's reality?
