Brazilian Cell Phone Hack

I know there's a lot of politics associated with this story, but concentrate on the cybersecurity aspect for a moment. The cell phones of a thousand Brazilians, including senior government officials, were hacked -- seemingly by actors much less sophisticated than rival governments.

Brazil's federal police arrested four people for allegedly hacking 1,000 cellphones belonging to various government officials, including that of President Jair Bolsonaro.

Police detective João Vianey Xavier Filho said the group hacked into the messaging apps of around 1,000 different cellphone numbers, but provided little additional information at a news conference in Brasilia on Wednesday. Cellphones used by Bolsonaro were among those attacked by the group, the justice ministry said in a statement on Thursday, adding that the president was informed of the security breach.

[...]

In the court order determining the arrest of the four suspects, Judge Vallisney de Souza Oliveira wrote that the hackers had accessed Moro's Telegram messaging app, along with those of two judges and two federal police officers.

When I say that smartphone security equals national security, this is the kind of thing I am talking about.

Posted on August 7, 2019 at 10:48 AM • 23 Comments

Comments

Sofakinbd • August 7, 2019 11:03 AM

Bruce,

Typo, you have:
The cell phones of a thousand Brazilians, including senior government officials, was hacked

You mean "were" hacked, singular vs. plural.

- Sofa

Brian Fett • August 7, 2019 12:41 PM

But, its not like we are talking about nuclear launch codes or anything...

*tongue firmly in cheek*

Bill • August 7, 2019 1:11 PM

@Brian Fett

I don't trust SMS for two factor authentication. I use Google Authenticator as 2FA to safeguard my nuclear launch codes.

Clive Robinson • August 7, 2019 1:20 PM

@ Bruce,

    When I say that smartphone security equals national security, this is the kind of thing I am talking about.

But do you say "smartphone security is nonexistent" as well?

Have we learned nothing from the Greek Olympics?


@ ALL,

Speaking of device insecurity, that "Xmas gift that keeps giving" has given/spawned again...

@Callmelate... Got in first on the squid page with it, so a hat tip in his direction. You can read more at,

https://www.infosecurity-magazine.com/news/new-intel-swapgs-flaw-spells-bad/

Again this attack is technically below the CPU level in the computing stack, so there is not really anything the layers at the ISA layer or above such as software can do to properly solve the problem, just another dirty, ineffective, inefficient hack...

Due to forty odd years of intense marketing "Specmanship" anything much above a 16bit Microcontroller these days is going to have these low level problems over and over, again and again ad nauseam :-(

Just remember as I've said for years and years there is a trade to be made in all cases thus we have "Efficiency-v-Security" as a basic rule of thumb. It is possible to try to design secure and moderately efficient systems, but the chances are you will fail and fail badly. Because "efficiency" means "greater bandwidth" which means "more usable side channels" and other issues. As we are only just starting in trying to eliminate time based side channels we are not really paying attention to other types of side channels...

The short and the long of it is, your only solution to this, that has any hope of working, is to move your security endpoint off of your communications end point device. To do this with consumer devices really means one device for your communications end point and a second device isolated by an energy gap. Anything less is just not going to work to keep your privacy.

Bill • August 7, 2019 2:20 PM

@Clive

I would have thought the smiley unnecessary.

And that's one of my favorite Tom Lehrer songs!

David H • August 7, 2019 3:32 PM

Doesn't Telegram use homebrew crypto algorithms instead of established standards, or am I thinking of another phone messaging app?

Lomax • August 7, 2019 4:37 PM

Brazilian commenter here.

I mentioned this story a few weeks ago in a squid thread, but it turned out to be even worse than I knew at the time. (Not much had been officially revealed by the investigators at the time.) As in, it was even wider than I knew back then, not just because they made plenty more victims in the government but because it included the Brazilian president himself.

As far as sophistication the attack was low-level, which isn't really a surprise. Brazil's tech level is far from state-of-the-art and our politicians never pushed for a tech level beyond what is 3rd-world consumer-grade equipment. They never understood any of it to give it much attention (which thankfully means we're pretty far behind on the "worldwide constant state-mandated surveillance" regime.) But I digress.

Bear in mind I can't say all the attacks were using the same methods, but what has been revealed is based on the investigation of the hack of Justice minister Sergio Moro's phone. According to his account, one afternoon he noticed his phone was ringing and the calling number was his own. After that several messages were sent during the following six hours from his account that he didn't recognize. He cancelled that phone line that night.
The attackers just requested a new Telegram access code and then used a VoIP service to both flood Moro's phone in order to redirect Telegram's call to the voicemail. Phone companies aren't exactly heavy on voicemail security given that's not a feature many users bother with and the attackers had no trouble reaching Moro's.

But the attackers had plenty of faults which brought upon their demise. It wasn't just the hubris of sending messages pretending to be the victim or the blatant stupidity of making the fateful phone calls during a time when a victim who commands the police force would have a high chance of noticing it; their leader carelessly left a trail that led the police to his doorstep, including a call to the VoIP company after his account was suspended for "suspicious activity". He didn't even use a VPN in the computer he logged into Telegram from!

So, the tech security side of the story isn't really big. This is just your regular lame swindler performing a regular spoofing and the police techs reading call logs and IP numbers. The irksome part is a) the fact that the victims are the highest authorities in the country and b) the whole political aspect, which I unfortunately have to touch upon now.

The group was found with a big amount of cash that doesn't even come close to matching their combined earnings, but they couldn't explain where the money came from. Meanwhile, Glenn Greenwald has been releasing copies of embarrassing messages supposedly extracted from the phone of Operation Car Wash's Federal Attorney Deltan Dallagnol and other Justice members. Assuming they are true, that is very good news for former president Lula and the left-aligned parties who are the opposition to the right-aligned current president. So there is strong suspicion that someone paid the group to hack authorities in order to find things they could use to invalidate Lula's sentence or at least influence the outcome of future elections towards the left.

We're yet to see how things go but no matter what comes up or who wins it will leave a sour taste in the mouth of the population. As always.

tfb • August 7, 2019 5:08 PM

Is this the point where we finally get to stop talking about 'state actors' as if they were some special magic superpeople? 'State actors' are staffed by people who couldn't get jobs at Googlebook, where they'd get paid a lot better. These are the people who weren't smart enough to invent some scam that would make their hedge fund rich. And, oh look, it turns out that 'actors much less [erm, more] sophisticated than rival governments' did this. Who could have guessed?

Denis • August 7, 2019 8:06 PM

@tfb Don't be so dismissive. Some people (not you, clearly) are motivated not by money but by their dedication to their country/government. Not to mention that visa/work permit regimes mean some people have a pretty low chance of landing a job at a leading tech company.

Dom • August 8, 2019 1:53 AM

@Denis,

The so-called "state actors" is an umbrella term covering many aspects. The essence is that these "actors" operate above the law as established in their given state of jurisdiction because a state does not punish itself nor each other. Thus, when we read that a "state actor" did this or did that, it often means the act goes unpunished. If we read that acts were perpetrated by non-state actors, that just means authorities have the moral superiority or punishment isn't "out of reach."


Rachel • August 8, 2019 2:06 AM

David H
    Doesn't Telegram use homebrew crypto algorithms instead of established standards, or am I thinking of another phone messaging app?

Yes. You may be thinking of Moxie Marlinspike who challenged the designers of Telegram on all the many inherent vulnerabilities, and offered to help them.

https://hackerfall.com/story/a-crypto-challenge-for-the-telegram-developers-1

I can't find the original blog posts on moxie.org but there's some technical detail at the above link. A salient point is Telegram requires trust.

Rachel • August 8, 2019 2:09 AM

Lomax
Thank you for your informed contribution.

    They never understood any of it to give it much attention (which thankfully means we're pretty far behind on the "worldwide constant state-mandated surveillance" regime.)

Sounds like Glenn Greenwald is probably a few chess moves ahead, for his own protection, then

Rachel • August 8, 2019 2:15 AM

Lomax

a) why did such high ranking officials all choose Telegram as their messenger app of choice

b) Did the attackers thus have prior knowledge of a) - I'm not familiar with how Telegram works, but it's harder to attack someone's messenger app without knowing which one they use, if any

Petre Peter • August 8, 2019 7:11 AM

They 'never dealt with sensitive or national security issues through cell phone'. I am guessing that's referring only to their telephone app on their smart phone.

Lomax • August 8, 2019 8:00 AM

@Rachel

    a) why did such high ranking officials all choose Telegram as their messenger app of choice

About your first question, I guess the answer is exactly because our politicians know too little about anything tech and never had the epiphany of asking tech people to advise them.

I'm certain other countries' politicians aren't any better but some of them at least realized that the field can be important and tech-oriented people "might" know more about it than them. For example I'd say USA learned this during WW2 when mathematicians were vital in breaking german communications.


    b) Did the attackers thus have prior knowledge of a) - I'm not familiar with how Telegram works, but it's harder to attack someone's messenger app without knowing which one they use, if any

According to the leader's deposition, he started by hacking into the Telegram of the state prosecutor that acted on a case against him a couple years ago. This man has a fairly decent criminal record, with some absolutions and some jail time for swindling which I forgot to expand upon in my previous message. Anyway, after he entered this prosecutor's Telegram he started gathering more victims through their contact list and soon he got someone who was in a group of federal prosecutors.

Apparently he found all the embarrassing material before getting in touch with one of the leaders of the main Brazilian left party to sell them (or as he claims it, to deliver them for free). This politician Manuela D'avila admitted putting him in touch with Glenn Greenwald. He claimed to have found her number before in some other politician's contact list.

So it seems he stumbled upon something he could sell for a lot of money when aimlessly invading authorities' Telegrams rather than being paid to direct his efforts towards said authorities.

Patriot • August 8, 2019 10:46 AM

Beating a dead horse:

If the end points are not secure, it is not really end-to-end.

I am no longer surprised when I read articles about how encryption is bypassed: "Police had access to their Telegram messages...blah, blah..."

Who? • August 10, 2019 8:37 AM

@ tfb

Some of the smartest and most honest people I know work for the United States government. Okay, they don't have the highest incomes in the world but the reason is simple: they are not motivated by money.

It is sad when someone's life is only motivated by money, don't you agree with me?

joergen • August 13, 2019 9:15 PM

@Patriot
    If the end points are not secure, it is not really end-to-end.
    I am no longer surprised when I read articles about how encryption is bypassed: "Police had access to their Telegram messages...blah, blah..."


Also when it comes to these sorts of services, the endpoints could well be "cryptographically secure" but if the data is decrypted in the middle where it enters some central hub where you have folks entertaining themselves with other people's messages...

Wael • August 14, 2019 12:29 AM

@Clive Robinson,

    Because "efficiency" means "greater bandwidth"…

Perhaps true in the current context, but generally speaking, efficiency has broader meanings: it could also mean power consumption efficiency, for one.

    your only solution to this, that has any hope of working, is to move your security endpoint off of your communications end point device

That's one solution. It's a manifestation of "Separation of Duties" and "Segregation of Roles"[1]. Also from our C-v-P discussions, it's about putting sensitive components of the system under complete and exclusive control by the owner. Our awareness tells us: systems are full of holes: known holes, unknown holes, intentional back and front doors (and windows, and chimneys too,) screw-ups, … and that's the "happy story"; the reality is not only do you have "back doors" and such: you have missing walls, chief! How much would a backdoor weaken a house that's missing a couple of walls?

So just take the computing element and wrap it in some aluminum foil or put it in a heavy-gauge pressure cooker for maximum security.

The end goal is to shrink the Attack Surface to a "Protocol only" surface[2] -- that's the maximum achievable theoretical limit over a hostile communication link, I claim. It's kind of like trimming and pruning the attack rain forest[3] of a mobile device to an attack tree with one wilted branch - a Bonsai attack tree. Lol

[1] Anyone knows the difference? ;)
[2] Perhaps it's just an "Attack Line" in this case -- a one-dimensional target. And that's assuming the protocols haven't been weakened at the specification levels, or implementation, or...
[3] It keeps on growing, and giving

Wael • August 14, 2019 12:49 AM

Seems I got rusty; words have betrayed me again:

    attack tree with one wilted branch

More precisely:

    attack tree with a single branch; a branch that happens to be wilted.

Clive Robinson • August 14, 2019 5:57 AM

@ Wael,

    efficiency has broader meanings: it could also mean power consumption efficiency, for one.

Which also means greater bandwidth.

Part of being a more efficient power supply is the ability to follow as closely as possible the changes in the load. Which means as short a time duration as possible, and as f=1/t the smaller the interval of time the higher the frequency, thus bandwidth.

So much so in fact with some modern computer power supplies it is possible to see key presses in the power supply loop control. An aspect of security many don't think about. Likewise some large flat panel displays used for televisions etc, you can see in the mains input to a house, sufficient information to identify the program or video being watched...

Anything that has an effect on the time domain has an effect on the frequency domain and thus the bandwidth of some part of the system.

    ... the reality is not only do you have "back doors" and such: you have missing walls, chief! How much would a backdoor weaken a house that's missing a couple of walls?

That depends on the person who designed the house, but in a fiscally dependent market where costs have to be ruthlessly reduced, the wolf would not have to even huff or puff, just wave a paw as the cards fall down.

And in essence that is the first and currently perhaps the most significant problem...

Whilst it is entirely possible to do "smart cost reduction"[1] you usually need an external driver such as regulation / legislation to make it happen.

Without doubt the telecommunications sector is in a mess, it's been in one type of free fall after another since the 1980's. Thus mobile phones are in a similar mess as cars were in the 1950-70s. But worse, software generally does not have a significant physical aspect on the manufacture of a phone. You would be hard pressed to tell the difference in weight between one type of storage chip and another with the same form factor and pin out but twice or four times the storage capacity. Likewise the price is actually not that much different after a short period of time, with older parts actually getting more expensive. Similar applies to CPU and other chips.

Which means product differentiation falls on the marketing execs... Which currently boils down to how much functionality can be shoveled in, in the time it takes to get a mobile to market. Thus quantity is high, quality is low, and interaction and complexity sky rocket, none of which is good for stability let alone security. Hence you could say under your building theme that mobile phones are a wooden house with a fatal termite problem, just waiting for kids to hurt themselves when exploring.

But worse, due to the likes of Google and Co there is the idea of "collect it all" allied with "process it all" to be "sold to all". That is they have created a market in "data theft". It does not matter if they call it a "test harness", a "support system", "product improvement" or any other name such as "telemetry", its purpose is to spy on the user and what they do for the product producers' profit.

Which brings us onto the notion of "segregation" which you delightfully describe with,

    So just take the computing element and wrap it in some aluminum foil or put it in a heavy-gauge pressure cooker for maximum security.

Whilst that works as people have demonstrated, the problem is that both mobile phones and computers are of little benefit without communications. And in the modern consumer world that's "flick with the finger over the screen maximum effort" otherwise Jo Average won't use it...

Which is the second problem, way too many communications paths, protocols and interaction between them (all in the name of convenience).

As I've pointed out in the past communications paths need to be "mandated choke points" where security can be applied fairly ruthlessly. In the process they break down the over all complexity and interaction and make effective auditing possible.

In non consumer equipment where security actually gets mentioned on the pre-product specification features list, segregation is a key tool in the designer's box. However it has significant costs when the product is designed because you have to "double up" at the very least on core components for each segregated sub component. Which obviously has a knock on effect in terms not just of cost but physical real estate and power consumption. Whilst a military back pack comms-set might have bomb proof security it's neither light nor convenient and has very limited functionality.

Which brings us back to convenience again: most people want something convenient and discreet with long battery life with upgrades every year or so. It all flies in the face of security, so I can not see security getting into consumer communications and computing products without legislation. Currently neither politicians nor large corporates who lobby and bribe politicians want consumers to have any kind of privacy, so unless public outcry gets to a point where politicos have to act then it's not going to happen. Worse, as we have seen with the work of Diane the Fink, politicians will talk loud and long making the right soothing noises, come up with a bill title that is pure PR, then put hooks in the initial drafts such that at the last minute additions can be made that have the exact opposite effect of what the consumers want...

Thus currently privacy is only going to happen for those that accept the fact that they will need to learn quite a lot that few are prepared to teach. Such as new apparently antisocial behaviours (OpSec etc) and apparently arcane techniques (shielding etc) and methods (codes and ciphers). But more importantly ensure that those they communicate with do likewise.

And this is a problem in that those that practice the mechanics of privacy will be different, and any differences in individuals will by basic human instinct be treated in tribalistic ways[2]. Especially by outsiders with power who will cry "Conspiracy to commit..." etc.

[1] The example I usually quote is the vehicle industry. As a lemon market they were spiraling downwards and following the rule of "Rob Peter to pay Paul" money got spent on marketing whims not engineering advancement. However a few too many deaths and, as with the Victorians and exploding boilers, public outcry said something had to be done about it. The result was legislation that actually changed the cost metric of vehicle design and very probably actually saved US vehicle manufacturing for several years. Unfortunately legislation can also work the other way as the glut of Sports Utility Vehicles shows.

[2] A classic example of the "tyranny of tribalism" is "social media"; unlike many I don't use "facecrook", "Whatsapp" or even "Email". I know that they are entirely irrelevant to living and functioning in society, as should anyone who is over forty years old. However there are those that insist that you have to have them and get extremely unpleasant if you say "they are unnecessary". The reason for their nastiness is two fold: firstly you are an affront to their self belief of authority, secondly you are a caltrop on their road of convenience. I find such people generally vexatious and best avoided as they are developing a cult of personality and that can only go one way, and to over use an old saying "that ain't pretty".

ahuebrguy • August 15, 2019 6:08 PM

The guys that hacked those phones were so intelligent that they didn't even use a VPN.
So, the PF, federal police, just got to the website they used, like "Gimme their IPs".
Sad and boring...
