Wednesday 25 June 2014

Governments use phone implant tech to stalk activists

by LIAT CLARK


An Italian company's surveillance software has been used to spy on the mobile phones of human rights activists, journalists and politicians using remote controlled implants.
A joint investigation by Toronto-based Citizen Lab and anti-virus software company Kaspersky Lab has revealed that the major operating systems iOS, Android, BlackBerry and Windows are all vulnerable to Hacking Team's Galileo tool, which can take over a device's microphone, camera and applications, including location services.
"All of this stuff is used for espionage purposes by governments -- it's used around the world," said Morgan Marquis-Boire of Citizen Lab, who worked on the investigation. "Any government that has the money to purchase it can do so, with few exceptions. These types of companies won't sell it to North Korea, for example. But this is the democratisation of espionage tools and it's being used to target political figures, not just typical espionage targets."
These types of tools are touted at global surveillance fairs attended by government agencies from across the world. 
Marquis-Boire points to Hacking Team's own customer policy, which states that it "understands the potential for abuse of the surveillance technologies" and so takes precautions and does not sell to governments or countries blacklisted by the US, EU, UN, NATO or ASEAN. It also reviews all requests.
However, the investigation has shown that political targets have often been the victims. We saw this with Gamma International's FinFisher tool, which Citizen Lab found was used to spy on refugee Tadesse Biru Kersmo for his involvement with an Ethiopian opposition group. It has been linked to the torture of activists in Bahrain and the imprisonment of government critics in Morocco and the UAE. Marquis-Boire gives the example of democracy activist Ahmed Mansoor, who inadvertently clicked on an email link that resulted in him being traced, stalked and eventually attacked and beaten. "He had no idea how they were tracing him, but when I analysed his machine this software was found."
Hacking Team, which boasts on its website "Go stealth and untraceable" and "beat encryption", has now been linked to 326 command and control servers in more than 44 countries, with most located in the US, Kazakhstan, Ecuador, the UK and Canada. You can find out more on how Citizen Lab traced the servers here, in an earlier report.
"We can't tell if governments are actively using the malware, because citizens from any country can rent services," said Sergey Golovanov, Principal Security Researcher at Kaspersky Lab. "But we can monitor the victims around the world."
Much of the team's new knowledge has come from a Hacking Team document sent anonymously to Citizen Lab. It has revealed tactics and gives advice on how to stay anonymous (bizarrely, using the Anonymous logo of a headless figure to demonstrate this).
A number of techniques can be used to infect mobile devices. These include social engineering (fake links spread around social networks, which Marquis-Boire says a surprising number of people are still fooled by), exploits, direct USB infections and network infections.
"Mobile implants are kind of scary because we have a relationship with our mobiles -- that's why it's highly desirable," says Marquis-Boire.
The implants have been shown to hijack WhatsApp, Viber and Skype conversations, cached web pages, calendars and location services. In the acquired document there is a screenshot of the individual being targeted, visible as a blob on a map at the LA county sheriff's car park.
The system can even act to save battery, automatically turning on the microphone and Wi-Fi and taking photos when it's connected to the power supply. It can be set to enable GPS when the system is started.
Golovanov explains how iPhones can be breached. The devices either need to be jailbroken, or the infection can happen when they are connected to an infected computer.
"It cannot be installed on the iPhone without user interaction. So it can be infected by physical access -- say, if an officer asks you to give them your phone -- or remote access when connected to an infected computer. When connected for charging, a guy will push a button and infect the device. When it's pushed, this button script will run on the phone and require a jailbreak. The only thing that protects it is the passcode. If it's locked and connected they can't do it. Or keep your software updated."
Sample detections were visible in the document in Italy, China and India.
These kinds of systems, Marquis-Boire warned, are becoming the new normal. 
"Hacking and malware are things law enforcement are not particularly keen on," he says. "However they have a different opinion when they are the ones doing it. They now ask civil anti-virus companies not to detect technologies they use." It's being used increasingly for industrial espionage, but even by governments spying on foreign embassies. In Germany in 2011, it was used to spy on a man suspected of steroid dealing, says Marquis-Boire, showing it has become pedestrian to use these types of communications surveillance techniques.
"This type of software is actually sold as a middle solution in between traditional methods of law enforcement [such as phone tapping] and physical searches.
"Say you're involved in a criminal conspiracy -- it's likely law enforcement will tap your phones. A judge signs a warrant and gives that piece of paper to telecommunications companies. In the US the FBI publishes statistics on how often this happens every year."
Physical searches, he points out, are expensive compared to communications surveillance, which is relatively economical and hugely efficient. It's also "deniable" and not totally understood by the general public.
"But how often does this happen and in what circumstances? If it's to catch kidnappers, that's good. But tax cheats? Maybe we're not so comfortable with that. Or a journalist reporting on political corruption -- is that legal?"
What if it happened to 50 people, or 500,000 -- when do we start to worry?
"Law enforcement round the world will find this appealing -- but what do you get from home phone lines? When was the last time anyone had a conversation on their home phone line? Everyone lives on smartphones."
He suggests governments start issuing aggregate figures, like the FBI does for phone tapping incidents.
"I'm hesitant about strict regulation because people commissioning production of this technology will be the same people regulating it. But there is a growing role to police these types of surveillance."
http://www.wired.co.uk/news/archive/2014-06/24/galileo-journalism-surveillance
