Secret Manuals Show the Spyware Sold to Despots and Cops Worldwide by Cora Currier and Morgan Marquis-Boire.
From the post:
When Apple and Google unveiled new encryption schemes last month, law enforcement officials complained that they wouldn’t be able to unlock evidence on criminals’ digital devices. What they didn’t say is that there are already methods to bypass encryption, thanks to off-the-shelf digital implants readily available to the smallest national agencies and the largest city police forces — easy-to-use software that takes over and monitors digital devices in real time, according to documents obtained by The Intercept.
We’re publishing in full, for the first time, manuals explaining the prominent commercial implant software “Remote Control System,” manufactured by the Italian company Hacking Team. Despite FBI director James Comey’s dire warnings about the impact of widespread data scrambling — “criminals and terrorists would like nothing more,” he declared — Hacking Team explicitly promises on its website that its software can “defeat encryption.”
The manuals describe Hacking Team’s software for government technicians and analysts, showing how it can activate cameras, exfiltrate emails, record Skype calls, log typing, and collect passwords on targeted devices. They also catalog a range of pre-bottled techniques for infecting those devices using wifi networks, USB sticks, streaming video, and email attachments to deliver viral installers. With a few clicks of a mouse, even a lightly trained technician can build a software agent that can infect and monitor a device, then upload captured data at unobtrusive times using a stealthy network of proxy servers, all without leaving a trace. That, at least, is what Hacking Team’s manuals claim as the company tries to distinguish its offerings in the global marketplace for government hacking software.
…
The flagship package, “Remote Control System (RCS),” runs between 200,000 to 1 million euros, creating a market opportunity for anyone who wants to reverse engineer from the manuals to options for less well heeled users.
As far as the claims of being able to defeat encryption, assuming you paid 1 million euros for software to illegally spy on your own citizens, who are you going to complain to if it fails in some way? Post an angry note on the customer support wiki? It’s the same reason drug dealers rarely have product liability issues.
Becoming aware of cybersecurity issues can improve your security. Appeals to and discussions of abusive stepparents (governments) continues the cycle of abuse.
Police Story: Hacking Team’s Government Surveillance Malware by Morgan Marquis-Boire, John Scott-Railton, Claudio Guarnieri, and Katie Kleemola, does a deep technical dive on one use of RCS. Excellent reading.
Enjoy!