{"id":49280,"date":"2014-11-03T12:00:19","date_gmt":"2014-11-03T12:00:19","guid":{"rendered":"https:\/\/www.transcend.org\/tms\/?p=49280"},"modified":"2015-05-05T21:29:35","modified_gmt":"2015-05-05T20:29:35","slug":"secret-manuals-show-the-spyware-sold-to-despots-and-cops-worldwide","status":"publish","type":"post","link":"https:\/\/www.transcend.org\/tms\/2014\/11\/secret-manuals-show-the-spyware-sold-to-despots-and-cops-worldwide\/","title":{"rendered":"Secret Manuals Show the Spyware Sold to Despots and Cops Worldwide"},"content":{"rendered":"

\"laptop-smartphone-feature-hero-b<\/a><\/p>\n

When Apple and Google unveiled new encryption schemes last month, law enforcement officials complained<\/a> that they wouldn\u2019t be able to unlock evidence on criminals\u2019 digital devices. What they didn\u2019t say is that there are already methods to bypass encryption, thanks to off-the-shelf digital implants readily available to the smallest national agencies and the largest city police forces \u2014 easy-to-use software that takes over and monitors digital devices in real time, according to documents obtained by The Intercept<\/em>.<\/p>\n

We\u2019re publishing<\/a> in full, for the first time, manuals explaining the prominent commercial implant software \u201cRemote Control System,\u201d manufactured by the Italian company Hacking Team. Despite FBI director James Comey\u2019s dire warnings<\/a> about the impact of widespread data scrambling \u2014 \u201ccriminals and terrorists would like nothing more,\u201d he declared \u2014 Hacking Team explicitly promises on its website that its software can \u201cdefeat encryption.\u201d<\/p>\n

The manuals describe Hacking Team\u2019s software for government technicians and analysts, showing how it can activate cameras, exfiltrate emails, record Skype calls, log typing, and collect passwords on targeted devices. They also catalog a range of pre-bottled techniques for infecting those devices using wifi networks, USB sticks, streaming video, and email attachments to deliver viral installers. With a few clicks of a mouse, even a lightly trained technician can build a software agent that can infect and monitor a device, then upload captured data at unobtrusive times using a stealthy network of proxy servers, all without leaving a trace. That, at least, is what Hacking Team\u2019s manuals claim as the company tries to distinguish its offerings in the global marketplace for government hacking software.<\/p>\n

Hacking Team\u2019s efforts include a visible push into the U.S. Though Remote Control System is sold around the world \u2014 suspected clients<\/a> include small governments in dozens of countries, from Ethiopia to Kazakhstan to Saudi Arabia to Mexico to Oman \u2014 the company keeps one of its three listed worldwide offices in Annapolis, Maryland, on the edge of the federal intelligence and law-enforcement cluster around the nation\u2019s capital; has sent representatives to American homeland security trade shows <\/a>and conferences<\/a>, where it has led training seminars<\/a> like \u201cCyber Intelligence Solutions to Data Encryption\u201d for police; and has even taken an investment from a firm headed by America\u2019s former ambassador to Italy. The United States is also, according to two separate research teams, far and away Hacking Team\u2019s top nexus for servers<\/a>, hosting upwards of 100 such systems, roughly a fifth of all its servers globally.<\/p>\n

The company has made at least some sales to American entities, according to comments its outspoken co-founder and CEO David Vincenzetti made in l\u2019Espresso<\/em> in 2011<\/a>. \u201cWe sell Remote Control System to institutions in more than 40 countries on five continents,\u201d he told the Italian newsmagazine. \u201cAll of Europe, but also the Middle East, Asia, United States of America.\u201d In the English-language press, where Hacking Team has been more circumspect about its client list, Vincenzetti\u2019s l\u2019Espresso <\/em>comments about selling implants to U.S. institutions seem to have fallen through the cracks. Asked about them, Hacking Team spokesman Eric Rabe told The<\/em>\u00a0Intercept, <\/em>\u201cwe do not identify either our clients or their locations.\u201d<\/p>\n

Whatever the extent of its U.S. sales, Hacking Team\u2019s manuals deserve an audience in America and beyond. This summer, researchers at the Citizen Lab at the University of Toronto\u2019s Munk School of Global Affairs, including the co-author of this piece, published<\/a> excerpts of the manuals and technical descriptions of Hacking Team\u2019s capabilities. Publishing the manuals in their entirety here will give the public a better understanding of the sophistication of these relatively low-cost and increasingly prevalent surveillance tools. That sort of understanding is particularly important at a time when digital monitoring has spread from large federal agencies to local police departments and as more national governments gain the once-rarified ability to deploy digital implants across borders. Turnkey solutions like RCS effectively multiply the online threats faced by activists, dissidents, lawyers, businessmen, journalists, and any number of other computer users.<\/p>\n

A Niche for Commercial Spyware<\/h3>\n

Within the U.S., there\u2019s relatively little information on the prevalence of\u00a0law enforcement hacking. The FBI only rarely discloses its use in criminal cases. Chris Soghoian, principal\u00a0technologist with the American Civil Liberties Union\u2019s Project on Speech, Privacy and Technology, who has closely tracked the FBI\u2019s use of malware, says that agents use vague language when getting judges\u2019 permission to hack devices. \u201cThis is a really, really, invasive tool,\u201d Soghoian says. \u201cIf the courts don\u2019t know what they\u2019re authorizing, they\u2019re not a good check on its use. If we as a society want malware to be used by the state, we ought to have a public debate.\u201d<\/p>\n

What is clear is that large nations with well-funded intelligence establishments\u00a0have long been capable of the kind of surveillance Hacking Team offers. In 2001, it was first reported that the FBI had developed malware known as Magic Lantern<\/a>, which could take over a computer and log its users\u2019 keystrokes, as a way around encryption. Soghoian says it\u2019s likely that the bureau and American intelligence agencies get more customized spying solutions from contractors other than Hacking Team. Countries\u00a0such as China and Russia\u00a0probably develop their spyware in-house.<\/p>\n

\"ht-defeat-encryption-302-300x100<\/a><\/p>\n

Hacking Team and the German firm FinFisher<\/a> have taken over another niche, as the most prominent purveyors of user-friendly, off-the-shelf spyware for less moneyed\u00a0customers, says Ben Wagner, director of the Center for Internet and Human Rights at the European University Viadrina. A recent leak of FinFisher data showed customer service communications<\/a> between the company and Bahrain, Pakistan, Estonia, and a regional police department in Australia, among other clients. The cost of a Hacking Team installation package, meanwhile, ranges from 200,000 to 1 million euros, Vincenzetti told l\u2019Espresso <\/em>in 2011. Pricey, but not out of reach.<\/p>\n

\u201cIf those countries didn\u2019t have access to Gamma [FinFisher\u2019s former parent company] or Hacking Team, they probably wouldn\u2019t be able to do this kind of surveillance,\u201d says Wagner. \u201cThose are the two that we know about who have really gone for this targeted surveillance market for smaller and midsize countries.\u201d<\/p>\n

Soghoian thinks that \u201cto the extent that Hacking Team has sold in the U.S., it would be to less well-resourced federal agencies or bigger local police teams.\u201d
\nHacking Team has built up enough of a profile to become something of an icon in its home country. \u201cElegant and tan\u201d Vincenzetti has been lauded as a poster-boy for modernizing the Italian economy\u00a0and is touted to stateside investors at events like \u201cItaly Meets the USA.\u201d<\/a> Among those promoting Hacking Team is Innogest, an Italian venture capital firm headed by the former U.S. ambassador to Italy Ronald Spogli. The company is in Innogest\u2019s own portfolio<\/a>.<\/p>\n

Despite the acclaim, Hacking Team\u00a0\u2014 and its competitor FinFisher\u00a0\u2014 have drawn the ire of human rights and privacy activists. \u201cWe have not that many companies doing nasty things for not that much money on a global scale, but with huge human rights effects,\u201d Wagner said.<\/p>\n

Companies like Hacking Team refer to their products as \u201clawful intercept\u201d technology. They need at least the pretense of dealing with legitimate actors because the legality of surveillance software depends on the behavior of its users. That\u2019s all that fundamentally separates their software from tools for crime or repression. But evaluating that legitimacy becomes tougher as prices fall and customers proliferate.<\/p>\n

Hacking Team offers the assurance that its users are all government institutions. Spyware is perfectly legal in law enforcement or intelligence investigations \u201cif used with the proper legal authorization in whatever jurisdiction they\u2019re in,\u201d according to Nate Cardozo, staff attorney at the Electronic Frontier Foundation. Hacking Team\u2019s \u201ccustomer policy<\/a>\u201d also claims that it will not sell to countries listed on international \u201cblacklists\u201d or that it believes \u201cfacilitate gross human rights abuses.\u201d The company won\u2019t disclose what it means by blacklists, how its review process works, or which, if any, customers have been dumped. Hacking Team\u2019s spokesman refused to provide details beyond what is on the company\u2019s website.<\/p>\n

There\u2019s evidence the company is not being particularly selective about to whom it sells. Of 21 suspected Hacking Team users tracked down by Citizen Lab<\/a>, nine had been given the lowest possible ranking, \u201cauthoritarian,\u201d in The Economist<\/em>\u2019s 2012 Democracy Index, and four of those were singled out for particularly egregious abuses \u2014 torture, beatings and rapes in detention, lethal violence against protestors \u2014 by Human Rights Watch.<\/p>\n

Its competitors face similar criticism. Activists in Bahrain and Ethiopia have found FinFisher spyware on their computers. (FinFisher did not respond to an emailed request for comment.)<\/p>\n

The U.S. government has shown an interest in policing the improper use of packaged malware. The Justice Department just recently brought its first case against a spyware developer<\/a>, arresting a Pakistani man who marketed StealthGenie, an app that does some of the same things\u00a0as Hacking Team\u2019s RCS \u2013 monitoring all phone calls, messages, emails, texts and more without the owner\u2019s knowledge \u2014 except for individuals rather than governments. Announcing the charges against StealthGenie\u2019s maker, an assistant attorney general called the spyware \u201creprehensible\u2026expressly designed for use by stalkers and domestic abusers who want to know every detail of a victim\u2019s personal life.\u201d<\/p>\n

How It Works<\/h3>\n

Key to the spread of software like Hacking Team RCS is that it\u2019s designed to be simple for non-experts to use.<\/p>\n

In a brochure, Hacking Team boasts<\/a>, \u201cYou cannot stop your targets from moving. How can you keep chasing them? What you need is a way to bypass encryption, collect relevant data out of any device, and keep monitoring your targets wherever they are, even outside your monitoring domain. Remote Control System does exactly that.\u201d<\/p>\n

Hacking Team manuals, dated September 2013, provide step-by-step instructions for technicians, administrators, and analysts on how to infect a device and set up spying.<\/p>\n

The software can be installed physically, via a USB stick, if the authorities have direct access to the computer (imagine a police stop or an airport search.)<\/p>\n

Or, the infection can happen remotely. It could\u00a0take the familiar form of a phishing attack or email scam \u2013 as a group of Moroccan reporters found out in 2012<\/a>. A document promising them a secret scoop (it was titled \u201cscandale,<\/em>\u201d in French) turned out to be a decoy for Hacking Team software. An Emirati blogger fell victim<\/a> to the same trick. The implant can also be melded with legitimate, useful software that the victim is prompted to download.<\/p>\n

As The Intercept <\/em>has previously reported<\/a>, Hacking Team also installs its bugs via \u201cnetwork injectors\u201d \u2013 physical devices housed with internet service providers, that allow them to intercept ordinary web traffic, like streaming video, and replace it with infectious code. (After we reported that YouTube and Microsoft Live were exploitable in this way, both companies moved to fix the vulnerabilities.)<\/p>\n

\"From<\/a>

From page 107 of the RCS Technician\u2019s Guide.<\/p><\/div>\n

Then there are covert network injections. The spyware installer might lay in wait in a hotel, or a Starbucks, and gain access to your computer by \u201cemulating an access point\u201d \u2013 in other words, pretending to be a free wifi hotspot to which the victim connected previously. The manual also describes how the software can deploy password-busting tools to break into closed wifi networks.<\/p>\n

\"From<\/a>

From RCS Technician\u2019s Guide, page 115.<\/p><\/div>\n

\"From<\/a>

From RCS Technician\u2019s Guide, page 117.<\/p><\/div>\n

The Hacking Team manuals recommend that customers buy a code signing certificate from Verisign (now Symantec), Thawte, or GoDaddy\u2013 companies that offer a stamp of assurance that signals to operating systems and anti-virus scanners that the software is legitimate. Getting what Symantec calls its \u201cdigital shrinkwrap\u201d added to Hacking Team software makes it less likely to be detected. (Symantec declined to comment on how it handles malware in issuing certificates. GoDaddy and Thawte did not respond.)<\/p>\n

Via one of those methods, the \u201cagent\u201d \u2014 ie., the bug \u2014 is implanted on any of these devices:<\/p>\n

\"From<\/a>

From RCS Technician\u2019s Guide, page 39.<\/p><\/div>\n

And set up to start recording:<\/p>\n

\"From<\/a>

From RCS Technician\u2019s Guide, page 71.<\/p><\/div>\n

The \u201canalyst\u201d can then explore and take virtually anything from the target\u2019s phone or computer, at least according to the manual.<\/p>\n

\"06-analyst-guide-p59<\/a><\/p>\n

\"07-analyst-guide-p60-540x502<\/a>

From RCS Analyst\u2019s Guide, page 59-60.<\/p><\/div>\n

Here our analyst selects an investigation \u2013 code-named \u201cSwordfish,\u201d and described as a \u201cTerrorist Attack in Singapore.\u201d<\/p>\n

\"From<\/a>

From RCS Analyst\u2019s Guide, page 32.<\/p><\/div>\n

Opening that up, he sees the targets in swordfish \u2013 \u201cAlejandro Reade,\u201d \u201cJoey Fargo,\u201d and \u201cJimmy Page\u201d \u2013 \u201chead of the terrorist cell.\u201d<\/p>\n

\"From<\/a>

From RCS Analyst\u2019s Guide, page 34.<\/p><\/div>\n

Here\u2019s what he\u2019s looking at on Jimmy\u2019s computer: his desktop, Skype account, Firefox browsing. All of that can be exported from the bugged device to the spy\u2019s computer, undetected.<\/p>\n

\"From<\/a>

From RCS Analyst\u2019s Guide, page 49.<\/p><\/div>\n

But before he sends everything off to his higher-ups, he can have a listen, to decide if it\u2019s relevant:<\/p>\n

\"From<\/a>

From RCS Analyst\u2019s Guide, page 56.<\/p><\/div>\n

And can even translate it:<\/p>\n

\"From<\/a>

From RCS Analyst\u2019s Guide, page 48.<\/p><\/div>\n

Once he\u2019s got all that, he maps out the various people and places tied to his target.<\/p>\n

\"13-analyst-guide-p66-540x103<\/a><\/p>\n

\"From<\/a>

From RCS Analyst\u2019s Guide, pages 66-67.<\/p><\/div>\n

Entities are automatically linked by the software based on their contacts \u2013 either as a \u201cknow,\u201d a \u201cpeer,\u201d or an \u201cidentity\u201d (ie., two addresses associated with the same person.)<\/p>\n

\"15-analyst-guide-p68-540x380<\/a>\"16-analyst-guide-p70-640x406<\/a><\/p>\n

\"17-analyst-guide-p71<\/a><\/p>\n

\"16-analyst-guide-p70-540x343<\/a>

From RCS Analyst\u2019s Guide, pages 68, 70, and 71.<\/p><\/div>\n

Here are Jimmy and his friends in an industrial lot in Los Angeles<\/a>:<\/p>\n

\"From<\/a>

From RCS Analyst\u2019s Guide, page 76.<\/p><\/div>\n

\"From<\/a>

From RCS Analyst\u2019s Guide, page 81.<\/p><\/div>\n

And here\u2019s the man himself, with all his vital stats. Web sites and physical locations get similar profiles. That photo, the manual notes, will default to the \u201cfirst image captured by the webcam.\u201d<\/p>\n

\"From<\/a>

From RCS Analyst\u2019s Guide, page 85.<\/p><\/div>\n

For more on how this all works, see Citizen Lab\u2019s report<\/a>, and explore the full set of documents below.<\/p>\n

Manuals<\/h3>\n

Hacking Team RCS 9 Analyst\u2019s Guide (PDF<\/a>)<\/p>\n

Hacking Team RCS 9 Administrator\u2019s Guide (PDF<\/a>)<\/p>\n

Hacking Team RCS 9 Technician\u2019s Guide (PDF<\/a>)<\/p>\n

Hacking Team RCS 9 System Administrator\u2019s Guide (PDF<\/a>)<\/p>\n

Hacking Team RCS Invisibility Report (PDF<\/a>)<\/p>\n

Hacking Team RCS 9.0 Changelog (PDF<\/a>)<\/p>\n

Hacking Team RCS 9.1 Changelog (PDF<\/a>)<\/p>\n

_________________________________<\/p>\n

Top Photo: Pablo Blazquez Dominguez\/Getty Images; Vincenzetti: Google+<\/em><\/p>\n

Email the authors: cora.currier@theintercept.com<\/a>, morgan@firstlook.org<\/a><\/em><\/p>\n

Go to Original \u2013 firstlook.org<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

There are already methods to bypass encryption, thanks to off-the-shelf digital implants readily available to the smallest national agencies and the largest city police forces \u2014 easy-to-use software that takes over and monitors digital devices in real time, according to documents obtained by The Intercept.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[60],"tags":[],"class_list":["post-49280","post","type-post","status-publish","format-standard","hentry","category-whistleblowing-surveillance"],"_links":{"self":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/49280","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/comments?post=49280"}],"version-history":[{"count":0,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/49280\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/media?parent=49280"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/categories?post=49280"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/tags?post=49280"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}