Even companies that specialize in selling tools worth millions of dollars designed to break into devices are unable to fully protect them from getting out into the wild.
That’s one lesson from this week’s indictment of a former employee of Israeli cyber surveillance company NSO Group, a company best known for selling smartphone-cracking tools to governments and law enforcement agencies, who allegedly stole company spyware and tried to sell it on the dark web for $50 million. And it could have implications for the encryption debate here in the United States as policymakers consider requiring tech companies to create tools that allow them to bypass strong encryption during investigations.
Software and device makers such as Apple have pushed back on law enforcement’s calls to build anything that resembles a “back door” into encryption. The alleged NSO Group theft is a proof point for arguments that once these vulnerabilities are created, there’s always a chance they can slip into the wrong hands and put consumers at risk — no matter how well protected.
“There’s nothing preventing an Apple employee from doing the exact same thing in a world where there’s mandatory key escrow for exceptional access to smartphones,” said Riana Pfefferkorn, a cryptography fellow at the Stanford Center for Internet and Society. “Once the deed is done by an insider, then what was supposed to be a tool only for the ‘good guys’ is out there for the ‘bad guys’ as well.”
While it’s not an apples-to-apples comparison, the NSO Group leak illustrates a high-stakes example of an “insider threat.” Per Forbes’s Thomas Fox-Brewster, here’s how the 38-year-old defendant allegedly did it:
“According to the [Israeli Justice Ministry’s] indictment, which doesn’t name the employee, the accused disabled McAfee security software on his computer before shifting NSO source code to an external hard drive. Once he’d stolen the material, he Googled possible avenues for sale before heading onto Tor, the network that provides an avenue to the dark web, the attorney general alleged. The ex-staffer then claimed to be part of a hacker crew that had broken into NSO to cover his tracks as he sought to find a buyer, Israel’s authorities alleged, before stating the actions of the suspect could’ve jeopardized the security of the state. That harm came from the fact that the NSO tools were used by Israel’s armed forces, the indictment revealed.”
Reuters quotes Israeli authorities as saying that the former employee’s alleged actions threatened national security and “endangered NSO and could have led to its collapse.” NSO Group told Reuters that the information hadn’t been shared with any third party and no customer data was compromised.
While it remains unclear which tool was stolen, the company’s products include spyware known as Pegasus, which can be installed on a cellphone from afar without the user’s knowledge and has the potential to record calls, intercept text messages, track a device’s movements and scan other data.
Its already controversial when deployed by governments: The United Arab Emirates reportedly tried to use it to spy on a pro-democracy activist in 2016. And the Mexican government has purchased tens of millions of dollars’ worth of the spyware, using it to eavesdrop on lawyers, journalists and government critics, as the New York Times reported last year. But just imagine if it was exposed and used by a malicious actor who bought it off the dark web.
And imagine if that kind of leak happened at a company forced to create a tool to defeat its own strong encryption.
Apple CEO Tim Cook’s letter in February 2016 feels particularly salient now. At the time, he was pushing back on the idea of creating a “master key” during a dispute with the FBI in 2016 over access to the cellphone of the gunman in the mass shooting in San Bernardino, Calif.:
“In today’s digital world, the ‘key’ to an encrypted system is a piece of information that unlocks the data, and it is only as secure as the protections around it. Once the information is known, or a way to bypass the code is revealed, the encryption can be defeated by anyone with that knowledge. The government suggests this tool could only be used once, on one phone. But that’s simply not true. Once created, the technique could be used over and over again, on any number of devices. In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks — from restaurants and banks to stores and homes. No reasonable person would find that acceptable.”
Experts note the alleged NSO Group theft highlights the risks — and the stakes— when companies store such powerful tools designed for break-ins.
“The NSO story demonstrates the importance of considering insider threats when assessing the risks and trade-offs of an exceptional access mandate,” Pfefferkorn said. “The insider threat can be intentional and malicious, as with the NSO employee. But there is also the risk of blackmail or extortion, as well as inadvertence — remember when an Apple employee left a prototype iPhone in a bar?”
Even the U.S. government has struggled to protect some of its own hacking tools. Just last year, WikiLeaks published a huge cache of the CIA’s hacking arsenal the agency uses to conduct espionage overseas. Prosecutors have accused a former employee of leaking the trove of information.
“When you think about insider threats it’s easy to imagine a scenario where an entity like NSO Group would be betrayed by an insider,” said Katie Moussouris, CEO of the cybersecurity company Luta Security. “But you could also imagine a scenario where it would happen in a large corporation. Even people with security clearances have turned traitor on United States before.”
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED, PATCHED, PWNED
PINGED: Jon Huntsman, the U.S. ambassador to Russia, said on Thursday that President Trump “will drive the discussion on malign activity and election meddling” when he meets with Russian President Vladimir Putin in Finland later this month. “He knows the facts and the details and he’s discussed it,” Huntsman said of Trump, according to a transcript of the ambassador’s comments to reporters. “We all talk about it a little differently, but the president has talked about it in his own way.”
Huntsman also said the meeting between Trump and Putin, which is scheduled for July 16 in Helsinki, will allow the United States to address Russia’s interference in U.S. politics and other issues in a “direct” manner. “You hear it a lot on the talk shows, you read about election meddling in popular punditry,” Huntsman said. “But the fact of the matter is that we have not had the kind of conversations, direct conversations, across-the-table conversations, about things like election meddling and malign activity, that really do need to take place.”
But Huntsman’s comments stood in contrast with Trump’s previous comments on the matter. Trump has repeatedly shown skepticism about Russian interference in the past U.S. presidential election. As recently as last week, he expressed frustration with the U.S. intelligence community’s conclusions that Russia interfered in the 2016 election and ultimately sought to help elect him. “Russia continues to say they had nothing to do with Meddling in our Election!” Trump wrote in a June 28 tweet.
PATCHED: Putin wanted Russian-made equipment to power a data collection program storing the content of Russians’ phone calls and texts for six months but telecommunication companies won’t be able to fulfill his request, Reuters’s Maria Kolomychenko and Polina Nikolskaya reported Thursday. Russian companies do not have sufficient capacity to implement the new guidelines on their own and two sources said the firms will need to resort to foreign equipment from vendors such as Cisco, Hewlett Packard Enterprise and Huawei, according to Reuters.
“A handful of Russian companies are approved by the domestic intelligence service, the FSB, to provide combined systems of software and hardware that gather and store the contents of phone calls and text messages,” Kolomychenko and Nikolskaya wrote. “But the systems they are designing in most cases use foreign hardware to store the data, the two sources told Reuters.”
The program is part of a series of counterterrorism laws that Putin signed in 2016, according to Reuters. Security officials designed the legislation without input from technical experts, Kolomychenko and Nikolskaya wrote. “A week after Putin signed the law, Deputy Minister of Economic Development Oleg Fomichev said there was not enough data storage equipment available, in Russia or abroad, to meet the terms of the legislation,” according to Reuters.
PWNED: Cellphone users in developing countries often access mobile Internet services on their devices at the expense of their data privacy, the Wall Street Journal’s Newley Purnell reports. Purnell cites the example of GMobi, a mobile Internet services company from Taiwan that uses an application that’s already built inside mobile devices to collect users’ information on a huge scale in developing nations.
“One such app, included on thousands of Chinese-made Singtech P10 smartphones sold in Myanmar and Cambodia, sends the owner’s location and unique-device details to a mobile-advertising firm in Taiwan called General Mobile Corp., or GMobi,” Purnell writes. “The app also has appeared on smartphones sold in Brazil and those made by manufacturers based in China and India, security researchers say.” The Journal also reports that some online anti-virus companies consider this GMobi app as malware but the company’s chief executive disputes that label.
Marc Groman, a former senior privacy adviser at the White House Office of Management and Budget, told Purnell that companies engaging in those practices are taking advantage of consumers. “They are exploiting developing economies and individuals who can’t afford better devices and clearly tracking them,” Groman, now a private consultant, told Purnell.
— California state lawmakers on Thursday announced a net-neutrality proposal after a previous plan was weakened last month in a State Assembly committee, The Washington Post’s Brian Fung reports. “The California proposal goes further than the now-defunct federal rules.” Fung writes. “The revised bill will contain tougher language that not only bans Internet service providers from blocking and slowing down websites, but for example will also ban ‘abusive’ forms of a practice known as zero-rating, the lawmakers said, which occurs when an ISP exempts its own apps and services from customer data caps but counts other app usage against those monthly limits.”
— Members of email forensic groups that include law enforcement officials explored how they could evade a request to produce online records about phone-cracking tools such as GrayKey, Motherboard’s Joseph Cox reported on Thursday. “The emails in these forensic groups that come from official accounts likely qualify for public release under laws such as the Freedom of Information Act,” Cox wrote. “According to one source, some members were trying to find ways to make the cost of gathering the emails too high, so the government agency would not provide the documents to Motherboard.”
— Trump on Thursday announced in a statement that he plans to nominate William Bryan to serve as undersecretary for science and technology at the Department of Homeland Security. Bryan already holds the position in an acting capacity, according to DHS’s website. In a previous position at the Energy Department, Bryan was involved in helping Ukraine “mitigate impacts from cyber events,” according to DHS.
— More cybersecurity news from the public sector:
A Department of Homeland Security-funded product designed to better protect mobile-phone users from phishing is becoming available to government and private-sector clients, the department said Thursday.
“These high costs, which would particularly harm Americans in remote and low-income areas, cannot be justified by the supposed national security benefits of the proposed rule, because these are speculative,” Huawei said.
— In a response to concerns over whether Google Documents files had leaked online in Russia, Google emphasized in a statement on Thursday that its online app “is working correctly,” according to the Associated Press. “The Russian internet company Yandex said in a statement that some users contacted the company Wednesday to say that its public search engine was yielding what looked like personal Google Documents files, suggesting there may have been a data breach,” the AP reported. “On Wednesday night, Russian social media users started posting scores of such documents, including an internal memo from a Russian bank, press summaries and company business plans. The veracity of those documents could not be independently confirmed.”
— More cybersecurity news from the private sector:
FOR THE N00BS
Trump’s Montana rally, in three minutes:
Watch a deaf and blind fan experience a World Cup game in real time:
North and South Korean basketball players hold friendly match in Pyongyang: