The National Security Agency and its closest allies planned to hijack data links to Google and Samsung app stores to infect smartphones with spyware, a top-secret document reveals.
The surveillance project was launched by a joint electronic eavesdropping unit called the Network Tradecraft Advancement Team, which includes spies from each of the countries in the “Five Eyes” alliance — the United States, Canada, the United Kingdom, New Zealand and Australia.
The top-secret document, obtained from NSA whistleblower Edward Snowden, was published Wednesday by CBC News in collaboration with The Intercept. The document outlines a series of tactics that the NSA and its counterparts in the Five Eyes were working on during workshops held in Australia and Canada between November 2011 and February 2012.
The main purpose of the workshops was to find new ways to exploit smartphone technology for surveillance. The agencies used the Internet spying system XKEYSCORE to identify smartphone traffic flowing across Internet cables and then to track down smartphone connections to app marketplace servers operated by Samsung and Google. (Google declined to comment for this story. Samsung said it would not be commenting “at this time.”)
As part of a pilot project codenamed IRRITANT HORN, the agencies were developing a method to hack and hijack phone users’ connections to app stores so that they would be able to send malicious “implants” to targeted devices. The implants could then be used to collect data from the phones without their users noticing.
Previous disclosures from the Snowden files have shown agencies in the Five Eyes alliance designed spyware for iPhones and Android smartphones, enabling them to infect targeted phones and grab emails, texts, web history, call records, videos, photos and other files stored on them. But methods used by the agencies to get the spyware onto phones in the first place have remained unclear.
The newly published document shows how the agencies wanted to “exploit” app store servers — using them to launch so-called “man-in-the-middle” attacks to infect phones with the implants. A man-in-the-middle attack is a technique in which hackers place themselves between computers as they are communicating with each other; it is a tactic sometimes used by criminal hackers to defraud people. In this instance, the method would have allowed the surveillance agencies to modify the content of data packets passing between targeted smartphones and the app servers while an app was being downloaded or updated, inserting spyware that would be covertly sent to the phones.
But the agencies wanted to do more than just use app stores as a launching pad to infect phones with spyware. They were also keen to find ways to hijack them as a way of sending “selective misinformation to the targets’ handsets” as part of so-called “effects” operations that are used to spread propaganda or confuse adversaries. Moreover, the agencies wanted to gain access to companies’ app store servers so they could secretly use them for “harvesting” information about phone users.
The project was motivated in part by concerns about the possibility of “another Arab Spring,” which was sparked in Tunisia in December 2010 and later spread to countries across the Middle East and North Africa. Western governments and intelligence agencies were largely blindsided by those events, and the document detailing IRRITANT HORN suggests the spies wanted to be prepared to launch surveillance operations in the event of more unrest.
The agencies were particularly interested in the African region, focusing on Senegal, Sudan and the Congo. But the app stores targeted were located in a range of countries, including a Google app store server located in France and other companies’ app download servers in Cuba, Morocco, Switzerland, Bahamas, the Netherlands and Russia. (At the time, the Google app store was called the “Android Market”; it is now named Google Play.)
Another major outcome of the secret workshops was the agencies’ discovery of privacy vulnerabilities in UC Browser, a popular app used to browse the Internet across Asia, particularly in China and India. Though UC Browser is not well-known in Western countries, its massive Asian user base, a reported half billion people, means it is one of the most popular mobile Internet browsers in the world.
According to the top-secret document, the agencies discovered that the UC Browser app was leaking a gold mine of identifying information about its users’ phones. Some of the leaking information apparently helped the agencies uncover a communication channel linked to a foreign military unit believed to be plotting “covert activities” in Western countries. The discovery was celebrated by the spies as an “opportunity where potentially none may have existed before.”
Citizen Lab, a human rights and technology research group based at the University of Toronto, analyzed the Android version of the UC Browser app for CBC News and said it identified “major security and privacy issues” in its English and Chinese editions. The Citizen Lab researchers have authored their own detailed technical report outlining the many ways the app has been leaking data, including some users’ search queries, SIM card numbers and unique device IDs that can be used to track people.
Citizen Lab alerted UC Browser to the security gaps in mid-April; the company says it has now fixed them by rolling out an update for the app. A spokesperson for UC Browser’s parent company, Chinese e-commerce giant the Alibaba Group, told CBC News in a statement that it took security “very seriously and we do everything possible to protect our users.” The spokesperson added that the company had found “no evidence that any user information has been taken” — though it is not likely that surveillance of the leaking data would have been detectable.
The case strikes at the heart of a debate about whether spy agencies are putting ordinary people at risk by secretly exploiting security flaws in popular software instead of reporting them so that they can be fixed.
According to Citizen Lab Director Ron Deibert, the UC Browser vulnerability not only exposed millions of the app’s users to surveillance carried out by any number of governments — but it could also have been exploited by criminal hackers to harvest personal data.
“Of course, the security agencies don’t [disclose the information],” Deibert said. “Instead, they harbor the vulnerability. They essentially weaponize it.” Taking advantage of weaknesses in apps like UC Browser “may make sense from a very narrow national security mindset,” Deibert added, “but it’s at the expense of the privacy and security of hundreds of millions of users worldwide.”
The revelations are the latest to highlight tactics adopted by the Five Eyes agencies in their efforts to hack computers and exploit software vulnerabilities for surveillance. Last year, The Intercept reported that the NSA has worked with its partners to dramatically increase the scope of its hacking attacks and use of “implants” to infect computers. In some cases, the agency was shown to have masqueraded as a Facebook server in order to hack into computers.
The Intercept and CBC News contacted each of the Five Eyes agencies for comment on this story, but none would answer questions on record about any of the specific details.
A spokesperson for Canada’s Communications Security Establishment said that the agency was “mandated to collect foreign signals intelligence to protect Canada and Canadians from a variety of threats to our national security, including terrorism,” adding that it “does not direct its foreign signals intelligence activities at Canadians or anywhere in Canada.”
British agency Government Communications Headquarters said that its work was “carried out in accordance with a strict legal and policy framework, which ensures that our activities are authorised, necessary and proportionate.”
Australia’s Signals Directorate said it was “long-standing practice” not to discuss intelligence matters and would not comment further.
New Zealand’s Government Communications Security Bureau said that it has “a foreign intelligence mandate” and that everything it does is “explicitly authorised and subject to independent oversight.”
The NSA had not responded to repeated requests for comment at time of publication.