Troublesome Trojans: Firm Sought to Install Spyware Via Faked iTunes Updates
A surveillance firm claims it can distribute its spyware via faked iTunes updates. Apple appears to have moved to eliminate the security gap, but the debate over trojans used by governments, both democratic and otherwise, continues to boil.
It was as if a far-flung secret society had gathered in Berlin at the end of September. Military officials and representatives of security authorities from around the world met in a luxury hotel to discuss threats in the digital world: cyber attacks, electronic espionage and online organized crime. But the most pressing issue on the agenda was technology that can be used to combat these perils.
In the hotel's foyer, companies touted their myriad surveillance technologies. The stand that stood out most was decked out in blue and black and advertised a product called FinFisher. The business cards of the young men working the stand identified them as representatives of the firm Gamma International GmbH of Munich. The Gamma representatives, however, were only interested in sharing information about their service with potential customers. A banner hanging above them did provide hints: something to do with "Governmental IT Intrusion" -- in other words, electronic tools for digital break-ins that can be used by governments and their agencies. The managing director, from Munich, told SPIEGEL the company had no interest in any reporting on its products.
iTunes Used to Install Trojan?
In contrast to their Italian competitor Hacking Team, which was also in Berlin to solicit new customers, the Gamma team even took steps to ensure that journalists left the room when their managing director gave a presentation.
The wariness of the media, it would seem, is not without reason. The FinFisher software on offer, it appears from marketing materials obtained by SPIEGEL, may work in a manner similar to that used by the online criminals it is intended to combat. Indeed, a video promoting FinFisher indicates that the software uses Apple's popular iTunes in order to load snooping software onto the computers of the intended suspects.
In recent years, international demand has risen considerably for the kind of Internet surveillance software that Gamma International GmbH and Hacking Team demonstrated in Berlin. Worldwide, suspects are increasingly communicating over the Internet using encryption-protected technology. Agreements that suspects previously made over comparatively easy-to-tap landlines or mobile phones are increasingly being conducted through encrypted Internet telephony services like Skype or through encrypted computer chats. Very often, the only thing security authorities are able to capture is suspects making mobile phone calls in order to set up their next encrypted chat date.
Firms like Gamma International GmbH and Hacking Team offer solutions that promise to solve these problems. But the surveillance offered by their software is anything but simple to implement. One has to succeed in installing the software on the suspect's computer prior to any encrypted communication so that conversations, mails and chats can be secretly channelled to security authorities. To put it more simply, the authorities have to hack into a suspect's computer.
An Electronic Break-In System
The discussion in Germany over the so-called "government Trojans" created by the firm DigiTask underscores just how controversial and legally problematic such efforts are. An analysis by the Berlin-based hacking organization Chaos Computer Club showed that the software is capable of doing more than German laws on wiretapping permit.
Gamma presents the FinFisher system as the most comprehensive electronic snooping software available on the market. Earlier this year, the company made headlines when protesters stormed the offices of the Egyptian state security service in Cairo and came across detailed offers for various FinFisher applications.
At the time, Mostafa Hussein, a 30-year-old doctor, told SPIEGEL ONLINE of finding a sheaf of documents when he and other protesters stormed the building in March. The documents included a software offer dated June 2010 for a complete package of surveillance software, installation and training for state investigators. The estimated cost was around 330,000, including one year of support. The offer included "Remote Intrusion Software" and "Remote Infection Tools" -- in other words, programs that could be used to install snooping software on a target computer. The offer carried the logo of Gamma International UK Limited and also mentioned programs like "FinSpy" and "FinFly Lite."
Lawyers representing Gamma International UK Limited explained that no products from the FinFisher line had been delivered to the Egyptian government. They said the company only delivers its products to governments and that, in doing so, it adheres to British law and any other relevant regulations. In addition, the company said it could not provide any information about "confidential business relationships and the type of products it offers."
Since then, the secret dealings with technologies for so-called lawful interception have come under increasing scrutiny in Germany and abroad -- not least because the most modern Western surveillance technologies have also been popping up in other authoritarian states like Syria, Libya and Bahrain in recent months. In the hands of dictators, they can easily be used as instruments of repression.
Some of the first details about the FinFisher surveillance software can be found in the material obtained by SPIEGEL. The firm's own advertising videos show that the firm offers a whole palette of possibilities for infiltrating and installing spy software on target computers.
'Full Access to the Target Phone'
The simplest way noted is if the "agent" has physical access to the targeted person's computer. In such instances, it is sufficient to stick a USB stick ("FinFly USB") into the computer. But what can one do when that isn't possible? The company also offers solutions for those instances -- even for mobile devices. The animated promotion video for "FinSpy Mobile," for example, states: "The Target is using a Blackberry phone for his communication." It then sends a message to the target in a format that looks like an update for the phone. "The Target receives a fake update message from FinSpy Mobile," the video states. "The Target accepts the Blackberry Update." And, finally, "The Target System is now infected with FinSpy software. The Headquarter has full access to the Target Phone."
The firm's promotion material also suggests that in an infection through "FinFly ISP," the recipient receives a "fake iTunes update." If the update is clicked on and downloaded, "headquarters" will have full access to the targeted computer -- at least according to the company's promotional materials.
Blackberry developer Research in Motion did not respond to a query from SPIEGEL about what the company thought of the fake update messages.
At Apple, officials seemed unenthused about the apparent actions of the Munich firm and contrite about the vulnerability in Apple's own software that the firm might be using to distribute spy software. It appears the Munich firm had taken advantage of the fact that, so far, Apple had not sent out its iTunes update messages over a secure connection. FinFisher software was apparently able to latch on to that unprotected communication to perpetrate what is known as a "man-in-the-middle attack."
Apple Confirms Attackers Could Fake Updates
"The security and privacy of our users is extremely important and we actively work to find and fix any issues that could compromise their systems," an Apple spokesman answered in response to a query from SPIEGEL.
It appears that Apple has already responded and has sought to eliminate the iTunes vulnerability that may have been used in the FinFisher software. A few days ago, the California-based company released the new iTunes Update 10.5.1 -- a real one, not a fake update from the spy software developer.
"A man-in-the-middle attacker may offer software that appears to originate from Apple," the update listed on Apple's site states. "The issue has been mitigated by using a secured connection when checking for available updates." In other words, the iTunes vulnerability appears to have been eliminated.
© SPIEGEL ONLINE 2011