Soghoian on government surveillance through service update process

Chris Soghoian, principal technologist with the American Civil Liberties Union, explained that government surveillance could exploit service update process.

Chris Soghoian, principal technologist with the American Civil Liberties Union, during the recent TrustyCon conference highlighted the possibility that the government will exploit automated update services to serve malware and spy on users. Is this the next surveillance frontiers?

Instead to exploit consolidated techniques like phishing and watering hole, intelligence agencies and law enforcement could use application updates to deliver malware on victims’ systems.

“The FBI is in the hacking business. The FBI is in the malware business,” “The FBI may need more than these two tools to deliver malware. They may need something else and this is where my concern is. This is where we are going and why I’m so worried about trust.” Soghoian said. 

Soghoian remarked that there are a couple of crucial issues to consider, governments could potentially use update service offered by almost every software provider for its products, but a serious side effect could be the loss of the trust users have in the services.

Without installing updates users will be vulnerable to cyber attacks, identity theft and other criminal activities.

“There are really sound security reasons why we want automatic security updates. If consumers have to do work to get updates, they won’t, and they will stay vulnerable,” “What that means though is giving companies root on our computers—and we really don’t know what’s in the code after fact. This is a point of leverage the government can use. We have no evidence they are using it right now, but these companies have a position of power over our devices that is unparalleled.” Soghoian said. 

The update process for Microsoft applications was already exploited for state-sponsored attacks, for example, in the case of Flame spyware when attackers used a sophisticated “collision attack” to forge a Microsoft digital certificate.

Cryptographic hash algorithms theoretically provide a unique result for each input, but attackers succeeded to generate the same hash as outputs for two different inputs (collision). MD5 and SHA-1 are vulnerable to collisions, this means that “SSL certificates, like the one that the Flame attackers forged to sign the malware, use digital signatures, which can be vulnerable to hash collisions.” as reported by Microsoft.

“The Flame malware used a cryptographic collision attack in combination with the terminal server licensing service certificates to sign code as if it came from Microsoft. However, code-signing without performing a collision is also possible. This is an avenue for compromise that may be used by additional attackers on customers not originally the focus of the Flame malware. In all cases, Windows Update can only be spoofed with an unauthorized certificate combined with a man-in-the-middle attack,” Mike Reavey of the Microsoft Security Response Center, said.

Soghoian fears the historical relationship between law enforcement with telecommunications providers, it must be also considered that principal service providers like Facebook, Google and Microsoft have always supported government investigations.

Soghoian cautioned that the government could take advantage of existing features in large consume solutions, he mentioned a rescue feature implemented for Google Android phone locks where if a user fails on their pattern to unlock their phone, Android anyway give the possibility to unlock the deviceSoghoian confirmed that the US Government has requested to Google the password resets for specific handsets in order to access their accounts or devices.

Soghoian also proposed the case of FBI general counsel Valerie Caproni that in 2010 warned Congress of the “Going Dark” problem, illustrating how the wiretapping capabilities were being reduced with the progress of technology.  Caproni singled out “Web-based e-mail, social-networking sites, and peer-to-peer communications” as problems that have left the FBI “increasingly unable” to conduct the same kind of wiretapping it could in the past.

“Going Dark” is the FBI’s codename for its project to extend its ability to real time wiretap communications, it is born inside the bureau, employing 107 full-time expert starting from 2009.

But it is considered more serious the introduction of intentional flaws in products to allow wiretapping, let’s remind the revelation made by Snowden on the case of RSA product, the whistleblower described the presence of allegedly encryption backdoor inserted by RSA in the BSafe software.

In similar way Skype served with a directive from the Attorney General to modify its end-to-end encryption capabilities in order to give the FBI the capability to snoop encrypted communication, and Apple allowed the access to the user’s handset.

The unique actors that could prevent surveillance through product updates are the same service providers, let’s hope the companies refuse government interferences and requests.

“I would hope Google would fight that type of order all the way to the Supreme Court. The same goes for Apple and Microsoft and others,”  “I hope the companies we depend on and trust would fight.” said Soghoian

Pierluigi Paganini

(Security Affairs –  Surveillance, Soghoian)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Burnout in SOCs: How AI Can Help Analysts Focus on High-Value Tasks<gwmw style="display:none;"></gwmw>

SOC analysts, vital to cybersecurity, face burnout due to exhausting workloads, risking their well-being and…

8 hours ago

Operation Destabilise dismantled Russian money laundering networks

Operation Destabilise: The U.K. National Crime Agency disrupted Russian money laundering networks tied to organized…

8 hours ago

Russia-linked APT Secret Blizzard spotted using infrastructure of other threat actors

Russia-linked APT group Secret Blizzard has used the tools and infrastructure of at least 6…

14 hours ago

China-linked APT Salt Typhoon has breached telcos in dozens of countries

China-linked APT group Salt Typhoon has breached telecommunications companies in dozens of countries, US govt…

15 hours ago

Black Basta ransomware gang hit BT Group<gwmw style="display:none;"></gwmw>

BT Group (formerly British Telecom)'s Conferencing division shut down some of its servers following a…

1 day ago

Authorities shut down Crimenetwork, the Germany’s largest crime marketplace

Germany's largest crime marketplace, Crimenetwork, has been shut down, and an administrator has been arrested.…

1 day ago

This website uses cookies.