Chris Soghoian, principal technologist with the American Civil Liberties Union, used his talk at the recent TrustyCon conference to highlight the possibility that governments will exploit automatic update services to serve malware and spy on users. Is this the next surveillance frontier?
Instead of relying on established techniques such as phishing and watering-hole attacks, intelligence agencies and law enforcement could use application updates to deliver malware to victims' systems.
“The FBI is in the hacking business. The FBI is in the malware business,” Soghoian said. “The FBI may need more than these two tools to deliver malware. They may need something else and this is where my concern is. This is where we are going and why I’m so worried about trust.”
Soghoian remarked that there are two crucial issues to consider: governments could potentially abuse the update service that almost every software vendor offers for its products, and a serious side effect would be that users lose trust in those services.
Yet without installing updates, users remain exposed to cyber attacks, identity theft and other criminal activity.
“There are really sound security reasons why we want automatic security updates. If consumers have to do work to get updates, they won’t, and they will stay vulnerable,” Soghoian said. “What that means though is giving companies root on our computers—and we really don’t know what’s in the code after fact. This is a point of leverage the government can use. We have no evidence they are using it right now, but these companies have a position of power over our devices that is unparalleled.”
The update process for Microsoft products has already been exploited in a state-sponsored attack: the operators of the Flame spyware used a sophisticated “collision attack” to forge a Microsoft digital certificate.
Cryptographic hash algorithms are designed so that, in practice, no two inputs produce the same result, but the attackers succeeded in generating the same hash for two different inputs (a collision). MD5 and SHA-1 are vulnerable to collisions, which means that, as Microsoft reported, “SSL certificates, like the one that the Flame attackers forged to sign the malware, use digital signatures, which can be vulnerable to hash collisions.”
“The Flame malware used a cryptographic collision attack in combination with the terminal server licensing service certificates to sign code as if it came from Microsoft. However, code-signing without performing a collision is also possible. This is an avenue for compromise that may be used by additional attackers on customers not originally the focus of the Flame malware. In all cases, Windows Update can only be spoofed with an unauthorized certificate combined with a man-in-the-middle attack,” said Mike Reavey of the Microsoft Security Response Center.
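As an added example (not code from the article, from Microsoft or from Soghoian), the following Go program sketches the two defensive checks that Reavey's statement implies: an updater that verifies every package against a vendor public key pinned at install time, so that a man-in-the-middle on the update channel who lacks the vendor's private key can neither substitute a payload nor replay an older, validly signed version; and a policy function that refuses certificate signature algorithms built on collision-prone hashes such as the MD5 that the Flame forgery exploited. The SignedUpdate structure, the manifest layout and the fixed key seed are assumptions made for this example; the x509.SignatureAlgorithm constants are Go's standard library.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
	"fmt"
)

// SignedUpdate is a hypothetical update package (an assumption for this
// example): a monotonically increasing version, the payload bytes, and an
// Ed25519 signature by the vendor over (version || SHA-256(payload)).
type SignedUpdate struct {
	Version   uint64
	Payload   []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("update: signature does not verify against the pinned vendor key")
	ErrRollback     = errors.New("update: version is not newer than the installed version")
)

// manifest returns the bytes that are signed: the version (big-endian)
// followed by the SHA-256 digest of the payload, so a change to either
// invalidates the signature.
func manifest(version uint64, payload []byte) []byte {
	sum := sha256.Sum256(payload)
	buf := make([]byte, 8, 8+len(sum))
	binary.BigEndian.PutUint64(buf, version)
	return append(buf, sum[:]...)
}

// SignUpdate is the vendor side, included only so the example is self-contained.
func SignUpdate(priv ed25519.PrivateKey, version uint64, payload []byte) SignedUpdate {
	return SignedUpdate{
		Version:   version,
		Payload:   append([]byte(nil), payload...),
		Signature: ed25519.Sign(priv, manifest(version, payload)),
	}
}

// VerifyUpdate is the client side. It trusts only the key pinned at install
// time, so an attacker who controls the network but not the vendor's private
// key cannot substitute a payload, and an older but validly signed update is
// refused (anti-rollback).
func VerifyUpdate(pinned ed25519.PublicKey, installed uint64, u SignedUpdate) error {
	if !ed25519.Verify(pinned, manifest(u.Version, u.Payload), u.Signature) {
		return ErrBadSignature
	}
	if u.Version <= installed {
		return ErrRollback
	}
	return nil
}

// WeakSignatureAlgorithm reports whether a certificate's signature algorithm
// rests on a hash with practical collision attacks; a code-signing policy
// should reject such certificates outright.
func WeakSignatureAlgorithm(alg x509.SignatureAlgorithm) bool {
	switch alg {
	case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA,
		x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		return true
	}
	return false
}

// TestKeyPair derives a fixed key pair from a constructed seed so the example
// runs offline. A real updater pins only the public half; the private key
// stays with the vendor.
func TestKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize) // constructed, not a real key
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := TestKeyPair()
	good := SignUpdate(priv, 2, []byte("installer v2"))
	fmt.Println("genuine update:", VerifyUpdate(pub, 1, good))

	tampered := good // what a MITM would hand the client
	tampered.Payload = []byte("installer v2 + implant")
	fmt.Println("tampered payload:", VerifyUpdate(pub, 1, tampered))

	fmt.Println("replayed old version:", VerifyUpdate(pub, 2, good))
	fmt.Println("MD5WithRSA is weak:", WeakSignatureAlgorithm(x509.MD5WithRSA))
}
```

The signature covers the version as well as the payload digest, which is what stops a network attacker from replaying a genuinely signed but superseded (and perhaps vulnerable) release; the weak-algorithm check belongs in the same policy, since a forged certificate chain, as in the Flame case, is only useful to an attacker if the client is still willing to accept MD5-signed certificates.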
Soghoian is worried by the long-standing relationship between law enforcement and telecommunications providers; it must also be considered that major service providers such as Facebook, Google and Microsoft have always supported government investigations.
Soghoian cautioned that the government could take advantage of existing features in widely used consumer products. He mentioned a recovery feature of the Google Android pattern lock: if a user repeatedly fails to draw the unlock pattern, Android still offers a way to unlock the device. Soghoian confirmed that the US Government has asked Google for password resets on specific handsets in order to gain access to the associated accounts or devices.
Soghoian also cited the case of FBI general counsel Valerie Caproni, who in 2010 warned Congress of the “Going Dark” problem, describing how the bureau's wiretapping capabilities were being eroded by advances in technology. Caproni singled out “Web-based e-mail, social-networking sites, and peer-to-peer communications” as problems that have left the FBI “increasingly unable” to conduct the same kind of wiretapping it could in the past.
“Going Dark” is the FBI’s codename for its project to extend its ability to wiretap communications in real time; the project was born inside the bureau and has employed 107 full-time experts since 2009.
Considered more serious still is the introduction of intentional flaws in products to allow wiretapping; recall the revelations made by Snowden about an RSA product, in which the whistleblower described an alleged encryption backdoor inserted by RSA in the BSafe software.
In a similar way, Skype was served with a directive from the Attorney General to modify its end-to-end encryption capabilities in order to give the FBI the ability to snoop on encrypted communications, and Apple allowed access to users’ handsets.
The only actors that could prevent surveillance through product updates are the service providers themselves; let’s hope the companies refuse government interference and requests.
“I would hope Google would fight that type of order all the way to the Supreme Court. The same goes for Apple and Microsoft and others,” Soghoian said. “I hope the companies we depend on and trust would fight.”
(Security Affairs – Surveillance, Soghoian)