When we recently wrote about Google starting to make use of SSL for search rankings, one of our commenters noted that not every site really “needs” HTTPS. While I used to agree, I’ve been increasingly leaning in the other direction, and I may have been pushed over the edge entirely by a new research report from the Citizen Lab by Morgan Marquis-Boire (perhaps better known as Morgan Mayhem), entitled Schrodinger’s Cat Video and the Death of Clear-Text. He’s also written about it at the Intercept (where he now works), explaining how watching a cat video on YouTube could get you hacked (though not any more).
The key point was this: companies producing so-called “lawful intercept” technology, generally (but not always) sold to governments and law enforcement agencies, had built hacking tools that exploit non-SSL’d sites through a basic man-in-the-middle attack to compromise targeted computers.
Companies such as Hacking Team and FinFisher sell devices called “network injection appliances.” These are racks of physical machines deployed inside internet service providers around the world, which allow for the simple exploitation of targets. In order to do this, they inject malicious content into people’s everyday internet browsing traffic. One way that Hacking Team accomplishes this is by taking advantage of unencrypted YouTube video streams to compromise users. The Hacking Team device targets a user, waits for that user to watch a YouTube clip like the one above, and intercepts that traffic and replaces it with malicious code that gives the operator total control over the target’s computer without his or her knowledge. The machine also exploits Microsoft’s login.live.com web site in the same manner.
Fortunately for their users, both Google and Microsoft were responsive when alerted that commercial tools were being used to exploit their services, and have taken steps to close the vulnerability by encrypting all targeted traffic. There are, however, many other vectors for companies like Hacking Team and FinFisher to exploit.
I’d bet pretty good money that both of these companies also target some popular ad networks. For reasons that are still beyond me, many large ad networks still refuse to support SSL, which is also why so few media sites support it: to serve a site over SSL, you have to drop most ad networks. Between ad networks and popular media sites, there are likely plenty of opportunities for network injection.
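To make the point concrete from the site operator’s side, here is an added example (my own, not code from the Citizen Lab report or the Intercept article) that audits an HTML page for exactly the kind of resource a network injection appliance can tamper with: anything the browser fetches over plain HTTP. It distinguishes “active” content (scripts, iframes, objects), where a swapped response runs code in the page, from “passive” content (images, stylesheets), and it also checks whether a response carries a working HSTS header, since without HSTS a user’s first bare-hostname request is still cleartext. The page URL, HTML and header values are constructed samples, not real sites.

```python
"""Audit an HTML page for resources fetched over plain HTTP, i.e. the
requests a network-injection appliance sitting inside an ISP can rewrite.

Added example, not from the Citizen Lab report or the Intercept article.
The page URL, HTML and header values below are constructed samples.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose fetched content runs in the page's context. Replacing one of
# these responses in transit hands the attacker script execution in the
# browser, which is the scenario described for unencrypted video embeds.
ACTIVE_TAGS = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
# Tags whose content is only rendered; injection here is limited to swapping
# what the user sees, which is still a tracking/phishing concern.
PASSIVE_TAGS = {"img": "src", "video": "src", "audio": "src",
                "source": "src", "link": "href"}


class _ResourceCollector(HTMLParser):
    """Collect (tag, url) pairs for every externally loaded resource."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr_name = ACTIVE_TAGS.get(tag) or PASSIVE_TAGS.get(tag)
        if attr_name is None:
            return
        for name, value in attrs:
            if name == attr_name and value:
                self.resources.append((tag, value.strip()))


def find_cleartext_resources(page_url, html):
    """Return [(severity, tag, absolute_url)] for each resource that would be
    fetched over plain HTTP when `html` is served from `page_url`.

    Relative and protocol-relative ("//host/path") URLs inherit the page's
    scheme, so they are only cleartext when the page itself is.
    """
    collector = _ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, raw in collector.resources:
        absolute = urljoin(page_url, raw)
        if urlsplit(absolute).scheme.lower() != "http":
            continue  # https:, data:, blob: are not rewritable on the wire
        severity = "active" if tag in ACTIVE_TAGS else "passive"
        findings.append((severity, tag, absolute))
    return findings


def hsts_enabled(response_headers):
    """True if the response pins future visits to HTTPS via HSTS with a
    positive max-age; max-age=0 or a missing header leaves the cleartext
    first request (the injection window) open."""
    for name, value in response_headers.items():
        if name.lower() != "strict-transport-security":
            continue
        for directive in value.split(";"):
            key, _, num = directive.strip().partition("=")
            if key.lower() == "max-age" and num.strip().isdigit():
                return int(num) > 0
    return False


# Constructed sample: an HTTPS media page that still pulls an ad network's
# script and an embedded player over plain HTTP (hostnames are placeholders).
SAMPLE_PAGE_URL = "https://news.example/article"
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="/static/site.css">
  <script src="https://cdn.example/jquery.js"></script>
  <script src="http://ads.example/tag.js"></script>
</head><body>
  <iframe src="http://video.example/embed/cat"></iframe>
  <img src="//images.example/logo.png">
  <img src="http://tracker.example/pixel.gif">
</body></html>
"""

if __name__ == "__main__":
    for severity, tag, url in find_cleartext_resources(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{severity:7} <{tag}> {url}")
    print("HSTS:", hsts_enabled({"Strict-Transport-Security": "max-age=31536000"}))
```

Run against the sample, the HTTPS page still yields two active findings (the ad tag and the video embed) and one passive one (the tracking pixel); serve the same HTML from an http:// URL and the relative stylesheet and protocol-relative logo become cleartext too. That second case is the “media site without SSL” situation above: once the page itself is plain HTTP, every resource on it is an injection point, not just the ones an ad network insists on.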
Provided that the attacker can persuade a sufficiently large carrier to install a network injection apparatus, they can be reasonably certain of the success of any attack. While an attacker would still need an exploit to escape from the context of the target’s browser, one of the browser plugins (such as Flash, Java, QuickTime, etc.) or similar is likely to provide a low-cost avenue for this. This type of capability obviates the need for spear-phishing or more clumsy attacks, provided the target is in the attacker’s domain of influence.
This type of approach also allows for the ‘tasking’ of a specific target. Rather than performing a manual operation, a target can be entered into the system which will wait for them to browse to an appropriate website and then perform the required injection of malicious code into their traffic stream. As such, this could be described as ‘hacking on easy mode’.
The key point made by the new report is not about the ideas behind network injection. That’s been well-known for a while, and the NSA’s and GCHQ’s “Quantum Insert” packet injection system has been talked about recently. The main revelation here is that there are commercial vendors selling this technology to all sorts of law enforcement folks, meaning that it’s probably widely used with little oversight or transparency. And that should be a pretty big concern:
These so-called “lawful intercept” products sold by Hacking Team and FinFisher can be purchased for as little as $1 million (or less) by law enforcement and governments around the world. They have been used against political targets including Bahrain Watch, citizen journalists Mamfakinch in Morocco, human rights activist Ahmed Mansoor in the UAE, and ESAT, a U.S.-based news service focusing on Ethiopia. Both Hacking Team and FinFisher claim that they only sell to governments, but recently leaked documents appear to show that FinFisher has sold to at least one private security company.
With all the attention on NSA/GCHQ surveillance, it’s good that people are recognizing just how powerful some of these tools are. But we ought to be quite concerned about how ordinary law enforcement around the globe is making use of these tools as well, often with much less oversight and even less accountability.