The hack that took down a global spyware vendor

At the end of last month, Hacking Team seemed untouchable. The company occupied a controversial niche in the security space, contracting out surveillance software to law enforcement agencies around the world. If your phone got stuck with a wiretapping implant, there's a good chance it came from them. That made them notorious among the security community — they were exploiting the same flaws that coders were working to close — but their law enforcement ties made them hard to prosecute. They only sold to police and governments, even if the governments were some of the most corrupt and repressive in the world. When researchers caught them spying on journalists in Ethiopia, the fallout was minimal at best. There was every indication they could keep this going forever.

Now, the whole company seems to be on the cusp of toppling over. Sunday night, attackers compromised Hacking Team’s internal system and released 400 gigabytes of data in an open torrent, containing everything from email archives to one unlucky soul's email encryption key. The fallout has been immediate, resulting in a full shutdown of the company's services until the damage can be contained, halting programs everywhere from Russian intelligence to the South Korean army. But the long-term effects may be even more profound. One of the world’s most prominent spyware vendors has been stopped in its tracks, and a company that thrived on secrets now has almost none of them left.

The biggest problem is a technical one: surveillance implants only work if people can't find them. But the dumped data includes detailed source code for Hacking Team's products, which will make them much easier to find in the future. Researchers can use that source code to build anti-virus signatures, or flag traffic coming from Hacking Team servers. Hacking Team held legitimate developer credentials for iOS and other ecosystems, which can also be used for monitoring.

One anonymous researcher even uploaded the code to a public GitHub page where like-minded coders could piece through it together. "I'm interested in keeping the source code, exploits and Hacking Team's actions as visible as possible," he said. (The GitHub page was shut down within 24 hours of launch, but has since been restored.) It's going to take a lot of work, but without the leak, the project wouldn't have been possible at all.

The open code also means software companies can start patching the holes that let Hacking Team break through in the first place. Companies like Hacking Team typically exploit undisclosed vulnerabilities in software — also known as "zero-days," so named because software companies have had zero days’ notice to fix the flaws — to ensure that an implant can be reliably installed without the user catching on. Releasing the source code means those valuable vulnerabilities are now up for grabs. Browser vendors are already offering cash for any undisclosed vulnerabilities contained in the leak, and similar vulnerabilities are likely to pop up for Android, BlackBerry, and other phones. Once they're discovered, they'll be patched, and Hacking Team will be left to start over.

Once the technical damage is fixed, the political fallout could be even harder to overcome. Before the leak, Hacking Team critics could only link Hacking Team to its clients with technical evidence, and the company could always claim the country was using the software without company permission. Even then, researchers could only track down a fraction of the countries that Hacking Team was working with. Thanks to the leak, there's a full list, with the FBI, DEA, and Australian police alongside heavily sanctioned countries like Bahrain, Ethiopia, and Sudan. In Sudan's case, there's hard documentation of the deal alongside official denials to the UN that Hacking Team ever worked with the country. It's damning, and enough to drum up the kind of international backlash that research groups like Citizen Lab have been working towards for years.

The result is one of the most politically effective hacks we've seen, worlds more effective than the Sony Pictures circus. WikiLeaks has focused on spyware vendors like Hacking Team for years as part of its Spy Files series, but the group has never come up with anything as damning and immediately impactful as this. Hacking Team may still recover from the attack, coming back with new source code and a fresh company name, but it will take serious effort and not a little luck. For the first time, the company may be outgunned by its critics.

The broader implications are harder to predict. Customs bureaus around the world are already implementing controversial export rules that target companies like Hacking Team, and the leaks may give more strength to the new rules. US agencies like the FBI may have to dial back their surveillance rules, now that they’ve been unmasked as Hacking Team customers. But the strangest takeaway may be the reaffirmed power of the anonymous leaker who smuggled out all the data in the first place. This wasn’t a whistleblower like Snowden or a garden-variety mischief maker — what little we know points to a freelance troublemaker who had already scored smaller hits on FinFisher. This was just a committed attacker who believed that noble ends justified some digital breaking and entering. As we’ve seen in the past two days, that’s a powerful force, and it won’t get less powerful any time soon.