Hacking Team breach focuses attention on merchants of spyware
The intrusion at Italian security software firm Hacking Team, and the subsequent release of over 400 gigabytes of the company’s data, has focused new attention on the often shadowy world of firms selling sophisticated surveillance tools to government and law enforcement agencies, including those with dubious human rights records.
Hacking Team is one of several companies that have been in the spotlight over the past few years for selling spyware tools that many say have been used to conduct surveillance on ordinary citizens, journalists, and rights activists around the world. Earlier this week, unknown hackers broke into Hacking Team's network and looted executive e-mails, customer lists, and proprietary software from its systems in an astounding heist.
The leaked documents show its customers have included countries such as Sudan, Morocco, Saudi Arabia, and US agencies such as the FBI.
In 2013, Reporters Without Borders labeled the firm a corporate enemy of the Internet for selling hacking products to governments that violate human rights. But Hacking Team is not alone. Other so-called Digital Era mercenaries identified by Reporters Without Borders include UK-based Gamma Group International, Trovicor of Germany, Amesys of France, and Blue Coat of the US. What's more, according to the watchdog group, its list is by no means exhaustive.
Most of these vendors are based in Western nations and their products are being used by governments around the world to spy on data in computer hard disks, recover usernames and passwords, access messaging content, and monitor conversations taking place on voice over Internet protocol services.
“In the hands of authoritarian regimes, it can be turned into formidable censorship and surveillance weapons against human rights defenders and independent news providers,” according to Reporters Without Borders.
In a statement, Hacking Team said enough of its source code had been publicly posted by the hackers to allow anyone to deploy the company's surveillance tools against targets of their choice.
"Before the attack, Hacking Team could control who had access to the technology which was sold exclusively to governments and government agencies," the company said. "Now, because of the work of criminals, that ability to control who uses the technology has been lost."
For the moment at least, all of Hacking Team's customers have suspended use of the Remote Control System tool that was compromised in the breach, the statement said. But Hacking Team engineers are working to update the software so customers will be able to start using it again soon.
In the post-Edward Snowden era, the activities of firms such as these have stirred considerable outrage among privacy and rights advocates. But there are few publicly available facts about these companies, such as the revenues they are generating from sales, who they are selling to, their profitability, and the overall size of the market opportunity.
Data leaked in the Hacking Team breach showed that at least some of the company’s customers paid or are paying in the middle to high six figures for its products. But it's unclear how those numbers compare with those of other vendors of similar products.
The leaked details about Hacking Team’s operations are sure to fuel calls for stronger controls on the export and sale of hacking tools by software vendors. Growing concerns over the issue have already prompted changes in a multinational, multilateral export control regime called the Wassenaar Arrangement, to which the US is a signatory.
The pact is designed to establish greater transparency and control over the export and transfer of certain weapons and dual-use technologies. It was amended in 2013 to include controls for surveillance software of the sort sold by Hacking Team and others.
The European Union has agreed to implement the amendments, so tools such as those sold by Hacking Team are subject to stricter licensing restrictions. As an EU-based entity, Hacking Team is bound by these rules and the company could run into serious trouble if it is found to have deliberately flouted the law.
But more action is needed, especially in the US, where there is some concern over how the software subject to export restrictions will be defined, says Edin Omanovic, research officer at Privacy International in London. The EU, for example, exempts all software that is in the public domain from export restrictions. But the US has proposed taking away that exemption in the case of some software tools, such as intrusion software.
As a result, there are broad and growing concerns that software used for legitimate security research purposes, such as penetration testing, will come under new export controls, Mr. Omanovic says.
The Department of Commerce’s proposed implementation of the changes to the Wassenaar Arrangement uses an overly broad description of the tools that need to come under export control, says the Electronic Frontier Foundation.
As proposed, the Commerce Department’s list of controlled technologies includes systems and software that can be used to conduct legitimate penetration tests for identifying hardware and software vulnerabilities. Many of the tools that vulnerability researchers routinely use to develop proof-of-concept attacks and exploits would be controlled, and there would be new restrictions on how and what vulnerability research could be shared, the EFF notes.
A better approach would be to eschew sanctions and export control altogether, says Nate Cardozo, staff attorney at EFF.
"When companies turn a blind eye, there are already legal tools available to hold them accountable without increasing the export control load," Mr. Cardozo says. If Hacking Team for instance sold surveillance tools to Sudan, the company can already be held accountable under existing laws, he said.
Hacking Team describes its interception products as “offensive technology” for government agencies and law enforcement authorities. Among other things, the company’s tools can be used to stealthily monitor systems, remotely activate computer microphones and cameras, and get around measures like encryption that people might use to protect their data and communications. The company has claimed that it has discretion in how its technology is used by customers and has previously insisted that it never sells to governments that are blacklisted by the US or the EU.
The leaked documents, however, suggest otherwise and show that Hacking Team’s clients may have included the government of Sudan, a country under heavy United Nations sanctions. In several tweets following the intrusion at the company, Hacking Team employee Christian Pozzi insisted that the leaked documents revealed little more than the sale of custom security software for its clients.
But to many within the security community, the Hacking Team data dump offered a clear denouement of its practices. What they are doing, says Bruce Schneier, noted security expert and chief technology officer of Resilient Systems, "is like selling shock batons to South Africa in the 1980s."