Hacking, Fate-Sharing and Going Dark

By Nicholas Weaver
Friday, July 28, 2017, 4:41 PM

It is with deliberate contempt that I describe vendors of “lawful” interception malcode such as Hacking Team, FinFisher, and NSO Group as subscribing to the “Wernher von Braun School of Rocketry”. They claim that selling exclusively to governments frees them from responsibility for how the tools are misused, on the assumption that every state customer abides by the laws of its own jurisdiction. But tool misuse by state actors has implications beyond any particular jurisdiction. That is in part because of negative “fate-sharing”: the legitimate investigations of some states and agencies can be compromised by the actual, or even merely potential, misuse of the same tools by other licensed customers.

Google’s recently announced takedown of the “Lipizzan” Android malware illustrates this principle in action. The company detected a new piece of spyware that initially spread as fake applications in the Google Play store. Having detected it, Google used its own tools to automatically remove the spyware from every infected Android phone. Google also disclosed some weak attribution suggesting that this was “lawful intercept” malcode written by Equus, a previously little-known Israeli startup.

We have no way of knowing which of the 100 removed installations represented abusive use, which represented testing, and which disrupted significant ongoing investigations. Google absolutely did the right thing by disabling this malware, but the potential collateral damage is significant and highlights the limitations of hacking as a means of accessing otherwise inaccessible communications.

This introduces a particular problem for law enforcement. If law enforcement relies on the same tools used by repressive regimes, its ongoing investigations can be compromised by the actions of those regimes. For example, when the UAE was caught attacking Ahmed Mansoor with NSO Group spyware, the exposure potentially compromised an unknown number of other investigations relying on the same tools. And given the shady nature of these companies, it made perfect sense for Google to take down the Lipizzan malcode wherever it found it, regardless of who was operating it.

This isn’t to discourage law enforcement from hacking in accordance with the appropriate judicial safeguards. I still think it is the best option available for investigations where prospective content is essential in the face of modern secure communication. But it is important to remember that hacking tools can be particularly brittle, and tools that are also used by less reputable actors can be significantly more brittle still.