Law enforcement and military organisations are driving the industrialisation of hacking tools and services, according to vulnerability assessment and IT security consultancy SensePost.
Organisations such as Zerodium and the Hacking Team provide reliable and repeatable ways to compromise systems and devices, said Charl van der Walt, chief strategy officer at SensePost.
“They give customers a reliable and scalable way to compromise things that would take expert hackers months to achieve,” he told attendees of Security Focuses 2015 in London.
Zerodium is known to buy zero-day exploits and recently awarded $1m to security researchers who met its challenge of finding a way to jailbreak Apple’s latest iOS 9 mobile operating system remotely.
The brief was to deliver an exclusive, browser-based and untethered jailbreak for iOS 9 that allows a “remote, privileged and persistent installation of an arbitrary app on a fully updated device.”
The attack had to be “unknown, unpublished and unreported”, work on a range of devices – including iPhones, iPad Airs and iPad Minis – and had to be able to bypass iOS security controls, including ASLR, sandboxes and the bootchain.
In addition, the initial vector had to be deliverable through a webpage targeting the mobile browser or an application reachable through the browser, or through a text or multimedia file delivered via SMS or MMS.
“The buyers of such attacks are military and police organisations that are willing to pay to enable taskforces to get into iOS 9 devices,” said Van der Walt.
This is leading to the industrialisation of such attacks, which he said is driving up residual risk that is impossible to mitigate.
Van der Walt urged information security professionals to engage the courts on how cyber weapons and other cyber tools are controlled.
“There needs to be discussion around balancing the need of security forces to use such tools and the need for information security professionals to understand the threats,” he said.
In the absence of such understanding, Van der Walt said, organisations can only assess the risks without knowing the full extent of the threat, put in place protections to drive down the known risk, detect attacks when they happen, and respond quickly to shut them down.
Van der Walt’s comments come just days after the UK government published its draft Investigatory Powers Bill, aimed at increasing police and security surveillance powers.
The draft bill makes explicit provision for all of the powers available to the security and intelligence agencies to acquire data in bulk. It also includes a provision for communications service providers to retain records of which websites internet users have visited, and to provide access to their equipment for accessing communications under equipment interference warrants, which will need to be authorised by a judicial commissioner.
Van der Walt’s comments also coincide with claims by the anonymity network Tor that researchers at Carnegie Mellon University in the US were paid by the FBI to launch an attack on the Tor network.
Tor, which enables the dark web that cannot be reached by traditional search engines and is often used to hide illegal activities, claimed that the FBI was “outsourcing police work” and paid the university “at least $1m”, reports the BBC.
There are sites on the Tor network that offer legitimate content, services and goods, but it is also used for criminal activities such as the sale of drugs and images of child abuse.
In late 2014, a joint US and European operation took down dozens of Tor sites, including the Silk Road 2, which was one of the world’s largest online drug-selling sites.
It is this operation the Tor Project is claiming was undertaken by researchers at Carnegie Mellon. “This attack sets a troubling precedent,” the Tor Project wrote in a blog post.
“Civil liberties are under attack if law enforcement believes it can circumvent the rules of evidence by outsourcing police work to universities. If academia uses ‘research’ as a stalking horse for privacy invasion, the entire enterprise of security research will fall into disrepute,” the Tor Project said.
The main concern is that there is no indication that the researchers had a warrant or any institutional oversight by Carnegie Mellon’s Institutional Review Board.
The Tor Project said it is unlikely that there was a valid warrant because the attack was not narrowly tailored to target criminals or criminal activity, but instead appears to have “indiscriminately” targeted many users at once.
“We teach law enforcement agents that they can use Tor to do their investigations ethically, and we support such use of Tor – but the mere veneer of a law enforcement investigation cannot justify wholesale invasion of people’s privacy,” the Tor Project said.