Last week I was contacted by an agent of Mobily, one of two telecoms operating in Saudi Arabia, about a surveillance project that they’re working on in that country. Having published two reasonably popular MITM tools, it’s not uncommon for me to get emails requesting that I help people with their interception projects. I typically don’t respond, but this one (an email titled “Solution for monitoring encrypted data on telecom”) caught my eye.
I was interested to know more about what they were up to, so I wrote back and asked. After a week of correspondence, I learned that they are organizing a program to intercept mobile application data, with specific interest in monitoring:
- Mobile Twitter
I was told that the project is being managed by Yasser D. Alruhaily, Executive Manager of the Network & Information Security Department at Mobily. The project’s requirements come from “the regulator” (which I assume means the government of Saudi Arabia). The requirements are the ability to both monitor and block mobile data communication, and apparently they already have blocking setup. Here’s a sample snippet from one email:
From: Yasser Alruhaily <…….. .. .@mobily.com.sa>
Date: Thursday, May 2, 2013 1:04 PM
Subject: Re: As discussed last day .further discussion
we are working on defining a way to deal with all such requirements from the regulator and it is not only for WhatsApp, it is for WhatsApp, Line, Viber, Twitter etc.
So, what we need your support in is the following:
- Is there any technical way that allows for interception of this traffic?
- Is there any company or vendor that could help us in this regard?
- Is there any telecom company that has implemented any solution or workaround?
One of the design documents that they volunteered specifically called out compelling a CA in the jurisdiction of the UAE or Saudi Arabia to produce SSL certificates that they could use for interception. A considerable portion of the document was also dedicated to a discussion of purchasing SSL vulnerabilities or other exploits as possibilities.
Their level of sophistication didn’t strike me as particularly impressive, and their existing design document was pretty confused in a number of places, but Mobily is a company with over 5 billion in revenue, so I’m sure that they’ll eventually figure something out.
What’s depressing is that I could have easily helped them intercept basically all of the traffic they were interested in (except for Twitter – I helped write that TLS code, and I think we did it well). They later told me they’d already gotten a WhatsApp interception prototype working, and were surprised by how easy it was. The bar for most of these apps is pretty low.
In The Name Of Terror
When they eventually asked me for a price quote, and I indicated that I wasn’t interested in the job for privacy reasons, they responded with this:
I know that already and I have the same thoughts as you about freedom and respecting privacy; actually Saudi has a big terrorist problem and they are misusing these services for spreading terrorism and contacting and spreading their cause, that’s why I took this and I seek your help. If you are not interested then maybe you are indirectly helping those who curb freedom with their brutal activities.
So privacy is cool, but the Saudi government just wants to monitor people’s tweets because… terrorism. The terror of the re-tweet.
But the real zinger is that, by not helping, I might also be a terrorist. Or an indirect terrorist, or something.
While this email is obviously absurd, it’s the same general logic that we will be confronted with over and over again: choose your team. Which would you prefer? Bombs or exploits. Terrorism or security. Us or them. As transparent as this logic might be, sometimes it doesn’t take much to convince oneself that the profitable choice is also the right choice.
If I absolutely have to frame my choices as an either-or, I’ll choose power vs. people.
Culture Over Time
I know that, even though I never signed a confidentiality agreement, and even though I simply asked questions without signaling that I wanted to participate, it’s still somewhat rude of me to publish details of correspondence with someone else.
I’m being rude by publishing this correspondence with Mobily, not only because it’s substantially more rude of them to be engaged in massive-scale eavesdropping of private communication, but because I think it’s part of a narrative that we need to consider. What Mobily is up to is what’s currently happening everywhere, and we can’t ignore that.
Over the past year there has been an ongoing debate in the security community about exploit sales. For the most part, the conversation has focused on legality and whether exploit sales should be regulated.
I think the more interesting question is about culture: what do we in the hacker community value and prioritize, and what is the type of behavior that we want to encourage?
Let’s take stock. One could make the case that the cultural origins of exploit sales are longstanding. Since at least the 90’s, there has been an underlying narrative within the hacker community of not “blowing up” or “killing” bugs. A tension against that discipline began with the transition from a “hacker community” to a “security industry,” and the unease created by that tension peaked in the early 2000’s, manifested most clearly by the infamous AntiSec movement.
Fundamentally, AntiSec tried to reposition the “White Hat” vs “Black Hat” debate by suggesting that there are no “White Hats,” only “Green Hats” – the color of money.
As someone who also regretted what money had done to the hacker community, I was largely sympathetic with AntiSec. If I’m really honest with myself, though, my interest in the preservation of 0day was also because there was something fun about an insecure internet at the time, particularly since that insecurity predominantly tended to be leveraged by a class of people that I generally liked against a class of people that I generally disliked.
In short, there was something about not publishing 0day that signaled affiliation with the “hacker community” rather than the “security industry.”
The Situation Today
In many ways, it’s possible that we’re still largely operating based on those original dynamics. Somewhere between then and now, however, there was an inflection point. It’s hard to say exactly when it happened, but these days, the insecurity of the internet is now more predominantly leveraged by people that I dislike against people that I like. More often than not, that’s by governments against people.
Simultaneously, the tension between “0day” vs “publish” has largely transformed into “sell secretly” vs “publish.” In a sense, the AntiSec narrative has undergone a full inversion: this time, there are no “Black Hats” anymore, only “Green Hats” – the color of money.
There are still outliers, such as Anonymous (to the extent that it’s possible to be sympathetic with an unguided missile), but what’s most significant about their contribution is that they’re not using 0day at all.
Forgetting the question of legality, I hope that we can collectively look at this changing dynamic and perhaps re-evaluate what we culturally reward. I’d much rather think about the question of exploit sales in terms of who we welcome to our conferences, who we choose to associate with, and who we choose to exclude, than in terms of legal regulations. I think the contextual shift we’ve seen over the past few years requires that we think critically about what’s still cool and what’s not.
Maybe this is an unpopular opinion and the bulk of the community is totally fine with how things have gone (after all, it is profitable). There are even explicitly patriotic hackers who suggest that their exploit sales are necessary for the good of the nation, seeing themselves as protagonists in a global struggle for the defense of freedom, but having nothing to do with these ugly situations in Saudi Arabia. Once exploits are sold to US defense contractors, however, it’s very possible they could end up delivered directly to the Saudis, where it would take some even more substantial handwaving to think that they’ll serve in some liberatory way.
For me at least, these changes have likely influenced what I choose to publish rather than hold, and have probably caused me to spend more time attempting to develop solutions for secure communication than the type of work I was doing before.
Really, it’s no shock that Saudi Arabia is working on this, but it is interesting to get fairly direct evidence that it’s happening. More to the point, if you’re in Saudi Arabia (or really anywhere), it might be prudent to think about avoiding insecure communication tools like WhatsApp and Viber (TextSecure and RedPhone could serve as appropriate secure replacements), because now we know for sure that they’re watching.
For the rest of us, I hope we can talk about what we can do to stop those who are determined to make this a reality, as well as the ways that we’re already inadvertently a part of that reality’s making.