Surveillance

Bombshell Report About Americans Helping UAE Hack Phones Is a Warning Against Compromising Encryption

Hacking tools end up in the hands of some dangerous people. So, apparently, do our government hackers.

|

Encryption notification
Daniel127001 / Dreamstime.com

Reports of former U.S. intelligence officers helping the United Arab Emirates spy on journalists and government critics should inspire some serious introspection among Western government leaders who want to compromise citizen cybersecurity in the name of fighting crime and terrorism.

Reuters reported yesterday that a handful of former United States intelligence officers, including former National Security Agency (NSA) analysts, have been working for a clandestine team in the UAE to help the authoritarian government spy on its enemies and rivals. The targets included not just rival foreign government officials (like Qataris) but human rights activists critical of the government. The targets even included Americans.

"I am working for a foreign intelligence agency who is targeting U.S. persons," former NSA analyst Lori Stroud told Reuters. "I am officially the bad kind of spy." Stroud left the NSA in 2014—partly due to her role in recommending whistleblower Edward Snowden as a contractor to the NSA in 2013 and what ultimately followed—and went to work for the UAE.

She joined a program called Project Raven, which she initially thought would be defensive counterterrorism efforts intended to protect the UAE from hackers and threats. Then she very quickly learned otherwise. This was an aggressive program to infiltrate and hack the UAE's enemies.

Project Raven exploited a security flaw with iPhones that allowed them to install malware on it without the user knowing or even having to do anything. The tool, named Karma, didn't allow snooping on the calls themselves, but did allow hackers to collect photos and location information and harvest saved passwords.

It should not come as a surprise that the UAE is attempting to hack into the phones of dissidents and activists. Apple actually released an emergency update for its iPhones in 2016 because of malware tools the UAE had been using to try to breach the phone of a human rights advocate in the country.

The Reuters report provides us with another reason why voters should reject government calls to compromise cybersecurity in the name of fighting crime and terrorism.

To be specific, I'm referring to the constant insistence by government officials and law enforcement leaders that phones and online communication platforms and apps should have some sort of back door, or mechanism for the government to bypass encryption. In America, in the United Kingdom, and in Australia, we have political leaders and heads of law enforcement and intelligence operations insisting that tech companies must help them compromise security to keep criminals and terrorists from "going dark"—using encrypted communications to hide from surveillance.

Privacy experts and tech companies habitually warn these leaders that you cannot compromise cybersecurity in such a way that only the "right" people have access to the communications of only terrorists. Any key that can be used to bypass encryption is inevitably going to find its way into the wrong hands and be used against good people. These bad actors could be criminals looking to engage in identity theft or scams. Or they could be dangerous governments like the UAE looking to punish human rights activists with the help of American alumni of the NSA.

Somebody alert Australia's Parliament that their anti-encryption legislation could actually kill people.

NEXT: Virginia's Fairfax County Has Finally Decriminalized Keeping Hedgehogs as Pets

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. If you can’t trust the government who can you trust?

    1. Tony.

  2. Ain’t it funny that the United States, having thrown off the chains of monarchy and state religion centuries ago, now sells it’s soul propping up royal families wrapped in the cloak of theocracy?

    1. >>>chains of monarchy and state religion centuries ago

      now subversive

  3. I have a problem with the governments exploiting cybersecurity, but shouldn’t the government at least be able to override security in cases of terrorism or dangerous drug dealers or murderers or child molesters or celebrity nudes?

    1. Are you contemplating suicide-by-cop?

      1. Why would I chance some public union employee to do his job when I could just rely on a studded leather belt and Vietnamese hotel closet to take care of business?

        1. A true libertarian til the end..

    2. The government should be able to get a warrant for the devices and files within, and try tonde develop tools to crack the security for their own purposes. But you can’t give the government a back door that doesn’t go to lots of other people.

    3. What about murdered terrorist nudes?

  4. Reports of former U.S. intelligence officers helping the United Arab Emirates spy on journalists and government critics should inspire some serious introspection among Western government leaders who want to compromise citizen cybersecurity in the name of fighting crime and terrorism.

    Only as to how they let this information loose.

  5. The U.S. government isn’t satisfied with their own illegal wiretapping, they want all of our information and terrorism was always just an excuse.

  6. >>>”I am officially the bad kind of spy.” Stroud

    can we shoot her now?

  7. “Stroud left the NSA in 2014…”

    So one wonders how the Democrats will blame this on Trump. Probably post the “Americans spying for UAE” headline and leave out all the dates.

    1. Was she hired by GW Bush? Because they could go back to the classics.

  8. “The tool, named Karma, didn’t allow snooping on the calls themselves, but did allow hackers to collect photos and location information and harvest saved passwords.”

    Just as a head’s up to any human rights activists out there . . .

    If you have a password for important stuff, e.g., bank stuff, work stuff, tax stuff, family stuff, home address, plots to overthrow your authoritarian government and your coconspirators’ identities, etc., for goodness’ sake, don’t put a password like that on your phone.

    The only passwords that belong on your phone are passwords for your subscription to whatever website, magazine, or newspaper. If it’s important enough to worry about what would happen if someone else got to it, it’s important enough that you can until you get to a computer to access it.

    Additionally, and for all the same reasons, don’t do something crazy like use these password companies (like LastPass) that store your password information online. All those companies have experienced serious breaches. Passwords cannot be stored safely online.

    1. Good man, brother.

  9. I recommend checking out KeePassXC, which doesn’t store your passwords online. You can install a plug-in for your browser so that it will read the password database on your hard drive and automatically input your usernames and passwords for you, but that’s another point of vulnerability you don’t need. It takes three clicks to copy and paste your password. If your passwords are worth protecting, they’re worth the “hassle” of three measly clicks.

    There are things you can do to make your passwords even safer. You can use Qubes and run KeePassXC from a virtual machine that doesn’t have access to your network card, but that’s turning the dial up to 11. You can get to 8 or 9 on the dial by simply not putting passwords online or on your phone.

    You know who has access to the data on your phone? Google, Apple, your wireless company, your ISP, as well as anyone and everyone who’s worked for them since you bought your phone and signed up. And we haven’t even started talking about the NSA, fourteen eyes, or criminal organizations in Russia, North Korea, and elsewhere.

    Don’t trust people who aren’t smart enough to keep passwords off their phones with information that might get you dragged away by the secret police in the middle of the night.

    1. P.S. If the employees of Signal can’t tell who you’re communicating with, much less who you are, where you are, what you’re saying, etc., chances are the intelligence services have a hard time telling, too.

      “By design, Signal does not have a record of your contacts, social graph, conversation list, location, user avatar, user profile name, group memberships, group titles, or group avatars,” Joshua Lund, a Signal developer wrote. “The end-to-end encrypted contents of every message and voice/video call are protected by keys that are entirely inaccessible to us. In most cases now we don’t even have access to who is messaging whom.”

      http://arstechnica.com/tech-po…..rypto-ban/

    2. It takes three clicks to copy and paste your password. If your passwords are worth protecting, they’re worth the “hassle” of three measly clicks.

      By “cutting and pasting” your password, that means at some point they’re on a screen unencrypted. That’s a potential vulnerability. Plus, it’s in memory (clipboard) after the fact.

      If you’re Diane Reynolds just trying to keep low level snoopers out of your stuff, this is fine. If you’re a potential target for national intelligence agencies foreign or domestic, you need to think about tradecraft, or tradecraft-ey type activity.

      No security is perfect, of course, but one needs to think about how comfortable you are typing a password into a box in a browser if you really believe that the device you’re typing on is “compromised”.

      1. “By “cutting and pasting” your password, that means at some point they’re on a screen unencrypted. That’s a potential vulnerability. Plus, it’s in memory (clipboard) after the fact.”

        If you check out the program, you’ll find that when you highlight an entry, it shows part of your username, but it doesn’t show the password itself unless you go in and set it show the password. You can just highlight an entry, right click the entry, and copy it–all without the password ever showing up on your screen. You just see a series of dots where the password would be.

        As for the password sitting in your clipboard/memory, 1) it disappears from memory after you paste it, it doesn’t remain in memory for long and 2) I’m talking about doing this primarily from a desktop PC at home or even your own laptop you trust.

        Furthermore, KeyPassXC won’t open at all without my two-factor authentication method, which, in addition to a password, involves having access to a digital key (KeyPassXC can create for you)–which I keep in a USB drive on my physical key chain. It’s a hell of a lot easier to start my motorcycle or get in my front door without the keys than it is to a) get past the encryption on my hard drive and b) open my password program without the physical key chain that has my house key.

        1. BTW, Ken, thanks for pointing out Lavabit. I thought Lavabit had shut down, I didn’t realize it had started up again and I’m considering signing up.

          I’ll take a look at KeyPassXC.

        2. The only person who will ever see my passwords is me and the organization I’m using–be it a bank, a broker, an email service, a VPN, whatever. A hacker would have an easier time resetting my password than getting any of my passwords from my password program. It’s certainly much, much better than storing your passwords online.

          Like you said, no security is perfect, but storing your passwords online is a terrible way to keep them safe. Putting passwords on your phone is terrible, too. Those are places where your important passwords simply shouldn’t be. The people who are storing passwords on their phones that this ex-NSA lady is hacking–she can’t get passwords from your phone if your phone doesn’t have them.

          I hate to see people get complacent about this stuff because they feel hopeless. That’s how the authoritarians want us to feel. The fact is that you can make better choices and better protect yourself. That’s true empowerment. A smart human rights activist might even be able to communicate with others and avoid detection completely. Certainly, the first step is making sure you use reasonable precautions to protect your passwords from the likes of this ex-NSA lady.

          1. I’m reading and just downloaded KeePassXC which is pretty cool. Fumbling in the interface now. But help me understand, how can I access that password list universally. Ie, a lot of passwords I need may be at work, but I also need them on my phone. How does KeepassXC deal with that since it’s just a windows program. I found a KeePass for android, but without reading for an hour, I’m not sure how or if there’s interoperability.

            1. To get it from whatever format the passwords are in from work, you might export the passwords from your work program as a .csv file and then import them into KeePassXC as a .csv file.

              To move between two devices, I would copy the .kdbx file onto the new device and then open that with KeePassXC.

  10. “I am working for a foreign intelligence agency who is targeting U.S. persons,” former NSA analyst Lori Stroud told Reuters. “I am officially the bad kind of spy.”

    No you are a traitor. And I am left to wonder how much money the Russians paid this bitch to get Snowden inside the NSA.

    1. she thinks she’s finally cool or something? wtf

      1. I bet anything she is a good American Progressive in her politics. That is how she rationalizes spying on Americans and assisting a no shit authoritarian foreign government.

        1. bragging about it gets you bullets in the back of the head and a suicide diagnosis

    2. I don’t know about Snowden, and I don’t know that she got him on at the NSA knowing that he would go rogue, but if she’s still working for the secret police in UAE against Americans and/or American interests–and doing so with the full knowledge, now, that this is what she’s doing, then the charge of treason may be entirely apropos.

      All that being said, I’m not sure this is entirely unlike what the 14 eyes countries do.

      Denmark isn’t legally allowed to spy on its own citizens within its own borders, so we spy on the people of Denmark within Denmark for them while they spy on American citizens in the U.S. for us. Some American is collecting that information from Denmark, with the full knowledge that they’re facilitating spying on Americans.

      She may have been doing for the NSA what she’s doing in the UAE now. Someone at the NSA must be keeping track of the intelligence on specific Americans in 14 eyes countries even the NSA isn’t collecting it themselves. For all we know, the information she’s collecting may be ending up with the NSA.

      1. Denmark isn’t legally allowed to spy on its own citizens within its own borders, so we spy on the people of Denmark within Denmark for them while they spy on American citizens in the U.S. for us. Some American is collecting that information from Denmark, with the full knowledge that they’re facilitating spying on Americans.

        I will not speak to how it actually works but what you are describing is illegal as hell under US law. The US intelligence community cannot collect information on US persons. Collection means keeping and using the information not just actually collecting it in the conventional sense. Accepting it from Denmark counts as collecting it. Unless there is a foreign nexus or the collection is incidental to collection on foreign persons, the IC can’t legally collect information on US persons no matter what the original source.

        1. My understanding is that it’s supposed to be okay under the auspices of the UKUSA and various other agreements.

          http://en.wikipedia.org/wiki/Five_Eyes

          I am not familiar with the inner workings of the NSA, our intelligence services, or our international agreements to share intelligence, but if I were concerned about data privacy, I’d look for email providers and VPN services that aren’t located in any of the 14 eyes countries.

          1. We share intelligence all of the time. That is not illegal. But the contents of that intelligence that is shared has to be information that we are legally authorized to collect.

            1. Even if we were merely talking about, for example, Denmark spying on Americans in Denmark while the United States were spying on Danes in the U.S, wouldn’t we still be talking about Americans being spied on everywhere within those 14 eyes countries and that intelligence ending up with the U.S. government?

              That might be legally defensible if only for surveillance purposes rather than to procure legally admissible evidence for trial.

              If you don’t want your email to be scrutinized by the U.S. government, you might do well to pick an email service that’s based outside the 14 eyes countries. Same thing goes for VPN. I don’t know that some future authoritarian government under Alexandria Ocasio-Cortez will put people on a no-hire list because they wrote emails once that were clearly against gay marriage, but I’d rather not have to worry about that.

              If the Fourth Amendment doesn’t work for internet stuff (like it should), I can still depend on my own choice not to subject myself to the risks I know about.

              1. Even if we were merely talking about, for example, Denmark spying on Americans in Denmark while the United States were spying on Danes in the U.S, wouldn’t we still be talking about Americans being spied on everywhere within those 14 eyes countries and that intelligence ending up with the U.S. government?

                If it is an American person, meaning a citizen or LTR, the American IC cannot collect on them period unless it is done incidentally or they are connected to a foreign nexus. That applies world wide. And “collecting” includes accepting intelligence from other nations. So, no they could not legally accept information Denmark collected on an American in Denmark unless there was some kind of foreign intelligence nexus.

            2. In the DOD collection is governed by DOD Directive 5240.1-R. It is really easy to go to jail if you abuse these powers (people do) because it can make bosses get fired and also possibly go to jail if their subordinates to it. People get up in arms (as they should be) about getting collected on but in reality there are a lot of institutional controls in place to prevent it.

        2. what you are describing is illegal as hell under US law.”

          Since when did the law really matter to our spy agencies. samples NSA monitoring all calls Clapper lying about spying on the senate and of course the DOJ spying on Trumps campaign

  11. End to end encryption, even if not hacked, still leaves users’ “meta data” exposed.

    In other words, relatively low level observers, either legally or illegally, can easily find out who is communicating with whom, how often (time wize), how much (lengthwise), and at what specific times…

    1. And the metadata is where the real value is most of the time anyway. Listening to the contents of someone’s phone calls or reading their emails is only valuable if the person spells whatever you are looking for out, which almost never happens. The way terrorists or in this case dissidents are caught is usually by connecting them known bad actors. And you do that with metadata.

    2. I think that situation is improving.

      See my comment with the quote from the guy at Signal above.

      Check out Lavabit.

      “When using the maximum security settings, even an attacker breaking into DIME servers would have no feasible way to access customer emails, leaving client-side attacks as likely the only potential points of vulnerability.”

      http://en.wikipedia.org/wiki/Lavabit

      Levinson was the guy who shut down his service rather than hand over the keys in compliance with a subpoena. His new protocol means that there is no metadata to give in the event of another subpoena.

      I would also argue that with a service like Protonmail, which is based in Switzerland, the message never really leaves the company’s servers (if the sender chooses). The recipient gets a link from Protonmail to a password protected message on their servers in Switzerland, so I don’t know that there is any metadata associated with that. Again, Protonmail doesn’t keep server logs, but even if a Swiss court did comply with a U.S. subpoena, there might not be any metadata to divulge.

      We cannot have anything like privacy using Google, Apple, Microsoft, Facebook, or Amazon products, but the solution is still innovation and exercising our consumer choice. I wish people cared more about their privacy. There may be a big enough market for those of who do to stay one step ahead of the eavesdroppers.

      1. P.S. The prospect of Slack like services to make it possible for people to communicate privately is still emerging–even if it doesn’t emerge directly from Slack itself. They have competition.

      2. Levinson was the guy who shut down his service rather than hand over the keys in compliance with a subpoena. His new protocol means that there is no metadata to give in the event of another subpoena.

        He did turn over the keys. He turned them over in printed form using a tiny font as was held in contempt of court. That contempt charge was later upheld on appeal.

        I’m having trouble figuring out what the ultimate fallout is or was.

        1. Here’s a more details play-by-play of what happened with Levinson and Lavabit.

          The judge found him to be in contempt and ordered Levison to hand over the keys in electronic form or be fined $5,000 for every day he didn’t comply. He racked up $10,000 in fines before he did what the court ordered. But he also did something else: he immediately shuttered Lavabit, preventing the government from now getting the data it wanted and signaling to customers and the rest of the world, in the only way he could, that something was amiss.

Please to post comments

Comments are closed.