PGP ID: 0xBD83B92B2F4BFD99
Fingerprint: 7B85 0961 8D82 0DF6 39241BB6 BD83 B92B 2F4B FD99
Latest posts by Kyle Rankin (see all)
- Tamper-evident Boot Update: Making Heads More Usable - March 9, 2018
- Librem adds tamper-evident features, now most secure laptop under full customer control - February 27, 2018
- The Great Puri.sm Outage of 2018 - February 20, 2018
Spyware has long been a privacy and security risk for personal computers and has been used by a number of groups—ranging from creeps who spy on and blackmail people through Remote Access Trojans, to marketers who want ever more data about you for targeted ads (such as through the Superfish malware we’ve seen preinstalled on some “big brands” computers), to government intelligence agencies.
The Register recently reported on an investigation by the EFF and Lookout into the “Dark Caracal” spyware network. According to the EFF, this spyware has already captured hundreds of gigabytes of data. More troubling, this spyware network is being rented out to nation states that may not be able to develop this capability in-house. Who knew government spies had their own international app store?
The Dark Caracal toolkit contains malware that targets Windows and Android platforms. In particular, Lookout discovered that Dark Caracal uses a particular piece of Android malware called Pallas that disguises itself as a legitimate Signal or WhatsApp app and tricks the unsuspecting user into installing it. Instead of relying on a rootkit, it just uses the fact that chat apps usually have access to a wide variety of permissions on your phone, so most people don’t question all the permissions the malware wants. Once installed, it uses those permissions to get audio, text messages, files, and other data via completely legitimate means and uses the network connection to send it back to the attacker.
Purism, Post-Its and Personal Privacy
Dark Caracal relies on Windows and Android malware, so you might wonder why I’m writing about it at Purism given not only is our Librem 5 phone not out yet, but PureOS is a completely different platform and isn’t vulnerable to this spyware toolkit. What makes spyware like this relevant is that we have focused on protecting customer privacy from the beginning (it’s even part of our corporate charter). Stories like this give us an opportunity to audit the privacy and security protections we put in our products to see how they’d fare if we had been a target.
By performing a tabletop thought exercise against spyware in the wild even if we aren’t vulnerable ourselves, we can rate the protections we have in place against a real-world attack and proactively harden things further based on any gaps we might find. It’s always easier if you start with security as a focus from the beginning instead of tacking it on at the end, so this exercise is not just useful for our existing Librem laptops but is particularly helpful as we develop the Librem 5.
The first thing to examine is the software delivery mechanism. Malicious lookalike applications are a constant problem in mobile app stores, even more so if you add third party stores into the mix. One advantage GNU/Linux distributions have long had against other operating systems is that all of a particular distribution’s applications come from its own official repository and are signed by its developers. It’s much more difficult for a malicious application to end up in the official repository and pass the signature check, so when you use your distribution’s tool to install LibreOffice, you can be assured you are getting the real thing.
We get an additional advantage due to our dedication to Free Software. Like with other GNU/Linux distributions, all applications in PureOS come from a central PureOS repository and are signed with official PureOS keys. Unlike many GNU/Linux distributions, PureOS is a FSF-endorsed distribution so all of the software in PureOS must be Free Software. PureOS doesn’t include packages that download proprietary codecs, unsigned Flash plugins or any other binary-only code from elsewhere on the Internet. This means you can examine the source for every package in PureOS to check for malware or backdoors.
This is why it’s important to be extra careful when adding third-party repositories or installing software with
curl | sh because you bypass trusted code signing and lose many of the protections built into a GNU/Linux distribution’s native packages. Fortunately, because PureOS is derived in part from Debian, it can take advantage of the vast number of packages available in Debian’s free repository, so you are much less likely to need to install software from a third party.
Hardware Privacy Protections
For most vendors you would focus only on software protections against spying because that’s your only option. Fortunately we can go one step further because we also build privacy protections into the hardware itself in the form of kill switches. Purism devices include hardware switches that allow you to cut power to radio hardware (WiFi) and to the webcam and microphone. Unlike a software hot key, these hardware switches disconnect power from the hardware so it can’t be bypassed by malicious software. Dark Caracal attacked both desktops and phones and so we should consider what effect our hardware privacy features would have on the spyware in both cases.
On a traditional laptop infected with Dark Caracal, the attacker would be able to stream video from the webcam. Depending on the sophistication of the spyware, it could possibly capture video with the LED light off, a phenomenon that has been demonstrated multiple times in recent years. Even if the victim added the high-tech spying countermeasure of covering the webcam with tape, the attacker could still capture audio off of the microphone and stream it along with the rest of the data over the WiFi connection.
On Librem laptops, the radio kill switch disables WiFi and the webcam/mic kill switch—you guessed it—disables the webcam and microphone together. We recommend users take advantage of the kill switches, in particular the webcam/mic switch, to disable the hardware when you aren’t using it. With the webcam/mic kill switch, even if spyware found its way on your machine, the attacker wouldn’t be able to capture any video or audio from the machine as long as the switch was off.
Customers especially concerned about their privacy or in a high-risk environment could take the additional precaution of using the radio kill switch to keep WiFi powered off and only turning it on briefly when they needed a network connection. In that case the attacker would have to wait until a network connection showed up and use that limited window to upload the data.
Like with the Librem laptops, the Librem 5 phone will have kill switches, but as you’ll see, they impact a phone’s privacy even more dramatically than on a laptop. For example, the webcam/mic kill switch will protect you in much the same way as in a laptop, but unlike with a laptop, it gives you spyware protection you just wouldn’t have with a traditional phone because most phones just don’t have a good way to disable the microphone (in fact they rely on it being always on for voice commands). While you could tape over the camera like in a laptop, almost no one does. With a kill switch, you can leave your camera and mic off and conveniently turn it on when you need to take a selfie or make a call.
The radio kill switch would protect you in a similar way as on a laptop, but the Librem 5 also has an additional baseband kill switch. This switch powers off the cellular radio completely, not using software like in traditional airplane mode but using hardware so you know for sure it’s off. With the baseband off, you also prevent spyware from using your cellular beacon to track your location or your cellular network to send out your personal data and rack up a large cellphone bill.
It’s hard to add security and privacy protections after the fact—even harder if your company relies on customer data for its revenue. Because we value customer privacy, we continually work to increase privacy protections in our products not just in a reactive way based on a specific threat but in a proactive and general-purpose way that applies to all kinds of threats. Even though Purism products weren’t vulnerable to Dark Caracal, you can see how some of the additional protections we put in place would help keep you safer even if they were.
While this government-sponsored spyware was interesting because of its scope and because it was rented out to other governments, spyware like it is sadly not unique. Everyone from governments to tech companies to hackers to creepy stalkers all want a piece of your personal data and they all use different kinds of spyware to get it. Some of the greatest minds in our generation are focused on the problem of how to capture and store more and more of your data. At Purism we recognize that this data is your data, and we work every day to protect it.