Introducing QUANTUM-as-a-Service

Imagine that your device could be silently commandeered and used to spy on you simply because you surfed the web. No need for anyone to have possession of it and physically install something. No need to trick you into downloading spyware, clicking on a malicious link, or entering your credentials into a phony login page. Attackers just wait for you to visit any unencrypted website (http rather than https, that is) and — boom — you’re owned.

Now imagine this capability was commercialized and available for sale to operators all over the world…

Imagine no more.

In a new Citizen Lab report, titled Bad Traffic, we present our discovery of how operators appear to use technology manufactured by a company called Sandvine (formerly Procera) to help deliver exactly this type of nation-state malware in Turkey and Syria. Bizarrely, we also discovered that the same Sandvine technology was configured by operators apparently to commandeer unwitting Internet users in Egypt, but not to spy on them. Instead, there we found user requests appeared to have been manipulated by operators to covertly raise money through online ads and cryptocurrency mining scams.

Known as “packet injection,” and undertaken by Deep Packet Inspection (DPI) devices, the techniques we uncovered at work in Turkey and Egypt are similar to those revealed in the Edward Snowden disclosures, codenamed “QUANTUM.” QUANTUM attacks are considered among the most powerful weapons in the NSA’s (and its Five Eyes allies’) toolkit. One was reportedly employed by the UK’s GCHQ to get inside the computers of Belgium’s largest telco, Belgacom, by redirecting senior Belgacom technicians to fake LinkedIn pages where their computers were silently infected with malware. As the Belgacom operation demonstrates, QUANTUM attacks typically involve two components: a first, in which packets are injected into Internet requests; and a second, in which a separate server controlled by the attackers (codenamed FOXACID by the NSA) injects spyware (Figure 1). We found Sandvine PacketLogic devices being used by operators to perform the first component, with spyware chosen by the operator (presumably Turkish authorities) serving as the second.

Figure 1: Top Secret NSA Slide QUANTUM INSERT Diagrams
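The two-component structure just described has a consequence for defenders: an injector that sits on the path cannot stop the genuine server from answering, it can only race the reply, so a capture taken on the victim’s side of the network often contains two segments for the same connection and sequence number with different contents (and, since the injector sits a different number of hops away than the real server, frequently a different IP TTL). The following is an added example written for this page, not code from the Citizen Lab report, from Sandvine, or from any NSA material: a small Python check that walks a list of parsed TCP segments and flags exactly that pattern. The `Segment` class, the function names, the addresses (documentation ranges) and the HTTP bodies in the sample capture are all constructed for the example.

```python
"""Defender-side check for packet-injection races in captured TCP traffic.

Assumption (example code): a pcap parser has already reduced each segment
to the fields below. Two segments on the same flow with the same sequence
number but different payloads are reported as an injection candidate;
identical bytes at the same sequence number are an ordinary retransmission
and are ignored.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Segment:
    """Minimal view of one TCP segment (constructed type for this example)."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ttl: int
    payload: bytes


Flow = Tuple[str, int, str, int]


def flow_key(seg: Segment) -> Flow:
    """Identify a unidirectional flow by its 4-tuple."""
    return (seg.src, seg.sport, seg.dst, seg.dport)


def find_injection_candidates(segments: List[Segment]) -> List[dict]:
    """Return one finding per (flow, seq) that carries two different payloads.

    The first payload seen for a (flow, seq) is kept as the baseline; any later
    segment with the same key and different bytes is reported together with
    both TTLs, because a TTL mismatch between the two is a strong hint that the
    packets originated from different hosts.
    """
    seen: Dict[Tuple[Flow, int], List[Segment]] = defaultdict(list)
    findings: List[dict] = []
    for seg in segments:
        if not seg.payload:
            continue  # pure ACKs carry nothing to compare
        key = (flow_key(seg), seg.seq)
        variants = seen[key]
        if any(v.payload == seg.payload for v in variants):
            continue  # same bytes as before: a retransmission, not an injection
        if variants:
            first = variants[0]
            findings.append({
                "flow": key[0],
                "seq": seg.seq,
                "first_ttl": first.ttl,
                "second_ttl": seg.ttl,
                "ttl_mismatch": first.ttl != seg.ttl,
                "first_payload_head": first.payload[:40],
                "second_payload_head": seg.payload[:40],
            })
        variants.append(seg)
    return findings


def summarize(findings: List[dict]) -> List[str]:
    """Render findings as one human-readable line each (for a console or SIEM)."""
    lines = []
    for f in findings:
        src, sport, dst, dport = f["flow"]
        lines.append(
            f"{src}:{sport} -> {dst}:{dport} seq={f['seq']} "
            f"ttl {f['first_ttl']} vs {f['second_ttl']} "
            f"({'TTL MISMATCH' if f['ttl_mismatch'] else 'same ttl'}): "
            f"{f['first_payload_head']!r} != {f['second_payload_head']!r}"
        )
    return lines


# Constructed sample capture: documentation-range addresses and made-up HTTP bodies.
SERVER, CLIENT = "203.0.113.10", "198.51.100.7"
GENUINE_REPLY = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>news</html>"
SAMPLE_CAPTURE = [
    # client request
    Segment(CLIENT, 51234, SERVER, 80, 100, 64, b"GET /news HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    # injected reply arrives first (wins the race); TTL differs from the real server's
    Segment(SERVER, 80, CLIENT, 51234, 5000, 49, b"HTTP/1.1 302 Found\r\nLocation: http://redirect.invalid/\r\n\r\n"),
    # genuine reply arrives afterwards for the same sequence number
    Segment(SERVER, 80, CLIENT, 51234, 5000, 54, GENUINE_REPLY),
    # benign retransmission of the genuine reply: identical bytes, not flagged
    Segment(SERVER, 80, CLIENT, 51234, 5000, 54, GENUINE_REPLY),
    # an untouched second connection
    Segment(SERVER, 80, CLIENT, 51235, 7000, 54, b"HTTP/1.1 200 OK\r\n\r\nok"),
]


if __name__ == "__main__":
    for line in summarize(find_injection_candidates(SAMPLE_CAPTURE)):
        print(line)
```

The check keys on exact sequence-number equality, so an injected segment that overlaps the genuine reply at a different starting offset would not be caught; a production detector would compare overlapping byte ranges after reassembly. It also only sees what the capture point sees: a tap between the victim and the DPI device will observe both segments, while a capture taken upstream of the injector will not.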

Pulling off a QUANTUM attack is relatively simple if you control the network of a group of users. Computer scientist Nick Weaver demonstrated a QUANTUM attack at our 2015 Citizen Lab Summer Institute. However, executing QUANTUM attacks at national scale requires the control or cooperation of a major telecommunications provider, something only national governments can practically arrange.

In another Snowden disclosure, Canada’s spy agency, CSE, noted in a top-secret presentation that “it’s no lie, quantum is cool,” but then added “it’s easy to find.” Well, maybe for them. For researchers like us, it’s not so easy. Our report is the first case in which nation-state spyware injection has been empirically documented “in the wild.” Credit goes to the Citizen Lab’s Bill Marczak, whose remarkable detective work included scanning every one of the billions of IPv4 addresses on the Internet for the unique fingerprint he developed for Sandvine’s PacketLogic device. We also verified the fingerprint in a laboratory setting using a second-hand PacketLogic device we purchased. Marczak’s sleuthing identified spyware injection targeting Türk Telekom subscribers in at least five provinces in Turkey, and hundreds of users across the border in Syria who were receiving their Internet access through WiFi connection points leased from Türk Telekom. The same methods helped uncover the Egyptian mass injection-for-profit scheme, which we have dubbed “AdHose”.

Figure 2: AdHose Packet Injection Diagram

One imagines that the NSA, GCHQ, and their allies spent many years and considerable scientific and financial resources developing QUANTUM capabilities in house. Today, commercial DPI technology combined with spyware in the ways we have documented allows a government to simply order them up. With QUANTUM-as-a-Service, many more governments will now be playing in the Five Eyes’ league — governments like Turkey and Egypt, which Human Rights Watch describes respectively as “the world leader in jailing journalists and media workers,” and “continuing near-absolute impunity for abuses by security forces under the pretext of fighting ‘terrorism.’”

The prospect of QUANTUM capabilities being sold “off-the-shelf” to any government or government-controlled telco should give everyone pause, especially because the type of DPI sold by companies like Sandvine, as presently advertised, falls through the regulatory cracks. It is classic “dual-use” technology, marketed as benign-sounding “quality of service” or “quality of experience” functionality: helping Internet Service Providers manage network traffic, speed up the delivery of videos for higher-paying clients, and block forbidden applications. The Wassenaar Arrangement, the 51-member-state export-control regime for dual-use technology, targets “IP network communications surveillance” items for export controls, but specifically exempts “quality of service” and “quality of experience” systems. However, as our report shows, Sandvine’s technology (which appears at present to fall under this exemption) can also surreptitiously redirect users to sophisticated spyware, or permit the hijacking of browsers to mine cryptocurrency for profit. Its power is in the hands of the local operator — operators that answer to autocratic rulers like Turkey’s Erdogan or Egypt’s el-Sisi.

It is worth noting that Sandvine is owned by Francisco Partners, the same investment group that also happens to own Israeli spyware vendor NSO Group, another company whose misused services have been the subject of numerous Citizen Lab reports. In response to our letters to these companies, Sandvine and Francisco Partners both claimed that they have stringent business ethics and other internal checks to prevent abuse of their services. Not good enough checks, it seems.

Until its acquisition by Francisco Partners last year, and its subsequent combination with Procera, Sandvine was headquartered in Waterloo, Canada. At the time of the proposed sale, I argued that the takeover warranted closer scrutiny by the federal government. In light of Citizen Lab’s report, I wonder whether anything will be done by the relevant authorities in Canada and the United States. Targeted injection of spyware at the nation-state level represents a major public safety risk, and technologies that facilitate such injection should be regulated accordingly.

While we wait for governments to act, there’s more that can be done right now to protect users. Properly encrypting websites by default would certainly frustrate these sorts of attacks. However, Google’s and Firefox’s statistics show that around 20-30% of all websites are still not encrypted by default. That needs to change.

Until such time, keep an eye on the address of the websites you visit. If it begins with “http” without the “s”, and there’s no little lock icon in the address bar that says “secure,” you too may be vulnerable to this type of attack.

CBC Current Panel on Nokia-Siemens Lawsuit

I was interviewed by CBC’s The Current on September 17 regarding Isa Saharkhiz’s lawsuit against Nokia Siemens Networks and the broader implications of cyber espionage.

The radio clip also features a panel discussion with the son of the jailed journalist, Mehdi Saharkhiz, and Tony Rutkowski, Cybersecurity Rapporteur for the United Nations’ International Telecommunications Union.

Listen to the interview and panel discussion here from CBC Radio.

Amnesty Slams Cisco

The Amnesty Irrepressible.info campaign is continuing to raise awareness and debate about Internet censorship practices around the world. Part of the purpose of the campaign is to focus on Western companies that provide technologies of censorship and surveillance. There is a ZDNet UK article about the topic, with some of my comments on the matter, and the same old responses from Cisco about how they just sell the technology and do not determine how it is used. Whatever their level of support actually is, they cannot deny that they know how the technology is actually being deployed in China and elsewhere around the world.

It is interesting to see how you end up being represented in these stories. For the record, here is my exchange on the matter with the reporter:

ZDNET: Can you comment on Cisco’s involvement in China?
1. How do you know that the Chinese authorities use Cisco routing technology and hardware?

RD: I know that Chinese authorities use Cisco routing technology because Cisco themselves say that they do. Cisco does not deny that its technology is being used, as evidenced by the testimony to US Congress of Mark Chandler, Senior Vice President and General Counsel of Cisco Systems. You can read it yourself here:

http://wwwa.house.gov/international_relations/109/cha021506.pdf

ZDNET: 2. Does Cisco configure the routers for the Chinese, or actively help to block access to the Internet? Does Cisco supply any other kind of service to the authorities?

RD: In the same testimony as noted above, Mr. Chandler says:

“Cisco does not customize, or develop specialized or unique filtering capabilities, in order to enable different regimes to block access to information…”

However, this is contradicted by the testimony of Ethan Gutman, which you can find here:

http://wwwa.house.gov/international_relations/109/gut041906.pdf

so it is a matter of making an educated guess. Someone is not telling the truth. My educated guess is that it would be unlikely for any company to have a major contract of this sort without supplying support for one of its primary service functions.

ZDNET: 3. If Cisco supplies the hardware, is this detrimental to the local population, and why? Is Cisco aware of it being detrimental?

RD: I believe not only is it detrimental to the population of China, it is a violation of human rights, as outlined in the UN Declaration of Human Rights. As to whether Cisco is aware of it being detrimental, you would have to ask them.

USA Today and Radio Canada International

The debates over corporate responsibility when it comes to Internet filtering and surveillance are growing in leaps and bounds, thanks in part to the work of the OpenNet Initiative. Kevin Maney’s column in USA Today points out that the recent debates over Google and Yahoo in China are only the tip of the iceberg, with references to our recent research.

Meanwhile, I did a radio interview with Radio Canada International’s Valerie Morand on the Citizen Lab’s research and development of the Psiphon circumvention tool. You can access the piece here, for the European version and here, for the African version.

HERE is a locally archived version. My piece begins at about the 20 minute mark.

Announcing The Open Net Initiative!

A new approach to university-based research striving to become the eyes and ears of digital censorship worldwide

“The Open Net Initiative represents a new approach to university-based research,” says Cambridge University’s Rafal Rohozinski. “We fuse cutting-edge intelligence-derived techniques with a networked model of analysis that includes some of the brightest minds in this field – we are striving to become the eyes and ears on digital censorship worldwide.”

The Open Net Initiative (ONI) was formed in 2004 with support from the Soros Foundation’s Open Society Institute and represents a partnership among groups at three leading global universities: Cambridge, Harvard, and Toronto. As Harvard’s Jonathan Zittrain explains, “The aim of the ONI is to excavate, analyze, and report censorship and surveillance practices in a rigorous, ongoing fashion. In order to fully understand the Internet’s evolution, we must be able to map it empirically.”

The ONI employs a unique interdisciplinary methodology that combines information derived from a global network of local researchers with advanced technical network probes to create a detailed picture of what goes on beneath the surface of the Internet.

As University of Toronto’s Ronald Deibert explains, some techniques of interrogation have been deliberately borrowed from the world of intelligence. “The tools we employ to probe the subterranean layers of the Internet are not necessarily new,” says Deibert. “The combination of electronic surveillance and human-based information gathering has long been the hallmark of state intelligence practices. What we are doing with the ONI is taking these tools and turning them inside-out, so to speak, focusing them back on the ‘watchers’ to measure their practices against general principles of human rights, and open the lid on the World Wide Web.”

ONI researchers in the UK, Canada and United States lead discrete aspects of the research, and jointly analyze the resulting data. Technical research is centered on University of Toronto’s Citizen Lab, legal and statistical analysis is led by Harvard University’s Berkman Center for Internet & Society, while managing human-based information gathering activities is the responsibility of the Advanced Network Research Group at Cambridge University.

Additional research and writing work conducted by the Berkman Center in this field is supported by a grant from the John D. and Catherine T. MacArthur Foundation and other sources, while the work of the Citizen Lab and Advanced Network Research Group is supported by the Ford Foundation.

ONI research reports, bulletins, and advisories will be released periodically and can be found on the ONI website: <http://www.opennetinitiative.net/>.

CONTACT:

Ron Deibert,
Director, Citizen Lab, Munk Centre for International Studies, University of Toronto,
r.deibert@utoronto.ca

Jonathan Zittrain and John Palfrey,
Berkman Center for Internet and Society, Harvard Law School, Harvard University,
zittrain@law.harvard.edu and jpalfrey@law.harvard.edu

Rafal Rohozinski,
Director, Advanced Network Research Group, Cambridge Security Programme, University of Cambridge,
rar20@cus.cam.ac.uk