Rogue Exodus Spyware Developer Finally Charged
Created: Thursday, 16 January 2020
Last modified: Friday, 17 January 2020
After successfully creating a health care app for doctors to view medical records, Diego Fasano, an Italian entrepreneur, got some well-timed advice from a police officer friend: Go into the surveillance business because law enforcement desperately needs technological help.
In 2014, he founded a company that creates surveillance technology, including powerful spyware for police and intelligence agencies, at a time when easy-to-use encrypted chat apps such as WhatsApp and Signal were making it possible for criminal suspects to protect phone calls and data from government scrutiny.
The concept behind the company's product was simple: With the help of Italy's telecom companies, suspects would be duped into downloading a harmless-seeming app, ostensibly to fix network errors on their phone. The app would also allow Fasano's company, eSurv, to give law enforcement access to a device's microphone, camera, stored files and encrypted messages.
Fasano christened the spyware "Exodus."
"I started to go to all the Italian prosecutors' offices to sell it," explained Fasano, a 46-year-old with short, dark-brown hair and graying stubble. "The software was good. And within three years, it was used across Italy. In Rome, Naples, Milan."
Even the country's foreign intelligence agency, L'Agenzia Informazioni e Sicurezza Esterna, came calling for Exodus's services, Fasano said.
But Fasano's success was short-lived, done in by a technical glitch that alerted investigators that something could be amiss. They followed a digital trail between Italy and the US before unearthing a stunning discovery.
Authorities found that eSurv employees allegedly used the company's spyware to illegally hack the phones of hundreds of innocent Italians - playing back phone conversations of secretly recorded calls aloud in the office, according to legal documents. The company also struck a deal with a company with alleged links to the Mafia, authorities said.
The discovery prompted a criminal inquiry involving four Italian prosecutor's offices. Fasano and another eSurv executive, Salvatore Ansani, were charged with fraud, unauthorized access to a computer system, illicit interception and illicit data processing.
Already, the unfolding story of eSurv has renewed questions about the growing use of spyware. It has also brought attention to the largely unregulated companies that develop the spyware technology, which is capable of hacking into a device that nearly everyone carries in a pocket or purse, often storing their most sensitive information.
The demand for such technology has been driven in part by the rise in popularity of encrypted mobile phone apps and the reality that it is getting harder for law enforcement to glean evidence without the assistance of Silicon Valley giants such as Apple Inc., which is currently at loggerheads with the FBI over access to an iPhone used by an accused terrorist.
In recent years, spyware developers such as Israel's NSO Group and Italy's Hacking Team have been criticized for selling their products to repressive governments, which have used the technology to, among other things, track activists and journalists. (Both companies have said they sell their equipment to law enforcement and intelligence agencies to fight crime and terrorism.)
What makes the allegations against eSurv so astounding is that, if true, the company became involved in the spying itself - and did so right in the heart of Europe.
Giovanni Melillo, the chief prosecutor in Naples who is overseeing the case, has worked on some of the country's highest-profile investigations, from the feared Camorra organized crime group to international money laundering and drug trafficking schemes. But he said the allegations against eSurv are unusual, even for a veteran prosecutor like him.
"I think that no prosecutors in Western countries have ever worked on a case like this," Melillo said in a recent interview at his Naples office. This story is based on interviews with Italian authorities and a review of 170 pages of documents outlining the evidence collected, much of it never before reported.
In the city of Benevento, about 40 miles northeast of Naples, technicians working for the prosecutor's office in 2018 were using Exodus to hack the phones of suspects in an investigation. That October, one of the technicians noticed that the network connection to Exodus was frequently dropping out, according to Italian authorities.
The technician did some troubleshooting and found a glaring problem. The Exodus system was supposed to operate from a secure internal server accessible only to the Benevento prosecutor's office. Instead, it was connecting to a server accessible to anyone on the internet, protected only by a username and password, the authorities said.
The implications were enormous: hackers could potentially gain access to the platform and view all of the data that Italian prosecutors were covertly harvesting from suspects' phones in some of Italy's most sensitive law enforcement investigations. (Authorities don't know if the server was in fact ever hacked.)
The prosecutor's office quickly took steps to shut down Exodus, and in October 2018, they ordered the seizure of eSurv's equipment.
The investigation was eventually handed off to the prosecutor's office in nearby Naples, which is responsible for handling major computer crimes in the region. The Naples prosecutor began a more in-depth probe - and found that eSurv had been storing a vast amount of sensitive data, unencrypted, on an Amazon Web Services server in Oregon.
The data included thousands of photos, recordings of conversations, private messages and emails, videos, and other files gathered from hacked phones and computers. In total, there were about 80 terabytes of data on the server - the equivalent of roughly 40,000 hours of HD video.
"A large part of the data is secret data," said Melillo. "It's related to the investigation of Mafia cases, terrorist cases, corruption cases."
Prosecutors filed criminal charges against eSurv for unlawfully collecting and storing private communications, transferring them overseas, and failing to keep secure "sensitive personal data of a judicial nature."
But, according to authorities, a far worse discovery was yet to come.
When Fasano began thinking about creating a police surveillance tool, he recruited a small team to explore the possibilities. They eventually developed a spyware tool that would allow police to hack Android phones by luring suspects into downloading what looked like an ordinary app from the Google Play store.
The police, with cooperation from mobile phone networks, would shut down a targeted person's data service, Fasano said. They would then send them instructions to use Wi-Fi to download an app to restore service. ESurv designed the app to look as though it was associated with telecommunications providers, with names such as "Operator Italia."
The app didn't contain spy software, allowing it to bypass Google's automated virus scans. But once a person downloaded it, the app served as a gateway through which eSurv could place spyware onto a person's phone. The spyware would then covertly take total control: recording audio, taking photos and giving police access to encrypted messages and files, Fasano said.
ESurv developed different versions of Exodus that could target iPhones, as well as laptops and desktop computers using Microsoft Corp.'s Windows and Apple Inc.'s OS X operating systems, Fasano said. Google said it had removed all versions of the Exodus app from its app store. Microsoft said it wasn't aware of any samples of Exodus targeting the Windows platform. Apple didn't respond to a message seeking comment.
ESurv created its spyware in Catanzaro, a city of narrow cobbled streets in southern Italy known for its silk and velvet production and its ties to the 'Ndrangheta, the most powerful Mafia group in Europe. The company employed about 20 people, most of whom were involved in another part of the business-selling video surveillance technology. The work of developing and expanding Exodus was left to a small group of employees who worked in a separate room. They called themselves the Black Team.
The Black Team was led by Ansani, the 43-year-old technical director who was charged with Fasano, according to testimony from former employees given during the police investigation. They used the spyware to target law-abiding Italian citizens, bugging their phones and recording their private conversations, according to prosecutors. The reasons for the spying remain unknown.
Ansani, who denied the charges to police, declined to comment, saying in an email, "Investigations are currently being carried out by the Public Prosecutor. Therefore, as you know, I cannot issue any statement."
In one instance, the Black Team hacked the phone of a 49-year-old woman from Crotone, a port city on the coast of Calabria, according to the prosecutor's filings. The team collected the woman's personal text messages to family and friends, and covertly recorded more than 3,800 audio clips using her mobile phone's built-in microphone, chronicling the woman's life and interactions as she went about her daily business, the filings say.
In all, the Black Team spied on more than 230 people who weren't authorized surveillance targets, according to police documents. Some of the surveillance victims were listed in eSurv's internal files as "The Volunteers," suggesting they were unwitting guinea pigs.
Ansani would sometimes sit at his computer and wear headphones, listening to conversations covertly collected from people's phones, the employees said. On other occasions, Ansani would loudly play the recordings through his computer speakers and show other employees images that Exodus had collected, the employees told police. Under its strict agreement with authorities, eSurv didn't have permission to view or listen to this information, the employees said.
After reviewing evidence about the Black Team in May, a judge concluded that Exodus appeared to have been "designed and intended from the outset to operate with functions that are very distant from the canons of legality." The judge approved a warrant to place Ansani and Fasano under house arrest; the investigation is continuing and additional charges could be filed, according to Italian authorities.
Ansani told police that he didn't carry out unlawful surveillance and couldn't access data from hacked phones or computers. Police later discovered that he had possessed "superuser" credentials at eSurv that gave him the ability to review recordings, private messages, photographs and other data Exodus vacuumed up from people's devices, according to legal documents and Italian authorities.
Fasano, eSurv's founder, who is fighting the charges against him, said in an interview that he had no knowledge of unlawful surveillance and that he had delegated responsibility for Exodus to Ansani.
Inside the prosecutor's office in Naples, a 14-floor building a short distance from the city's business district, a task force of investigators is combing through the vast amount of data seized from eSurv.
The investigators are still trying to work out whether eSurv's employees were unlawfully monitoring people for a malicious purpose such as blackmail, whether it was just some sort of cruel game, or whether there is another explanation.
The case has shocked prosecutors in Italy, according to Melillo, and forced them to change their protocols. In Naples, the prosecutor's office will no longer work with private surveillance companies unless they first pass tests showing that their systems are secure and conform to stringent standards.
Melillo said he is concerned other companies may be conducting their own illegal surveillance. ESurv's hacking technology, he said, was "just the top of a big iceberg. We don't know yet the part of iceberg that is under the water."
About 35 miles south of Naples, in Salerno, a spin-off investigation is focusing on whether a contractor that eSurv was working with, STM, may have been using Exodus to carry out its own unlawful spying operations. According to a person with knowledge of the Salerno investigation, STM obtained the Exodus spyware from eSurv and allegedly used it to assist Eugenio Facciolla, a prosecutor at the center of a corruption scandal.
The prosecutor's office in Salerno has charged Facciolla with forging documents in an effort to obstruct or mislead a police investigation into an 'Ndrangheta-led illegal logging operation, which involved chopping down thousands of trees in some of Italy's national parks, according to the person and Italian media reports.
Facciolla worked for a different prosecutor's office, in Castrovillari, that paid STM more than €700,000 (about $780,000) for help carrying out surveillance in criminal investigations, said the person. But the Salerno prosecutor is looking at the possibility that Facciolla went rogue - and enlisted STM to help with illegal, off-the-books surveillance operations, said the person.
Nicola Gratteri, one of Italy's leading anti-mafia prosecutors, said he identified connections between STM and people working for the 'Ndrangheta. "From telephone tapping, I discovered that some of my subjects had something to do with this company," said Gratteri.
STM didn't respond to messages seeking comment.
Gratteri said he passed on the information about STM to the prosecutor's office in Salerno, which is investigating the matter but declined to comment for this story. The use of Exodus and other spyware, Gratteri suggested, had gotten out of control. In the hands of corrupt police or prosecutors, he said, it could be used to target people like him.
"I think I am an interesting subject for those not on the side of justice," he said.
Italy's High Council of the Judiciary, which manages the appointment of prosecutors, said in November that it was removing Facciolla from his office in Castrovillari, on the grounds that he had "abused his functions." Facciolla is appealing that decision and said that the accusations against him were "false."
"I have been fighting crime for decades," he told Bloomberg News in a statement.
Fasano acknowledged providing Exodus to other companies, including STM, which signed a partner agreement with eSurv in January 2018 worth about €50,000 (about $61,000). However, Fasano said he didn't know how STM used the technology.
"It's like a gun," said Vincenzo Ioppoli, Fasano's lawyer. "Once you have sold it, you don't know how it will be used."
The investigation is expected to be completed later this year, according to the Naples prosecutors. Fasano and Ansani were kept under house arrest for three months and released. They are awaiting the next stage of their legal proceedings, which will likely conclude with a trial, according to Fasano.
Fasano said that his wife has left him due to troubles caused by his legal case and that he is struggling to make his mortgage payments because eSurv has shut down its operations. (His wife didn't return a message seeking comment.) He said he's had offers for new jobs but only from companies in the surveillance industry. He said he's done with the spyware business and regrets getting into it in the first place.
"I don't want to work in this kind of market anymore," said Fasano, lamenting his fate ahead of a meeting about his case in October. "Privacy, for me, it is a very, very important thing. I made a big mistake."
The Foul Apple
BlackHats say: Everything Apple is insecure and can't be secured!
Laser pointers are great for taunting cats and inflicting irritation. But they're also quite effective at hacking Alexa, Siri or Google Assistant, researchers say - even from hundreds of feet away.
Microphones in smart devices translate sound into electrical signals, which communicate commands to the device. But as researchers at the University of Michigan and University of Electro-Communications in Tokyo have discovered, microphones will respond the same way to a focused light pointed directly at them. It's a surprising vulnerability that would allow an attacker to secretly take over many popular voice-controlled devices with nothing more than a $13.99 laser pointer and some solid aim.
"It's possible to make microphones respond to light as if it were sound," Takeshi Sugawara, one of the lead researchers on the study, told Wired. "This means that anything that acts on sound commands will act on light commands."
Since many voice-command systems don't require authentication, an attacker wouldn't need a password or PIN to take over a device with a light command; they just need to be in the object's line of sight. In a paper released Monday, researchers detailed how they could easily commandeer smart speakers, tablets and phones without being in the same building, just by pointing a laser through a window. In one case, they took over a Google Home on the fourth floor of an office building from the top of a bell tower at the University of Michigan, more than 200 feet away. And they say the trick could theoretically be deployed to buy things online undetected, operate smart switches in homes and endless other unsettling applications.
"Once an attacker gains control over a voice assistant a number of other systems could be open to their manipulation," a breakdown of the study on the University of Michigan's website says. "In the worst cases, this could mean dangerous access to e-commerce accounts, credit cards, and even any connected medical devices the user has linked to their assistant."
Researchers spent seven months testing the trick on 17 voice-controlled devices enabled with Alexa, Siri, Facebook Portal and Google Assistant, including Google Home, Echo Dot, Fire Cube, Google Pixel, Samsung Galaxy, iPhone and iPad. They successfully levied attacks using ordinary laser pointers, laser drivers, a telephoto lens and even a souped-up flashlight.
The researchers weren't sure exactly why these microphones respond to light as they do sound; they didn't want to speculate and are leaving the physics for future study. They notified Google, Amazon, Apple, Tesla and Ford about the vulnerability.
Spokespeople for Google and Amazon said the companies are reviewing the research and its implications for the security of their products but said risk to consumers seems limited. An Amazon spokeswoman pointed out that customers could safeguard Alexa-enabled products with a PIN, or use the mute button to disconnect the microphone. (Amazon founder Jeff Bezos owns The Washington Post.)
Apple did not immediately respond to requests for comment.
Other undetectable means of exploiting voice-command devices have been revealed by researchers, but their powers have been more limited. In 2016, researchers at the University of California at Berkeley showed it was possible to cloak commands in white noise, music or spoken text. In 2017, researchers in China showed it was possible to give commands to smart devices at frequencies inaudible to the human ear, but a transmitter needs to be relatively close to the object for the method to work.
There are no known instances of someone using light commands to hack a device, researchers said, but eliminating the vulnerability would require a redesign for most microphones. There are, however, limits to the stealth of a light command attack, researchers found. With the exception of infrared lasers, lasers and other lights are visible to the naked eye and could easily be noticed by someone near the device. Voice-command devices also generally give audible responses, but an attacker could still change the device's volume to continue operating it undetected.
For now, researchers say the only foolproof way to protect against light commands is to keep devices out of sight from windows, away from prying eyes - and prying laser beams.
San Francisco: A self-proclaimed hacker who held over 300 million iPhones to ransom after gaining access to their iCloud details and threatening to factory reset their iPhones has pleaded guilty to blackmailing the Cupertino-based tech giant.
Kerem Albayrak, 22, claiming to be a member of the 'Turkish Crime Family' hacking group, tried to blackmail Apple after threatening to delete hundreds of millions of Apple accounts, Forbes reported on Sunday.
Albayrak was sentenced last week to a two-year suspended jail term, along with 300 hours of unpaid work and an electronic curfew for six months, at Southwark Crown Court in London.
"While iPhone users have recently been warned that they need to update to iOS 13.3 or risk getting locked out of their devices, Albayrak proposed to delete their data instead," said the report.
He threatened to factory reset more than 319 iCloud accounts, effectively holding iPhone user data to ransom, as well as "other" Apple accounts.
Apple contacted law enforcement agencies in the US and the National Crime Agency (NCA) led the investigation in the UK.
In March 2017, the National Cyber Crime Unit arrested Albayrak at his home in north London. The team also seized his digital devices, such as smartphones, computers, and hard drives.
"Hacker who tried to blackmail Apple by threatening to delete 319 million accounts has been sentenced following an NCA investigation," tweeted the NCA.
Albayrak demanded that Apple make a payment of $75,000 in crypto-currency or $100,000 worth of iTunes gift cards.
In an online post, Albayrak claimed his hacking group would "have enough power to factory reset 150 accounts per minute per script," and that they could process 17 scripts per server.
The US investigators said "there were no signs of a network compromise."
San Francisco: The hacker, a minor who hacked Twitter CEO Jack Dorsey's account by the 'SIM swapping' technique in August and sent out numerous anti-semitic and Nazi-related tweets, has been arrested.
Authorities arrested the individual who is part of The Chuckling Squad, a hacker group behind Dorsey's hack that has also claimed responsibility for hacks of other celebrities, including actress Chloe Grace Moretz, Motherboard reported on Sunday.
"He was a member of Chuckling Squad but not anymore. He was an active member for us by providing celebs/public figure [phone] numbers and helped us hack them," a leader in the hacking group known as "Debug" was quoted as saying.
Debug said the group kicked out the member behind Dorsey hacking in October.
In that hack, the individual obtained Dorsey's phone number.
"The rest of the hack was completed by themselves and other Chuckling Squad leaders known as Aqua and NuBLoM," informed 'Debug'.
"We applaud the efforts of all the law enforcement agencies involved in this arrest," said Santa Clara County District Attorney's Office, which manages the Regional Enforcement Allied Computer Team (REACT).
Hackers in August broke into Twitter CEO's account and posted a flurry of rogue tweets, including racial slurs.
The micro-blogging platform later said that it secured Dorsey's account which became a victim of 'SIM swapping' or 'SIM jacking' where a mobile number is transferred to a new SIM card.
"The phone number associated with the account was compromised due to a security oversight by the mobile provider," Twitter has said in a statement.
"This allowed an unauthorised person to compose and send tweets via text messages from the phone number," the company added.