Mobily, a Saudi Arabian telecommunications company with 4.8 million
subscribers, is working on a way to intercept encrypted data sent over
the Internet by Twitter, Viber, and other mobile apps, a security
researcher said Monday.
Moxie Marlinspike, the pseudonymous cryptographer who has identified
several security bugs in the secure sockets layer protocol used to
protect website transactions, said he learned of the project after
receiving an e-mail from company officials. Carrying the subject line
"Solution for monitoring encrypted data on telecom," it said the project
was required by "the regulator." Marlinspike believed this meant the
government of Saudi Arabia. In follow-up e-mails, the Mobily officials
said they were looking for ways to bypass the protections built into the
SSL and Transport Layer Security protocols so telecom workers could
monitor messages spreading terrorism.
"One of the design documents that they volunteered specifically
called out compelling a [certificate authority] in the jurisdiction of
the UAE or Saudi Arabia to produce SSL certificates that they could use
for interception," Marlinspike wrote in a blog post.
"A considerable portion of the document was also dedicated to a
discussion of purchasing SSL vulnerabilities or other exploits as
possibilities."
Mobily representatives didn't respond to an e-mail seeking comment for this article.
Marlinspike, who recently left Twitter after working in the company's security department, continued:
"Their level of sophistication didn’t strike me as particularly
impressive, and their existing design document was pretty confused in a
number of places, but Mobily is a company with over five billion in
revenue, so I’m sure that they’ll eventually figure something out.
What’s depressing is that I could have easily helped them intercept
basically all of the traffic they were interested in (except for
Twitter—I helped write that TLS code, and I think we did it well). They
later told me they’d already gotten a WhatsApp interception prototype
working and were surprised by how easy it was. The bar for most of these
apps is pretty low."
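The interception design Marlinspike describes, a certificate for the target hostname issued by a CA the client already trusts, defeats ordinary chain validation, because the client only checks that the chain ends in a trusted root. A hardened client such as the Twitter TLS code he mentions instead pins the server's public key. The Go program below is an added illustration, not code from the article, from Marlinspike, Twitter, or Mobily: it builds two self-signed roots (a "genuine" one and a "compelled" one, both constructed here), has each issue a certificate for the same constructed hostname, and shows that standard path validation accepts the rogue chain while an SPKI pin check in the shape of Go's `tls.Config.VerifyPeerCertificate` rejects it. All names, the hostname, and the helper functions are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// spkiPin returns base64(SHA-256(SubjectPublicKeyInfo)), the value most
// pinning implementations compare against.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// verifyPinned has the shape of tls.Config.VerifyPeerCertificate. It ignores
// which CA signed the chain and accepts the peer only if the leaf key is pinned.
func verifyPinned(pins map[string]bool) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("peer presented no certificate")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return err
		}
		if !pins[spkiPin(leaf)] {
			return fmt.Errorf("leaf for %q is not a pinned key", leaf.Subject.CommonName)
		}
		return nil
	}
}

// newCert is a constructed helper (assumption, not from the article): it makes a
// self-signed CA when parent is nil, otherwise a server leaf for host signed by parent.
func newCert(host string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	} else {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Demo plays out the scenario: the client trusts both roots, the genuine root
// issued the real server certificate, and a second ("compelled") root issued a
// look-alike for the same hostname. Returns whether the genuine leaf passes the
// pin check, whether the rogue chain passes ordinary validation, and whether
// the rogue leaf passes the pin check.
func Demo() (genuineOK, rogueChainValid, rogueOK bool, err error) {
	const host = "api.example.test" // constructed hostname, not a real service
	genuineCA, genuineKey, err1 := newCert("Genuine Root CA", nil, nil)
	compelledCA, compelledKey, err2 := newCert("Compelled Root CA", nil, nil)
	if err1 != nil || err2 != nil {
		return false, false, false, errors.Join(err1, err2)
	}
	genuineLeaf, _, err1 := newCert(host, genuineCA, genuineKey)
	rogueLeaf, _, err2 := newCert(host, compelledCA, compelledKey)
	if err1 != nil || err2 != nil {
		return false, false, false, errors.Join(err1, err2)
	}
	roots := x509.NewCertPool() // the device trust store: both roots are trusted
	roots.AddCert(genuineCA)
	roots.AddCert(compelledCA)
	_, verr := rogueLeaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	rogueChainValid = verr == nil
	check := verifyPinned(map[string]bool{spkiPin(genuineLeaf): true}) // pin shipped in the app
	genuineOK = check([][]byte{genuineLeaf.Raw}, nil) == nil
	rogueOK = check([][]byte{rogueLeaf.Raw}, nil) == nil
	return genuineOK, rogueChainValid, rogueOK, nil
}

func main() {
	g, chain, r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine leaf passes pin: %v\nrogue chain passes CA validation: %v\nrogue leaf passes pin: %v\n", g, chain, r)
}
```

The point of the pin set being keyed on the SPKI hash rather than on the whole certificate is that the operator can renew the certificate with the same key without shipping an app update, while a certificate minted under a different key by any CA, compelled or compromised, still fails. In a real client the pin check is registered as `VerifyPeerCertificate` alongside, not instead of, ordinary chain validation.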
Marlinspike said it was "rude" of him to publish the details of a
private correspondence but that it was "substantially more rude of them
to be engaged in massive-scale eavesdropping of private communication."
He warned readers about the influence wealthy governments are having on
hackers and security researchers. That influence is primarily driven by the
large-scale purchase of security exploits used to compromise computers and
eavesdrop on citizens. For a good understanding of how it all works, see
this article published Friday by Reuters reporter Joseph Menn.
"Really, it’s no shock that Saudi Arabia is working on this, but it
is interesting to get fairly direct evidence that it’s happening,"
Marlinspike wrote. "More to the point, if you’re in Saudi Arabia (or
really anywhere), it might be prudent to think about avoiding insecure
communication tools like WhatsApp and Viber (TextSecure and RedPhone
could serve as appropriate secure replacements), because now we know for
sure that they’re watching. For the rest of us, I hope we can talk
about what we can do to stop those who are determined to make this a
reality, as well as the ways that we’re already inadvertently a part of
that reality’s making."