A top-secret NSA document, which was recently shared by Edward Snowden with the CBC, shows a joint plan to by intelligence agencies in the US, UK, Canada, Australia and New Zealand to hijack Google's and Samsung's app stores to install malware that could be used for surveillance purposes. These five countries, known as the five eyes, also exploited weaknesses in certain apps for the purpose of tracking suspected terrorists.
The document, dated from 2012, shows that a joint team from the five eyes countries held several workshops in Canada and Australia throughout 2011 and 2012. The team was attempting to intercept signals between a user's device and a server when an app is downloaded or updated. Ultimately, their goal was to implant spyware on people's devices, in order to track their Internet usage. The joint team apparently respected an agreement not to spy on each other's citizens during this operation, and targeted app servers hosted in France, Switzerland, the Netherlands, Cuba, Morocco, the Bahamas and Russia, according to the document.
The five eyes team also discovered security weaknesses in UC Browser, a mobile browser popular in China and India which is gaining popularity in North America. According to Citizen Lab, a human rights and technology research organization, the browser uses a form of encryption which is susceptible to publicly available tools. Secure apps like UC Browser normally encrypt communication with servers when they install or update, in order to keep certain detail about the user private. Due to a weakness in the encryption used by UC Browser, government agents as well as hackers could easily get access to information like locational data and device IDs.
Alibaba, the Chinese technology giant which owns UC Browser, issued a statement that they had no knowledge of the security weakness and noted that this issue predated the acquisition of UC Browser by Alibaba. The statement encourages users to update to the latest version of UC Browser to avoid security risks. CBC had informed Alibaba of the security risks in mid-April, and in response to it they released a software update to address the issue.
Canada's intelligence agency refused to comment on its capabilities when questioned by the CBC, but only stated that their mission to collect intelligence to protect Canadian citizens and that they do not direct their actions at Canadians or within Canada. Britain's GCHQ commented that all of its work is within a strict legal framework. The American NSA, as well as intelligence agencies from Australia and New Zealand, refused to comment.
Do you think the NSA has found a way to implant spyware on devices in the time since this document was created? Leave your comment below.