When We Undermine IT Security, We’re Undermining Ourselves
Our volunteer Jesse Schooff sees a disturbing trend in how governments and law enforcement approach IT security apparatuses.
Ottawa is currently embroiled in a potential espionage scandal – and like most recent espionage stories, it’s one rooted in technology security. On April 3rd, journalists for CBC News revealed that, using a device called the CryptoPhone, they had detected multiple instances of someone spying on cellphones around Canadian parliament and other government buildings.
CryptoPhone is an enhanced-security cellphone which – in addition to making encrypted calls – can detect devices called IMSI catchers (also colloquially known as StingRays). IMSI catchers impersonate cell towers, but when cell phones connect to them, the catchers can intercept data, including voice calls and text messages.
IMSI catchers are troubling for a number of reasons. Because they’re masquerading as part of the cell network, normal GSM encryption won’t protect users against them. They also collect data indiscriminately, meaning that individuals not targeted by a warrant may have their privacy breached, just because they happened to be in an area where the device was used. In testing, the devices have been shown to interfere with 911 calls, so a nearby person in distress might not be able to reach help when they need it most.
Canadian police and intelligence have been known to use such devices (much to the concern of OpenMedia and civil liberties groups). On April 5, the RCMP went public for the first time with details about their use of IMSI catchers.
It would be bad enough if it were Canadian law enforcement who were deploying these devices in places where they could scoop up data from the cellphones of parliamentarians, ambassadors, and employees at National Defense HQ. But the RCMP and CSIS claim that in this case, they’re not responsible, and have launched investigations into who is using the devices on Parliament Hill. The other possibilities are sobering: foreign spies? Organized criminals?
This story has a common thread which runs through many contemporary issues intersecting computer security and law enforcement: the false idea that we can make ourselves safer by dismantling or weakening our tech-security apparatuses.
There are several prominent examples of this:
Encryption
Law enforcement has been vociferously complaining in recent years about the problem of “going dark” – the idea that their ability to intercept electronic communications has been hampered by encryption. Even presuming this is actually a problem (it’s not), weakening encryption in practical terms either means asking for the impossible, or breaking a technology which is as fundamental to IT infrastructure as concrete and steel are to buildings. In the latter case, that means putting everything – bank accounts, our emails, our government’s data, everything – at greater risk of being hacked by spies or criminals.
Hoarding Zero Day Bugs
A vastly underappreciated aspect of the recent CIA leaks was the fact that the agency was hoarding zero-day vulnerabilities (in addition to buying zero-days from hacking firms and trading them with other intelligence agencies). A recent Freedom of Information Act request by Vice:Motherboard showed that the DEA has purchased zero-days. Zero-day bugs are unknown to the public or the manufacturer of the affected software/hardware, and thus, not fixed yet. When the bug allows a hacker to do something they’re not supposed to, that bug is a security vulnerability.
The Obama administration put forth a practice of not allowing intel agencies to stockpile large numbers of zero-days. Why? Because the administration knew that systems affected by the bugs were used by government too. When a bug isn’t fixed, it can be exploited by anyone: your own spies, foreign spies, criminals, etc. The best policy is for all levels of society, including government, to submit bugs to tech companies so that they can get fixed as quickly as possible, and thus keep everyone safe. Not only has it been shown that the CIA wasn’t doing that, but law enforcement has even encouraged companies to create insecure software which could make everyone’s systems less secure.
Teaching People to Hand Over Their Passwords
This is less about a specific technology and more about procedure. Phishing e-mails show that hackers’ first attack vectors often aren’t technology, but humans. Why go to the trouble of “real” hacking when you can trick users? This is why system administrators have spent decades grooming users, teaching them never to give out their passwords. This grooming is being undone at our national borders, as customs agents routinely demand that users hand over phone passcodes and Facebook passwords.
IMSI Catchers
Arriving back where we started, IMSI catchers exploit what is arguably a vulnerability in the GSM standard: the fact that cellphones implicitly trust cell towers to handle their decrypted data. In an ideal world, this would be fixed by telecoms and manufacturers in the next version of the GSM implementation. One wonders how much pressure companies will face from law enforcement NOT to fix this vulnerability. What’s more, a recent investigation by Al Jazeera showed that the manufacturers of IMSI catchers aren’t picky about who they sell to. So IMSI interception puts us all – including government – at risk of hackers who are spies, criminals, terrorists…
By now, savvy readers have noticed a pattern: IT security vulnerabilities exploited by domestic spies or law enforcement can also be exploited by the very people that our spies and police are tasked with protecting us from. This is due to a very simple fact: computers don’t know the difference between “good guys” and “bad guys”. Or to put it less simplistically, computers can’t understand the difference between lawful access and illegal access. Rather, computers only understand who has a key, and who does not.
The internet is a transformative, amazing invention of humankind. It brings the world to our doorstep. But the world includes lots of nasty people. In an era where we’re increasingly worried about ransomware attacks, foreign spies, hackers, terrorism, and criminals, how can we with good sense undermine the very technologies and practices that we use – that we need – to keep our data safe?
As an IT pro, I see before me a world of bridges and skyscrapers where government and law enforcement are telling industry to make faulty concrete, to deliberately smelt bad steel. Spies are cutting away load-bearing girders, because those girders obstruct the spies’ panopticon view. Our citizens are using these metaphorical bridges and buildings every day. The broad implications of this are terrifying.
With the detection of unknown IMSI catchers on Parliament Hill, parliamentarians, ambassadors, and government officials have potentially been the victims of the same kind of spying which the Canadian public now faces from our own police and spies. We can’t keep Canada’s technology and data secure if we undermine the tools and practices that IT security professionals have relied on for decades.
The solution to keeping Canadians safe in the digital age is not to weaken tech security, but rather to make it even stronger. We do this by building upon the knowledge and practices that IT pros have spent the last several decades cultivating. We do it by making Canada a world leader in IT security practices. Good IT security will keep the Canadian public safe, and it will keep the Canadian government safe. Weak and undermined IT security – as proposed by spies and law enforcement – will do the opposite. It’s impossible to have it both ways.
To my fellow Canadian citizens concerned about the current crisis, all of us at OpenMedia are asking that you add your voice to our petition at StopStingrays.org.
Jesse Schooff is a veteran IT professional and technical communicator. As a volunteer blogger for OpenMedia he specializes in issues of privacy and information security. You can find more of his writing at geekman.ca