Canada and its spying partners exploited weaknesses in one of the world's most popular mobile browsers and planned to hack into smartphones via links to Google and Samsung app stores, a top secret document shows.
Electronic intelligence agencies began targeting UC Browser — a massively popular app in China and India with growing use in North America — in late 2011 after discovering it leaked revealing details about its half-billion users.
Their goal, in tapping into UC Browser and also looking for larger app store vulnerabilities, was to collect data on suspected terrorists and other intelligence targets — and, in some cases, implant spyware on targeted smartphones. The 2012 document shows that the surveillance agencies exploited the weaknesses in certain mobile apps in pursuit of their national security interests, but it appears they didn't alert the companies or the public to these weaknesses. That potentially put millions of users in danger of their data being accessed by other governments' agencies, hackers or criminals.
"All of this is being done in the name of providing safety and yet … Canadians or people around the world are put at risk," says the University of Ottawa's Michael Geist, one of Canada's foremost experts on internet law. The top secret document was analyzed in collaboration with U.S. news site The Intercept, a website that is devoted in part to reporting on the classified documents leaked by U.S. whistleblower Edward Snowden.
The so-called Five Eyes intelligence alliance — the spy group comprising Canada, the U.S., Britain, Australia and New Zealand — specifically sought ways to find and hijack data links to servers used by Google and Samsung's mobile app stores, according to the document obtained by Snowden. Over the course of several workshops held in Canada and Australia in late 2011 and early 2012, a joint Five Eyes tradecraft team tried to find ways to implant spyware on smartphones by intercepting the transmissions sent when downloading or updating apps.
Privy to huge amounts of data
The Five Eyes alliance targeted servers where smartphones get directed whenever users download or update an app from Google and Samsung stores. Samsung and Google declined to comment. The servers provide key access points to massive amounts of data flowing from millions of smartphones around the world. "What they are clearly looking for are common points, points where thousands, millions of internet users actively engage in, knowing that if they can find ways to exploit those servers, they will be privy to huge amounts of data about people's internet use, and perhaps use bits and pieces of that to make correlations," says Geist.
Making that connection was a much desired goal of the agencies because of the growing use of smartphones and the wealth of data they contain. Respecting agreements not to spy on each others' citizens, the spying partners focused their attention on servers in non-Five Eyes countries, the document suggests. The agencies targeted mobile app servers in France, Switzerland, the Netherlands, Cuba, Morocco, the Bahamas and Russia. Canada's electronic surveillance agency, the Communications Security Establishment, refused to comment on its capabilities, saying that would constitute a breach of the Security of Information Act.
"CSE is mandated to collect foreign signals intelligence to protect Canada and Canadians from a variety of threats to our national security, including terrorism," the agency said in a written statement. "CSE does not direct its foreign signals intelligence activities at Canadians or anywhere in Canada." Britain's counterpart, GCHQ, said all its work "is carried out in accordance with a strict legal and policy framework." The U.S. National Security Agency and New Zealand surveillance agency did not respond. Australia's signals intelligence agency refused to comment.
Millions of users have 'no idea'
As the Five Eyes team sought ways into the mobile app store servers, they also uncovered security gaps in the popular UC Browser, owned by the powerful Chinese tech giant Alibaba Group. It is the world's most popular mobile browser behind those pre-installed on smartphones. As the team discovered, the UC Browser app leaked its users' phone numbers, SIM card numbers and details about the device to servers in China. In that stream of data, Five Eyes analysts found one country's military unit using the app as a covert way to communicate about its operations in Western countries.
They touted this signals intelligence coup as providing an "opportunity where potentially none may have existed before," the document says. Citizen Lab, a human rights and technology research group in Toronto, says that the UC Browser app was still leaking data until recently, and that was putting millions of users' data at risk. "Of course, the user of this application has no idea that this is going on," says Ron Deibert, director of the Citizen Lab, which is based at the University of Toronto's Munk School of Global Affairs. "They just assume when they open a browser that the browser's doing what it should do. But in fact, it's leaking all this information." Citizen Lab analysed the Android version of the app and found "major security and privacy issues" in its English and Chinese editions.
National security vs. privacy
Secure apps typically encrypt a smartphone's communication with a server for such purposes as downloading or updating apps to prevent outsiders from gaining access to sensitive details about a user. But Citizen Lab recently found Android versions of UC Browser leaking search queries, SIM card numbers and device IDs without any such protection. Some of it leaks even when the app is at rest. Also, the app was transmitting the smartphone's location with encryption that the Citizen Lab says is easy to hack with publicly available tools. All these details allow a government agency, hacker or criminal to track a person's movements and find out their habits, their relationships and even their interests.
Citizen Lab reviewed the update and found that the Chinese language version of the app — which leaked more data than the English one — still doesn't encrypt search terms. The case raises questions about whether government agencies, even covert ones, should carry some responsibility for informing citizens of weaknesses they've unearthed in devices, operating systems and online infrastructure.
For his part, Geist argues that there is an expectation that the federal government will protect Canadians. "We should be troubled by the notion of our spy agencies — and in a sense our government — actively looking for vulnerabilities or weaknesses in the software that millions of people are using," said Geist. "That feels in many respects like a significant abdication of what I think most would expect from our government."
But not everyone agrees. "The fact that certain channels and devices are vulnerable is not ultimately the problem of signals intelligence," says Christian Leuprecht, a Royal Military College professor and fellow at Queen's University's Centre for International and Defence Policy. If Canadians are concerned with encryption standards and privacy issues, he says, they can lobby governments to crack down on network operators, manufacturers and developers. "Because the same way that our signals intelligence agency can follow data, devices and servers in other countries, remember that our adversaries are trying to do the exact same thing here."
110 Reykjavik, Iceland