Are Automated Update Services the Next Surveillance Frontier?

Automated update services that provide users with security patches and feature enhancements are also a potential hunting ground for intelligence agencies and law enforcement surveillance activity.

SAN FRANCISCO – As more Web-based services are encrypted, privacy advocates are concerned the next wave of aggressive surveillance activity could target automated update services that essentially provide Internet companies root access to machines.

Chris Soghoian, principal technologist with the American Civil Liberties Union, said today at TrustyCon that current malware delivery mechanisms such as phishing schemes and watering hole attacks could soon be insufficient for intelligence agencies and law enforcement such as the NSA and FBI.

“The FBI is in the hacking business. The FBI is in the malware business,” Soghoian said. “The FBI may need more than these two tools to deliver malware. They may need something else and this is where my concern is. This is where we are going and why I’m so worried about trust.”

Update services have already been subverted in nation-state attacks. Flame, an extremely complex piece of malware, used an MD5 chosen-prefix collision attack to forge a certificate that chained up to a Microsoft certificate authority, then impersonated Microsoft's Windows Update on local networks so that other machines on those networks accepted malicious updates from the phony service.
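The Flame case turned on the update client trusting any certificate that chained to a vendor CA, including one the vendor never meant for code signing. As an added example (not code from the article, from Microsoft, or from any real update client), the following Go program shows the check a hardened client makes instead: it pins a single publisher key, verifies the signature over a manifest that carries the payload hash, and refuses rollbacks. The manifest format, the key names and the payloads are all assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the metadata a hypothetical update server publishes per release.
// The publisher's signature covers the JSON encoding of every field except Sig.
type Manifest struct {
	Version       uint64 `json:"version"`
	PayloadSHA256 string `json:"payload_sha256"`
	Sig           string `json:"sig,omitempty"`
}

// Distinct errors so that each rejection is auditable after the fact.
var (
	ErrBadSignature    = errors.New("manifest not signed by the pinned publisher key")
	ErrRollback        = errors.New("manifest version is not newer than the installed version")
	ErrPayloadMismatch = errors.New("payload hash does not match the signed manifest")
)

// Client pins exactly one publisher key. A certificate chaining to a vendor CA,
// forged or genuine, buys an attacker nothing here: only PinnedKey can sign.
type Client struct {
	PinnedKey ed25519.PublicKey
	Installed uint64 // highest version already applied, for rollback protection
}

// signingBytes returns the exact bytes the signature is computed over.
func signingBytes(m Manifest) ([]byte, error) {
	m.Sig = ""
	return json.Marshal(m)
}

// NewManifest hashes the payload and signs the manifest with the publisher key.
func NewManifest(priv ed25519.PrivateKey, version uint64, payload []byte) (Manifest, error) {
	sum := sha256.Sum256(payload)
	m := Manifest{Version: version, PayloadSHA256: hex.EncodeToString(sum[:])}
	msg, err := signingBytes(m)
	if err != nil {
		return Manifest{}, err
	}
	m.Sig = hex.EncodeToString(ed25519.Sign(priv, msg))
	return m, nil
}

// Verify accepts an update only if the manifest verifies under the pinned key,
// is newer than what is installed, and describes exactly the payload received.
// The signature is checked first so unsigned input never steers later checks.
func (c *Client) Verify(m Manifest, payload []byte) error {
	sig, err := hex.DecodeString(m.Sig)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return ErrBadSignature
	}
	msg, err := signingBytes(m)
	if err != nil {
		return err
	}
	if !ed25519.Verify(c.PinnedKey, msg, sig) {
		return ErrBadSignature
	}
	if m.Version <= c.Installed {
		return ErrRollback
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.PayloadSHA256 {
		return ErrPayloadMismatch
	}
	return nil
}

// Demo runs four constructed scenarios against a client with one pinned key.
// Keys and payloads are generated here for illustration; none are real.
func Demo() (map[string]error, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	// A second key stands in for an attacker holding a signing key the client
	// was never told to trust, the role Flame's forged certificate played.
	_, rogue, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	client := &Client{PinnedKey: pub, Installed: 41}
	payload := []byte("constructed update payload v42")
	good, err := NewManifest(priv, 42, payload)
	if err != nil {
		return nil, err
	}
	forged, err := NewManifest(rogue, 42, payload)
	if err != nil {
		return nil, err
	}
	old, err := NewManifest(priv, 41, payload)
	if err != nil {
		return nil, err
	}
	return map[string]error{
		"legitimate":       client.Verify(good, payload),
		"unpinned_key":     client.Verify(forged, payload),
		"tampered_payload": client.Verify(good, []byte("something else entirely")),
		"rollback":         client.Verify(old, payload),
	}, nil
}

func main() {
	results, err := Demo()
	if err != nil {
		fmt.Println("setup failed:", err)
		return
	}
	for name, verr := range results {
		fmt.Printf("%-17s -> %v\n", name, verr)
	}
}
```

Pinning a single key is deliberately stricter than chain validation: it means a forged or mis-issued certificate anywhere in the vendor's PKI cannot be turned into an accepted update, at the cost of needing an explicit key-rotation path.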

Soghoian said his concern is not only that the government will exploit the convenience of the update services most large providers offer, but also that doing so will erode the trust users place in those services, leaving them vulnerable to cybercrime, identity theft and fraud.

“There are really sound security reasons why we want automatic security updates. If consumers have to do work to get updates, they won’t, and they will stay vulnerable,” Soghoian said. “What that means though is giving companies root on our computers—and we really don’t know what’s in the code after the fact. This is a point of leverage the government can use. We have no evidence they are using it right now, but these companies have a position of power over our devices that is unparalleled.”

Soghoian provided historical context to back up his overall claim that whatever access the government has to communications is never enough. Going back to the early days of wiretapping 100 years ago, Soghoian said, the government and law enforcement have always enjoyed a cozy relationship with telephone companies, and today with telecommunications providers. Transparency reports published by Google, Facebook, Twitter, Microsoft and other giant Internet companies offer a window into the number of law enforcement requests these companies receive for user data, as well as government requests related to matters of national security.

Soghoian also cited testimony going back as far as 2010 from former FBI general counsel Valerie Caproni, now a U.S. District Court judge in New York, who repeatedly warned Congress that changes in technology would lead consumers to Internet services that are difficult to monitor.

Soghoian cautioned that the government could take advantage of existing product features to get its way. As an example he cited the Android lock screen: after a user fails the unlock pattern too many times, Android offers to unlock the phone with the credentials of the Google account synced to the device. Freedom of Information Act requests, Soghoian said, have revealed that the government has asked for password resets on particular users in order to gain access to their accounts or devices.

More concerning still is the government’s ability to use a court order to compel features that do not exist in a product today. Skype, he said, was served with a directive from the Attorney General to modify its end-to-end encryption so that the FBI could access encrypted communications, something revealed in the Snowden documents.

“We still don’t know what Skype did and when, and what law was used,” Soghoian said, adding that Lavabit, the secure email provider used by Edward Snowden, was served with a similar court order for its SSL private keys. Rather than comply, Lavabit shut down. If update services are the next surveillance frontier, Soghoian hopes the companies involved remain vigilant, because the same APIs that deliver code to everyone can be used to deliver code to specific people.

“I would hope Google would fight that type of order all the way to the Supreme Court. The same goes for Apple and Microsoft and others,” he said. “I hope the companies we depend on and trust would fight.”