Documents purportedly lifted from Indian government servers contain explosive allegations: that leading Western firms including Apple Corp., Research in Motion and Nokia provided the government with secret access to mobile devices their mobile operating systems- access that the Indian government then used to spy on official, high-level conversations about trade relations between the U.S. and China.
The documents, apparently leaked from the Indian Directorate General of Military Intelligence and dated October 6, describe an Indian government program dubbed RINOA SUR to get secret access to mobile devices running software by Apple, Research in Motion and Nokia (RINOA). The leaked documents suggest that Indian intelligence officers used the secret access to conduct surveillance of communications between members of the U.S.-China Economic and Security Review Commission (USCC), a U.S. government Commission that reports to Congress on the state of bilateral relations with the U.S. and the People’s Republic of China.
The leaked documents have not been verified by either the Indian government or the USCC. They first came to light after Christopher Soghoian, a fellow at Open Society Foundation and the Center for Applied Cybersecurity Research, published a link to scanned images of documents using a Twitter account. They are rumored to be part of a hoard of documents obtained by a domestic hacking group called the Lords of Dharmaraja. Among other things, that hack is alleged to have netted the group source code for the Symantec Norton Antivirus Product – code that was provided to the Indian government under an agreement between the government and Symantec.
In an e-mail statement, USCC Communications Director Jonathan Weston said that the Commission was aware of the reports of the leaked documents and had “contacted relevant authorities to investigate the matter,” but was unable to comment further. Weston declined to name the authorities that were notified of the breach.
Requests for comment from Apple, RIM and Nokia were not returned prior to publication of this story.
If legitimate, the leaked documents would be a serious security and intelligence failure for the Indian government, suggesting that sensitive and secret intelligence documents were residing on systems that were vulnerable to attack and data theft. It would also be direct evidence that government requests to private software firms for so-called “lawful intercept” capabilities are being used for intelligence gathering, not merely law enforcement.
The use of lawful intercept has become a contentious topic between civil liberties advocates and governments in the West as well as Asia. In October, the German government acknowledged that it employed a Trojan horse program dubbed “Quellen-TKU” to monitor a wide range of communications to and from persons of interest. The Trojan was allegedly installed by German police during customs checks. The popular revolts in Egypt also revealed the cooperation of a UK firm, Gamma, in helping authorities there spy on citizens using a program dubbed Finfisher.
Countries like Dubai and India have also pressured Western technology firms, including Research in Motion, to provide them with tools to decrypt encrypted communications from their mobile devices.