Feeds

Marlinspike: Saudi mobe network tried to recruit me to sniff citizens' privates

Gov plans to probe tweets, chat, claims crypto guru

Protecting against web application threats using SSL

Claims that a Saudi mobile network is attempting to spy on citizens emerged after the telco apparently tried to recruit top cryptographer Moxie Marlinspike - who promptly went public.

The cryptography expert and former hacker, who left Twitter's security team in January, said he had been asked to help Mobily in its state-backed project to monitor encrypted chat sent by Twitter, Viber, WhatsApp and other third-party smartphone natter apps.

Just two months ago, the Saudi telecommunications regulator was reported to have warned that encrypted messaging services including Skype, Viber and WhatsApp could be blocked if they did not provide the government the means to monitor the apps. Saudi papers at the time said the affected firms had been given one month to respond.

Marlinspike has published emails exchanged between himself and someone who appears to be a high-ranking executive at the mobile telco, who apparently tried to hire the noted software engineer. The network is investigating the claims, we're told. A spokesman told the WSJ that Marlinspike's "account of of his contacts with Mobily 'is not 100% accurate'."

Mobily, one of two telecom operators in Saudi Arabia, is believed to be under pressure from a regulator within the kingdom to wiretap the aforementioned apps. Its bosses, it is claimed, sought technical knowhow from Marlinspike, who created a tool that intercepted secure web traffic to highlight shortcomings in HTTPS and SSL.

But the expert would have been a rather poor recruitment target: he co-founded Whisper Systems, a company which provided free encrypted cellphone comms technology to dissidents in Egypt during the time of the Arab Spring uprising. And he devised the Convergence SSL system to strengthen the bedrock of cryptography HTTPS web browsing is built on.

Whisper was bought by Twitter in 2011, and Marlinspike worked on the social network's software security team after the acquisition. All of this makes Marlinspike a highly unlikely recruit for a state-sponsored surveillance project.

Nonetheless, according to the engineer and keen sailor, Mobily sent him an email titled Solution for monitoring encrypted data on telecom that outlined its requirements for the dragnet lawful interception project. Despite the telco's apparent lack of communications security skills, with the funds available at its disposal, it will eventually come up with a mobile snooping system that works, Marlinspike lamented on his blog. He claimed:

One of the design documents that they volunteered specifically called out compelling a CA [Certificate Authority] in the jurisdiction of the UAE or Saudi Arabia to produce SSL certificates that they could use for interception. A considerable portion of the document was also dedicated to a discussion of purchasing SSL vulnerabilities or other exploits as possibilities.

Their level of sophistication didn’t strike me as particularly impressive, and their existing design document was pretty confused in a number of places, but Mobily is a company with over 5 billion in revenue, so I’m sure that they’ll eventually figure something out.

What’s depressing is that I could have easily helped them intercept basically all of the traffic they were interested in (except for Twitter – I helped write that TLS code, and I think we did it well). They later told me they’d already gotten a WhatsApp interception prototype working, and were surprised by how easy it was. The bar for most of these apps is pretty low.

The discussion between the Mobily employee and Marlinspike progressed until, we're told, the SSL expert was asked for a price quote - at which point he declined stating he wasn't interested in the job for privacy reasons.

Undaunted, according to the published emails, the Mobily pitchman responded that the project was needed in order to spy on the local jihadis, going so far to suggest that Marlinspike was "indirectly helping those who curb the freedom with their brutal activities" by not getting involved with the wiretap project.

Marlinspike has little doubt that other telecom providers in multiple countries are running surveillance projects similar to the one described above, hence his decision to publish the messages.

"I’m being rude by publishing this correspondence with Mobily, not only because it’s substantially more rude of them to be engaged in massive-scale eavesdropping of private communication, but because I think it’s part of a narrative that we need to consider," he said. "What Mobily is up to is what’s happening everywhere, and we can’t ignore that."

In his blog post Marlinspike went on to talk about changes in hacking culture, increased commercialism, governments and defence contractors splashing cash all over exploit marketplaces to becoming the biggest consumers of attack code, and private citizens becoming a principal target. ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.