Marlinspike: Saudi mobe network tried to recruit me to sniff citizens' privates
Gov plans to probe tweets, chat, claims crypto guru
Claims that a Saudi mobile network is attempting to spy on citizens emerged after the telco apparently tried to recruit top cryptographer Moxie Marlinspike - who promptly went public.
The cryptography expert and former hacker, who left Twitter's security team in January, said he had been asked to help Mobily in its state-backed project to monitor encrypted chat sent by Twitter, Viber, WhatsApp and other third-party smartphone natter apps.
Just two months ago, the Saudi telecommunications regulator was reported to have warned that encrypted messaging services including Skype, Viber and WhatsApp could be blocked if they did not provide the government the means to monitor the apps. Saudi papers at the time said the affected firms had been given one month to respond.
Marlinspike has published emails exchanged between himself and someone who appears to be a high-ranking executive at the mobile telco, who apparently tried to hire the noted software engineer. The network is investigating the claims, we're told. A spokesman told the WSJ that Marlinspike's "account of of his contacts with Mobily 'is not 100% accurate'."
Mobily, one of two telecom operators in Saudi Arabia, is believed to be under pressure from a regulator within the kingdom to wiretap the aforementioned apps. Its bosses, it is claimed, sought technical knowhow from Marlinspike, who created a tool that intercepted secure web traffic to highlight shortcomings in HTTPS and SSL.
But the expert would have been a rather poor recruitment target: he co-founded Whisper Systems, a company which provided free encrypted cellphone comms technology to dissidents in Egypt during the time of the Arab Spring uprising. And he devised the Convergence SSL system to strengthen the bedrock of cryptography HTTPS web browsing is built on.
Whisper was bought by Twitter in 2011, and Marlinspike worked on the social network's software security team after the acquisition. All of this makes Marlinspike a highly unlikely recruit for a state-sponsored surveillance project.
Nonetheless, according to the engineer and keen sailor, Mobily sent him an email titled Solution for monitoring encrypted data on telecom that outlined its requirements for the
dragnet lawful interception project. Despite the telco's apparent lack of communications security skills, with the funds available at its disposal, it will eventually come up with a mobile snooping system that works, Marlinspike lamented on his blog. He claimed:
One of the design documents that they volunteered specifically called out compelling a CA [Certificate Authority] in the jurisdiction of the UAE or Saudi Arabia to produce SSL certificates that they could use for interception. A considerable portion of the document was also dedicated to a discussion of purchasing SSL vulnerabilities or other exploits as possibilities.
Their level of sophistication didn’t strike me as particularly impressive, and their existing design document was pretty confused in a number of places, but Mobily is a company with over 5 billion in revenue, so I’m sure that they’ll eventually figure something out.
What’s depressing is that I could have easily helped them intercept basically all of the traffic they were interested in (except for Twitter – I helped write that TLS code, and I think we did it well). They later told me they’d already gotten a WhatsApp interception prototype working, and were surprised by how easy it was. The bar for most of these apps is pretty low.
The discussion between the Mobily employee and Marlinspike progressed until, we're told, the SSL expert was asked for a price quote - at which point he declined stating he wasn't interested in the job for privacy reasons.
Undaunted, according to the published emails, the Mobily pitchman responded that the project was needed in order to spy on the local jihadis, going so far to suggest that Marlinspike was "indirectly helping those who curb the freedom with their brutal activities" by not getting involved with the wiretap project.
Marlinspike has little doubt that other telecom providers in multiple countries are running surveillance projects similar to the one described above, hence his decision to publish the messages.
"I’m being rude by publishing this correspondence with Mobily, not only because it’s substantially more rude of them to be engaged in massive-scale eavesdropping of private communication, but because I think it’s part of a narrative that we need to consider," he said. "What Mobily is up to is what’s happening everywhere, and we can’t ignore that."
In his blog post Marlinspike went on to talk about changes in hacking culture, increased commercialism, governments and defence contractors splashing cash all over exploit marketplaces to becoming the biggest consumers of attack code, and private citizens becoming a principal target. ®
Sponsored: Global DDoS threat landscape report