Citizen Lab says Sandvine network gear aids government spyware

Sandvine insists report is inaccurate and misleading

Sandvine interface

Internet users in Turkey, Egypt and Syria who attempted to download legitimate Windows applications have been redirected to nation-state spyware through deep-packet inspection boxes placed on telecom networks in Turkey and Egypt, according to a report issued Friday by security research group Citizen Lab.

Citizen Lab, a Canada-based security and human rights research group run out of the University of Toronto's Munk School of Global Affairs, said it has found Sandvine PacketLogic devices being used on the networks of Türk Telecom and Telecom Egypt for distributing malware designed for varying purposes, ranging from political censorship to cryptocurrency mining.

"The apparent use of Sandvine devices to surreptitiously inject malicious and dubious redirects for users in Turkey, Syria, and Egypt raises significant human rights concerns," the report says.

Targeted internet users in Turkey and Syria who attempted to download Windows applications from official vendor websites, including Avast Antivirus, CCleaner, Opera, and 7-Zip were silently diverted to malware-infested versions of the software through HTTP redirects, the report says.

"This redirection was possible because official websites for these programs, even though they might have supported HTTPS, directed users to non-HTTPS downloads by default," the report says.

In Turkey and Syria, the malware in question is said to be similar to spyware known as StrongPity.

Citizen Lab claims those targeted in Turkey and Syria who downloaded applications from CBS Interactive's Download.com were also redirected to downloads containing spyware. The group says that Download.com, despite claiming to offer secure downloads, does not appear to support HTTPS.

A spokesperson for CBS Interactive's CNET did not immediately respond to a request for comment.

In Egypt, the Sandvine boxes appear to have been employed for a money-making scheme referred to as AdHose, which, according to Citizen Lab, involves distributing either affiliate ads or browser cryptocurrency mining scripts. The network hardware is also supposedly being used to censor sites like Human Rights Watch, Reporters Without Borders, Al Jazeera, Mada Masr, and HuffPost Arabic.

Sandvine and its owner, Francisco Partners, has been engaged in a back-and-forth with Citizen Lab in recent weeks over concerns that the pending report is technically flawed and misrepresents the company's products.

In a March 7 letter, Sandvine asked the University of Toronto to delay publication of the report, claiming that Citizen Lab's allegations are not technically feasible and are intentionally misleading.

What's more, the firm charges that Professor Ronald Deibert, who heads Citizen Lab, relied on unethical research methods and misappropriated company technology by acquiring a second-hand Sandvine box for testing.

In a letter sent on Thursday in response to Sandvine's objections, attorneys representing the University and Citizen Lab disputed the network hardware company's claim about the inability of its technology to function as described in the report, defended Citizen Lab's methods, and questioned the networking firm's unwillingness to respond to questions about its commitment to human rights and ethical business practices.

"You state, broadly, that Sandvine takes seriously its commitment to corporate social responsibility and ethical use of its products," the letter states. "However, you have not responded to any of the specific questions asked of Sandvine by Citizen Lab in letters dated February 16 and March 1, 2018."

In response to an inquiry from The Register, a spokesperson for the company in an email said:

"Sandvine is deeply committed to ethical technology development and we hold our business processes and behavior to the highest standards. We institute strong safeguards to ensure adherence to our principles of social responsibility, human rights, and privacy rights. We have a Business-Ethics Committee that conducts a comprehensive review of all potential regulatory compliance engagements to identify risk of product misuse prior to any sales. We investigate all allegations of misuse and have a place on our website to report such allegations.

"Based on a preliminary review of the report, certain Citizen Lab allegations are technically inaccurate and intentionally misleading. Despite repeated requests, Citizen Lab refused to provide us with a copy of their report or any underlying data prior to its release, which made it impossible for us to investigate their allegations of misuse of our product and denied us any opportunity to fully respond to the claims in the report.</ br>

"Our investigation of these allegations remains ongoing. We have never had, directly or indirectly, any commercial or technology relationship with any known malware vendors, and our products do not and cannot inject malicious software. While our products include a redirection feature, HTTP redirection is a commodity-like technology that is commonly included in many types of technology products. This standards based protocol is present across a wide variety of networking elements that an end user’s traffic would traverse and is widely deployed and used every day by corporations, security products and telecom providers (just to name a few) for legitimate and lawful purposes."

The Citizen Lab report concludes that companies like Sandvine that do business with regimes that flout democratic norms need to take responsibility for potential uses of their products that violate human rights. It also says that its findings underscore the need for website operators to support HTTPS connections. ®

Sponsored: Minds Mastering Machines - Call for papers now open


Biting the hand that feeds IT © 1998–2018