Legalizing spyware. What can go wrong?
Summer has finally arrived, time for everybody to forget the monotony of the city, head to the beaches to relax and enjoy a few unforgettable parties.
It's also the favorite period of the year for the government to pass all the controversial and creepy laws that have no place in a civilized State.
On Wednesday 5 July 2023, the French parliament adopted the law "Orientation et programmation du ministère de la justice 2023-2027" (reform of the Ministry of Justice 2023-2027) with 80 votes for and 24 against. The bill had been initiated by the government through an accelerated procedure on May 3, 2023.
For reference, we have 577 Members of Parliament (MPs)...
This law, with its article 31 and among other things, legalizes the use of spyware on any device (not only smartphones, but also cars, baby monitors, doorbells, connected TVs, "smart" fridges, speakers, buttplugs...) by police forces, to track the location of suspects and remotely record audio and images.
Whether it is a malicious act or shortsightedness, this law is first and foremost dangerous for the security of our country and its citizens.
Let's see what can go wrong, before we hear the usual "Who could have predicted that?".
Vulnerabilities should be (dis)closed, not hoarded
Magic technology that would allow the "good guys" to hack the "bad guys" but not the "bad guys" to hack the "good guys" simply doesn't and will never exist. It's wishful thinking.
If a vulnerability exists, it can be used by anyone with the resources to exploit it, and in today's interconnected and globalized world it means a lot of people.
What can go wrong when your enemies exploit the vulnerabilities that you are voluntarily leaving in your infrastructure and defense systems?
What can go wrong when predators use these vulnerabilities to target children?
Any vulnerability that can be used by "legal spyware" can equally be weaponized to spread ransomware or any kind of other nasty malware.
In May 2017 the WannaCry ransomware brought the world into chaos. The worm used an exploit developed and hoarded by none other than the NSA, which was leaked by a mysterious group called The Shadow Brokers[2]. Hospitals, factories, offices: no system was spared.
Analysts now estimate that the total economic losses from the cyberattack could have reached many billions of US dollars.
What can go wrong with incentivizing the hoarding of vulnerabilities by the people whose raison d'être is to protect us?
It's about scale
High-tech spy gear is expensive. That cost is a natural defense against police overreach and widespread abuse[3].
Making invasive measures hard to abuse is a feature, not a problem.
Otherwise, it becomes easy to expand the spying to political opponents, Tinder matches and spouses' ex-husbands, as it's virtually free to do so. We could even make a few bucks selling these surveillance capabilities on the dark web, like that time when a French intelligence officer was caught selling fake IDs and location data to criminals[4].
Any vulnerability that can be remotely triggered can also be exploited at scale. Put another way, if malware authors or your enemies find the remotely exploitable vulnerabilities that you are leaving wide open, they can make a worm that spreads to hundreds of thousands or even millions of machines, as has already happened in the past.
What can go wrong?
Planting false evidence
Police planting false evidence to incriminate innocent people is nothing new. Here is a recent video (YouTube)[7] from France where police officers plant a small bag of cannabis (illegal in France) to wrongly accuse an innocent man. But they didn't stop there: they then stole the phone of his friend who was trying to record the scene to gather proof of the wrongdoing, assaulted the two men, and finally gave false testimony under oath.
Without the CCTV footage of the scene, these men would have been crushed by the justice system and would have had absolutely no chance of being heard by any judge.
What can go wrong when the same police gain even more power to manipulate digital devices and evidence?
The problem with digital evidence is that it's possible to leave no trace of wrongdoing. A capable enough attacker is going to remove all their traces (logs) and tamper with the data (modifying timestamps, for example).
The only way I see to accurately detect the planting of digital evidence on a device would be advanced network monitoring, where we would be able to see that the C&C (Command & Control) server of the spyware has sent "too much" data to the infected device. Indeed, in theory the spyware should receive very little data from the C&C (only commands), so an unusually large volume of inbound traffic would indicate an upload to the device.
But monitoring the network traffic of a mobile device is easier said than done, given the many networks a mobile device connects to in a single day. In practice, a victim of such abuse would have little to no chance of proving their innocence.
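As an added illustration of the inbound-traffic heuristic described above (example code written for this post, not the author's), the following Python script aggregates constructed flow records per remote host and flags a host that otherwise behaves like a command-only C&C channel (the device mostly uploads, the server only sends small commands) but, in one connection, pushes a large volume to the device. Hostnames, addresses and byte counts are made up; ordinary downloads (updates, CDNs) are also inbound-heavy, hence the allowlist parameter.

```python
from collections import defaultdict

# Constructed flow records (not a real capture), one per connection:
# "timestamp,remote_host,bytes_to_device,bytes_from_device"
SAMPLE_FLOWS = """\
2023-07-05T10:00:01,cdn.example-updates.test,52000000,1200
2023-07-05T10:05:12,api.social.test,80000,40000
2023-07-05T10:05:40,203.0.113.7,640,910000
2023-07-05T10:20:40,203.0.113.7,512,880000
2023-07-05T11:02:03,203.0.113.7,4800000,700
2023-07-05T11:30:00,mail.example.test,25000,30000
"""


def parse_flows(text):
    """Parse the CSV-like flow log into (timestamp, host, bytes_in, bytes_out) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, b_in, b_out = line.split(",")
        rows.append((ts, host, int(b_in), int(b_out)))
    return rows


def find_upload_anomalies(flows, known_download_hosts=(), min_inbound=1_000_000, ratio=100.0):
    """Return (host, timestamp, bytes_to_device) for connections where a host that
    elsewhere looks like an exfiltration/command channel (device sends far more
    than it receives) suddenly pushes a large volume *to* the device."""
    per_host = defaultdict(list)
    for ts, host, b_in, b_out in flows:
        per_host[host].append((ts, b_in, b_out))

    hits = []
    for host, conns in per_host.items():
        if host in known_download_hosts:
            continue  # update servers and CDNs legitimately push large downloads
        # Command-only C&C pattern: at least one connection is heavily outbound.
        exfil_like = any(b_out > ratio * b_in for _, b_in, b_out in conns)
        for ts, b_in, b_out in conns:
            # A large, inbound-dominated transfer on such a channel is the
            # "too much data sent to the device" signal the text describes.
            if exfil_like and b_in >= min_inbound and b_in > ratio * b_out:
                hits.append((host, ts, b_in))
    return hits


if __name__ == "__main__":
    for hit in find_upload_anomalies(parse_flows(SAMPLE_FLOWS), {"cdn.example-updates.test"}):
        print("suspicious upload to device:", hit)
```

Run on the constructed sample, only the 4.8 MB push from 203.0.113.7 is reported; the social and mail hosts are roughly symmetric and the CDN never looks like a command channel.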
And this is before talking about parallel construction[8].
What can go wrong?
What about tomorrow's technology?
One deputy, as a joke, tried to amend the law to exclude sex toys from the spying. On the one hand I salute the easy way to have fun and bring attention to the problem; on the other hand I wonder why nobody talked about the real deal: this law legalizes the hacking of future technology that doesn't exist or isn't widespread yet. I can guarantee you that it will have some "unexpected" consequences.
Today our smartphones and connected home speakers can already access almost all our most intimate secrets, but what about tomorrow's technology? What about neurotechnology? As we discussed last week, it's coming way faster than you expect, with AR/VR headsets, earbuds and wristbands with electrodes.
What can go wrong when the police hack into your neural data?
What can go wrong when criminals, using the vulnerabilities hoarded by police forces, hack into your brain activity data?
What can go wrong when a hostile State uses the same vulnerabilities to hack your country and "influence" the elections?
Really, what can go wrong?
Again, any vulnerability that can be used by the police can be used by criminals and enemies.
What is the biggest risk: your local street dealers getting away with selling some cannabis because police detectives couldn't hack into their phones or an enemy State targeting and destroying your digital infrastructure and democratic process?
For thee but not for us
Finally, the cherry on top of the cake is that lawyers, rulers (MPs, ministers...) and journalists have excluded themselves from these invasive measures.
What can go wrong when the political class, which should actually be the most surveilled as it is the most prone to corruption, removes itself from the surveillance it imposes on the productive class?
Can you run a country with only politicians and bureaucrats? The last time the ruling class gave itself too many privileges in France, it didn't end well.
"You become attracted to the power, then you become addicted to the power, then you're devoured by the power." (Kill The Messenger, 2014)
Some closing thoughts
Over the years, surveillance laws have all proved to be slippery slopes. First they are introduced after terrorist attacks or similar events, such as the algorithmic video surveillance introduced to prepare for the 2024 Olympic Games in Paris. Then they are used to track smaller offenses such as marijuana dealing, and finally they are used against peaceful protesters rallying against reforms they disagree with, political opponents and ex-husbands/wives[9].
As always, when a major hack happens as a consequence of this recklessness (it's not if but when), we will hear politicians say "Who could have predicted that?" or "Think about the children"[10]. But it will already be too late, and the lives of thousands to millions of people will have been affected in a way that could have been prevented.
Now you may be wondering how this spyware works under the hood, and how vulnerabilities are exploited, in order to better defend against them. In my book Black Hat Rust we build a RAT (Remote Access Tool), then we make it cross-platform in chapter 12 and add advanced features such as end-to-end encryption in chapters 11 and 13. We also see in chapters 6 and 7 how to find and exploit vulnerabilities, and in chapter 8 how to implement shellcode directly in Rust (instead of assembly).
You can read it now here: https://kerkour.com/black-hat-rust