Five of the world's major nations have exploited weaknesses in UC Browser in their plan to hack into smartphones via links to Samsung and Google app stores, according to a document obtained by CBC News. Electronic intelligence gathering agencies in Australia, Britain, Canada, New Zealand, and the National Security Agency (NSA) in the US have been planning their hacks for some time, based on an alleged need for intelligence in the war on terror. The countries also hoped to place spyware on certain smartphones during the project, called "Irritant Horn."
The surveillance endeavor was the project of the Network Tradecraft Advancement Team, an electronic eavesdropping group that employs, among others, spies from each of the five countries in the "Five Eyes" alliance. NSA whistleblower Edward Snowden obtained the document and it was published Wednesday by CBC News in collaboration with The Intercept. It outlines the proceedings from 2011 and 2012 workshops held in Canada and Australia for purposes of developing strategy.
The Five Eyes tradecraft collaboration sought ways to intercept the transmissions from smartphones when users update or download apps in order to implant spyware on the phones. These "man-in-the-middle" attacks would allow the agencies to place spyware, but the presence of the opportunity is itself telling.
The tactic of exploiting weaknesses in mobile apps to access private data was dangerous. The servers targeted by the intel-gathering team exchange data from millions of smartphones worldwide. In fact, these agencies failed to warn the public that the weaknesses existed, leaving millions vulnerable to hacking by other governments' agencies, criminals, and hackers with a range of motives.
Toronto human rights and technology research group Citizen Lab says that the UC Browser app was continuing to place the data of millions of users at risk, as until recently it was still leaking data in the same way, sometimes at rest. They also found "major security and privacy issues" in the Chinese and English editions of the Android version of the app. The group indicates that nothing more than tools that are readily available for public use is needed to hack the app.
"Of course, the user of this application has no idea that this is going on," says Citizen Lab's director, Ron Deibert. "They just assume when they open a browser that the browser's doing what it should do. But in fact, it's leaking all this information."
While it may seem obvious or even justifiable to some that government agencies want to track the online movements of users to determine their habits, interests, and relationships, they are not alone in finding this information desirable. Criminals and hackers are equally interested in this kind of detail and regularly put this sort of data to their own uses.
"What they are clearly looking for are common points, points where thousands, millions of internet users actively engage in, knowing that if they can find ways to exploit those servers, they will be privy to huge amounts of data about people's internet use, and perhaps use bits and pieces of that to make correlations," says Michael Geist of the University of Ottawa, one of Canada's foremost Internet law experts.
"All of this is being done in the name of providing safety and yet ... Canadians or people around the world are put at risk," Geist adds.
The agencies targeted mobile app servers in Africa, especially the Congo, Sudan, and Senegal, as well as the Bahamas, Cuba, France, Morocco, the Netherlands, Russia, and Switzerland. The document implies that this focus was based not only on interest but also on respecting mutual agreements not to spy on each other's citizens.
The Communications Security Establishment, Canada's electronic surveillance agency, refused to comment on its ability to carry out these kinds of operations based on the Security of Information Act.
"CSE is mandated to collect foreign signals intelligence to protect Canada and Canadians from a variety of threats to our national security, including terrorism," the agency said in a written statement. "CSE does not direct its foreign signals intelligence activities at Canadians or anywhere in Canada."
Government Communications Headquarters (GCHQ), the UK counterpart of NSA and CSE, said only that all its work "is carried out in accordance with a strict legal and policy framework."
Neither the NSA nor the Australian or New Zealand surveillance agencies commented to CBC News. Samsung and Google also declined to comment when contacted by CBC.
CBC News and the US news site The Intercept analyzed the top secret document. The Intercept is dedicated in part to reporting on the classified and top secret documents leaked by Edward Snowden, the now-famous American whistleblower.
Back in April, Citizen Lab told the creator of the app, Alibaba, that the app was leaking. When CBC contacted the company it released a fix, but not before. When it reviewed the update, Citizen Lab found that the Chinese language version of the app still fails to encrypt search terms. The Chinese version leaks more data than the English version in any case.
"We take security very seriously and we do everything possible to protect our users," said Alibaba in a written statement. "We have no evidence that any user information has been taken."
This revelation prompts the question: do government agencies, even spy agencies, bear any responsibility for warning the public when they are vulnerable?
"Of course, the security agencies don't [disclose the information]," says Deibert. "Instead, they harbour the vulnerability. They essentially weaponize it."
Geist maintains that the public rightfully expect the federal government to protect them, including from dangers like these.
"We should be troubled by the notion of our spy agencies, and in a sense our government, actively looking for vulnerabilities or weaknesses in the software that millions of people are using," said Geist. "That feels in many respects like a significant abdication of what I think most would expect from our government."