Last week, an Indian hacker crew successfully broke into a secured Indian military government network. The group, the Lords of Dharmaraja, posted documents that infer Apple, Nokia, and Research In Motion gave the Indian government backdoor access to their devices in exchange for mobile phone market rights. Indian government officials say the files are forgeries; however, they fit in perfectly with what we know about mobile phone surveillance in 2012.
Fast Company has reported extensively on smartphone and computer security fears. In the documents, which have been posted on multiple mirrors, India military intelligence refers multiple times to a system known as RINOA SUR. According to ZDNet India’s Manan Kakkar, the RINOA portion of the acronym refers to “RIM, Nokia, Apple,” while the SUR portion is unknown. The documents describe a backdoor mobile phone surveillance system in great detail. The documents also infer that network access was granted to the Indian government in exchange for the right to sell to Indian consumers.
The pervasiveness of government smartphone and computer surveillance in the United States is unknown. Several days ago, a federal appeals court revived the Jewel vs. NSA [PDF] lawsuit, which alleges that the National Security Agency (NSA) routinely engages in warrantless surveillance of electronic communications. According to privacy watchdog group EPIC, a secret 2002 executive order granted the NSA the authority to conduct warrantless surveillance of electronic communications. The Jewel vs. NSA lawsuit was filed by Carolyn Jewel, a Los Angeles-area romance novelist who found evidence that showed details about her online activity were being given to the NSA by her Internet service provider.
Other intelligence agencies may be involved in warrantless surveillance of mobile telephone and Internet communications as well. The Electronic Frontier Foundation filed a lawsuit in late October alleging that the PATRIOT Act has “secret interpretations” that allow government agencies to conduct dragnets of e-traffic. Under these interpretations, it seems that large numbers of Americans–both individuals and businesses–can be targeted for surveillance if the FBI has determined they are “relevant to a government investigation.” No warrant is required.
Unfortunately, this isn’t just tinfoil hat chat. Sen. Ron Wyden (D-OR) and Mark Udall (D-CO) have both publicly expressed concern about possible or already-extant surveillance. Udall and Wyden both serve on the Senate Armed Services Subcommittee on Emerging Threats and Capabilities, which helps monitor information warfare and cyberintelligence.
The Lords of Dharmaraja posted about their alleged discovery on Google+ and Pastebin. According to one of the hackers, “Yama Tough”:
As of now we start sharing with all our brothers and followers information from the Indian Militaty (sic) Intelligence servers, so far we have discovered within the Indian Spy Programme (sic) source codes of a dozen software companies which have signed agreements with Indian TANCS programme (sic) and CBI.
Other alleged discoveries made by the Lords of Dharmaraja include portions of original source code for Norton AntiVirus, which Symantec has confirmed was authentic (although from an older 2006 version). A copy of the source code was quickly posted to Pastebin. What the source code for Norton AntiVirus was doing on secure servers belonging to Indian military intelligence is unknown.
But the most disturbing discovery from the Lords’ hacking exploits are documents indicating that the Indian military was spying on the United States. The RIM/Apple/Nokia surveillance documents also contain what appear to be private email excerpts belonging to employees of the U.S.-China Economic and Security Review Commission (USCC). The USCC is a Congressional-mandated commission whose duties include monitoring Chinese cyberwarfare and hacker attacks; Fast Company reported previously that Chinese cyberespionage has been a major concern for India. Most alarmingly, the documents infer the Apple/RIM/Nokia backdoor was used by India to obtain the U.S. government emails.
It is important to remember that the Indian documents are unconfirmed. Foreign intelligence agencies and other parties have used hacker attacks to spread disinformation in the past. However, even if the RINOA SUR documents have been falsified, it’s a safe bet that widespread surveillance of Internet and mobile phone traffic takes place in the United States on a daily basis.
While the NSA and other government agencies may have a mandate to fight the bad guys, they’re only human. The odds are likely that, within the next three years, we will see a corporate espionage case involving data used by unscrupulous government employees. Corporate secrets and sensitive business information are routinely sent by email; without proper encryption such as PGP or Tor, the worst can easily happen.