Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Google Privacy Security

NSA Planned To Hijack Google App Store To Hack Smartphones 94

Advocatus Diaboli writes: A newly released top secret document reveals that the NSA planned to hijack Google and Samsung app stores to plant spying software on smartphones. The report on the surveillance project, dubbed "IRRITANT HORN," shows the U.S. and its "Five Eyes" alliance: Canada, the United Kingdom, New Zealand and Australia, were looking at ways to hack smartphones and spy on users. According to The Intercept: "The top-secret document, obtained from NSA whistleblower Edward Snowden, was published Wednesday by CBC News in collaboration with The Intercept. The document outlines a series of tactics that the NSA and its counterparts in the Five Eyes were working on during workshops held in Australia and Canada between November 2011 and February 2012."
This discussion has been archived. No new comments can be posted.

NSA Planned To Hijack Google App Store To Hack Smartphones

Comments Filter:
  • by danbuter ( 2019760 ) on Friday May 22, 2015 @04:35AM (#49749279)
    Bad part is, this would be middle of the newspaper, at best. Most people in the USA just don't care how badly our government is abusing everyone.
    • Death Penalty for the the NSA already, they are making the KGB, Nazis, and Stormtroopers look like good guys by comparison.

    • Maybe.

      I'm sure there are quite a few who are clueless and / or don't care because they naively believe it doesn't impact them.
      ( There is a reason both parties target young ( read that: inexperienced in how corrupt politics really are ) voters so much. )

      There are also quite a few who DO care, but are pretty much powerless to do anything about it outside of partying like it's 1776.

      We can pretend we're still a Democracy and that voting for X over Y will magically fix things but, in reality, both X and Y are ju

    • Bad part is, this would be middle of the newspaper, at best. Most people in the USA just don't care how badly our government is abusing everyone.

      "The top-secret document, obtained from NSA whistleblower Edward Snowden, was published Wednesday by CBC News in collaboration with The Intercept."

      For those not in the know, CBC News is roughly equivalent to CBS News in the US. So on the one side, it's not going to be in the "middle of the newspaper." On the other, publishing this on the CBC News website is equivalent to publishing this on the CBS News website -- meaning, it didn't even make it into a newspaper in the first place. CBC News does televisi

  • by ledow ( 319597 ) on Friday May 22, 2015 @04:45AM (#49749305) Homepage

    And, since then, almost every Internet service I use has started bringing their stuff out of the US. Not saying that makes us "hack-proof" (not least from our own intelligence agencies) but businesses can't do business with other governments or even large corporations if this kind of thing is suspected to be going on.

    Every week or so, another large company tells me that they've pulled all their EU users and their data to their Ireland datacentre so that only the US people's data can be "collected" by the US authorities and otherwise the NSA are just the same as any other foreign hostile entity trying to get into their systems.

    DropBox was the latest one I got an email from. The government and education services already do everything in-EU anyway because of a lovely thing called the Data Protection Act (which the US really needs to start adopting its own version of), and now even people's photo-sharing sites are doing the same because they just don't want this kind of stuff reflecting on them because they happen to do business in the US too.

    Tell me, people, if China were doing this everybody would be up in arms. But because it's the US, it's okay?

    All they've done is made everybody go from "Maybe the NSA could do this if they wanted" to "We have to assume they are doing this, all day, every day, no matter what the law says", move their data abroad, and massively increase awareness of security and encryption.

    Hell, I'm now suspicious of Elliptic Curve, especially if it relies on published curve parameters rather than them being an inherently configurable part of the exchange (like Diffie-Helman - agree on a curve that nobody has used before but has certain properties and then use that as the basis for encryption) - I have a feeling that all the push to move on COULD be a cleverly orchestrated move to something such agencies "approve" of in secret even if they say it causes them problems in public.

    When you think the trick is happening, maybe it's already been done...

    • by Anonymous Coward

      I think that [moving data to Irish subsidiary] fools nobody, we know that DropBox provided a PRISM interface to NSA, and if DropBox can get the data, then it can get it from Ireland. Ultimately you cannot use DropBox because DropBox is a US company.

      But your basic point is true, US companies are suffering from NSA actions, not so much directly from the hacking, but from the Republidroids pushing through laws to make it legal. So when they push a law giving immunity to corps for providing NSA with 'cyber-secu

      • by Anonymous Coward

        The NSA has collaboration agreements and monitoring points in place at most of the overseas cables, which feeds the XKeyScore programme. This means that even if your data is in (insert generic European country here) then it will still be eavesdropped upon by the NSA if it crosses a country border within the EU. This is what is known as 'the intelligence bazaar of Europe'.

        So even if you don't use Dropbox but say JottaCloud you will still be fucked because the NSA has the ability to insert MIM-servers between

    • by pscottdv ( 676889 ) on Friday May 22, 2015 @06:03AM (#49749523)

      We moved our EU data to EU servers because EU law requires it.

    • Moving Dropbox data to the Republic of Ireland makes it more legal for the NSA to access the data - they're definitely not accessing US citizen's data - not that I imagine it makes much of a difference.

      The difference it does make is that it's harder for the TLAs to get warrants to access the data - they now have to go via a foreign government's legal system, rather than the US rubber stamp system. The Irish government *appears* to have been less than accommodating - as show in the Microsoft email case:

      The US government has claimed a US warrant is sufficient to get emails even when stored in another country, while Microsoft has resisted, arguing the US warrant power does not reach that far. The case has made business rivals into temporary allies and forced Ireland's Minister for Foreign Affairs and Data Protection to ask the European Commission to formally support Microsoft.

      The [eff.org]

    • Re: (Score:2, Insightful)

      by Ryanrule ( 1657199 )
      You know how fucking stupid you are right? All the euro countries the nsa was spying on? Turns out THEY were doing the spying for the nsa, in exchange for access to the big intel pie. All the outrage was just for the sheeple. Those in power already knew. So take it somewhere else bro. Brah.
  • Why not also the iPhone, or has this already been hacked?

  • Hijack the android source code repository. Or maybe any blob there included...
    • At the end of the day the cellular firmware is a closed blob. No idea what's going on there, and with access that low level, you can do anything you want.

  • Cyanogen works better than Android, and you can avoid Google Play.

    • Because there's absolutely no chance that the NSA would ever think to hijack a connection to any other source of apps beyond Google's store?

  • You are witnessing pure evil at work.

    • by Noryungi ( 70322 )

      Nah, just business as usual.

      For pure evil, you have to go to Wall Street.

      • No, they're both evil - the difference [IMO] opinion is that Wall Street does their evil in public and doesn't pretend that it's for your own good.

  • by Anonymous Coward

    There's an ointment for that.

  • this is why debian has the GPG key-signing parties, and why all packages are GPG-signed by the package maintainer when they compile it, why the ftp masters sign the package when it's uploaded, and why the release files which include the checksums of all the packages are also GPG-signed. under this scenario there are an extremely limited number of extremely paranoid methods by which debian may be compromised. even the scenario of "cooperation between long-term sleeper agents within debian's ranks" would have a one-shot opportunity to get away with introducing malicious code, following the discovery of which their GPG keys would be revoked, the perpetrators kicked out of debian, their packages pulled immediately pending a review, and the already-effective procedures reviewed to involve multi-person GPG signing that would make it even harder for compromise to occur in the future.

    now, if you recall, there was an announcement a couple of years back that the development of Mozilla's B2G was declared to be "open" to all, so i contributed with a thorough security-conscious review of how to do package distribution. it turns out that Mozilla is *NOT* open - at all. several other contributors have learned that the Mozilla Foundation is in direct violation of its charter.

    basically, the Mozilla Foundation *completely* ignored the advice that i gave - which was that the use of SSL as a distribution mechanism would be vulnerable to *exactly* the kinds of attacks that we see the NSA attempting to do on google. they went so far as to enact censorship, preventing and prohibiting me from pointing out the severe security flaws inherent in their chosen method of package distribution. i remain deeply unimpressed with many aspects of so-called "open-ness" of well-funded software libre projects.

    • by Uecker ( 1842596 )

      this is why debian has the GPG key-signing parties, and why all packages are GPG-signed by the package maintainer when they compile it, why the ftp masters sign the package when it's uploaded, and why the release files which include the checksums of all the packages are also GPG-signed.

      Sorry, this is almost completely worthless without reproducible builds. (which finally some people started working on in debian) A compromised build host of a single debian developer (of which there are how many?) could easily introduce backdoor into a binary package which could be very hard to detect.

      But because we have gaping security holes in essential crypto and with the low quality of software in general this is a mood point anyway.

  • The success of this sort of thing could cripple the walled garden model. We need a more decentralized software distribution system. Yes, people that are terrible at this sort of thing profit from a walled garden. But it is also a crutch, gives too much power to apple, google, etc, and is apparently a security risk.

  • by ThatsNotPudding ( 1045640 ) on Friday May 22, 2015 @06:40AM (#49749623)
    "NSA Planned..."? Where is the proof they did not go ahead, or are still planning to, via moles or NSL-threatened insiders?

    Such a headline gives the impression we safely dodged a bullet, while still in the midst of a massive firefight (and our side only has sparklers and rubber bands).
  • The report on the surveillance project, dubbed "IRRITANT HORN,"

    Hehheh... the gay names of various NSA projects are always great humor.

  • by Ryanrule ( 1657199 ) on Friday May 22, 2015 @07:35AM (#49749819)
    in other news, wind is windy.
  • Shouldn't it say "NSA _Plans_ To Hijack Google App Store To Hack Smartphones"? I haven't read anywhere that they cancelled the plan.
  • I bet its already compromised, maybe for quite some time. What if this and articles like this are put out to make people think the NSA isn't as far along as they are. /paranoid mode off

  • by koan ( 80826 )

    The project was motivated in part by concerns about the possibility of “another Arab Spring,” which was sparked in Tunisia in December 2010 and later spread to countries across the Middle East and North Africa. Western governments and intelligence agencies were largely blindsided by those events, and the document detailing IRRITANT HORN suggests the spies wanted to be prepared to launch surveillance operations in the event of more unrest.

    It appears in some ways that these agencies have become dependent on their digital surveillance, to the point they are missing exactly what they claim to be looking for.
    I guess if you want to plan a revolution just use paper...

  • How many Linux/Unix repositories have been hacked? What exactly drops in when you update?

  • Sooner or later, every digital device we "own" will also be owned by the NSA, and they will have the ability to brick it. Even your car (thanks OnStar) will be bricked. For what purpose? Who knows? But it's clear that we have more to fear from the pricks at the NSA than we do from any hacker, terrorist or criminal, as the NSA is pure evil.

    • by koan ( 80826 )

      Yes, and soon a cashless society is thrust upon you, and then you can never be without your phone.

  • Can this be counted as a win for Windows phones. The NSA didn't even consider spying on them so they must be secure.
    • by PPH ( 736903 )

      We figure that Microsoft has been compromised since the first DoJ consent decree. So nothing new here.

  • Look, just operate under the general assumption that we live in a Police State that makes Eastern German Stasi look like kindergarten cops.

    Then you'll be a good serf.

    Is it unconstitutional and illegal?

    Of course.

    Will they do anything about it that actually changes anything?

    No.

  • Is anybody surprised?

    *Cricket sounds*

    Ok, now show of hands: Is anybody surprised the US Populace doesn't care?

    *Cricket sounds*
  • Maybe someone will code an app that gives false info to the NSA when polled at regular intervals. Or perhaps gives so much info that it b0rks the NSA spy grid with useless garbage info.:)
    • Maybe someone will code an app that gives false info to the NSA when polled at regular intervals. Or perhaps gives so much info that it b0rks the NSA spy grid with useless garbage info.:)

      PS Or even an app that sends a garbage routine command/request to the NSA compromised servers, you know, the gift that KEEPS ON GIVING.

      • Maybe someone will code an app that gives false info to the NSA when polled at regular intervals. Or perhaps gives so much info that it b0rks the NSA spy grid with useless garbage info.:)

        PS Or even an app that sends a garbage routine command/request to the NSA compromised servers, you know, the gift that KEEPS ON GIVING.

        PPS Or an app that sends a constant command/request to defrag the NSA compromised servers, or run (chkdsk C: /x /scan /f /v /sdcleanup /perf).

Real programmers don't comment their code. It was hard to write, it should be hard to understand.

Working...