maia.crimew.gay/src/decks/fuckstalkerware.md

#FuckStalkerware at ETH

hacking a morally bankrupt industry

a talk about stalkerware, hacktivism and ethics

maia arson crimew

content warning: discussion of abuse/controlling behavior


maia arson crimew

  • is 24 years old
  • uses it(/she) pronouns
  • has been a hacktivist since 2019
  • got indicted in 2021 ^-^ oopie
  • leaked the 2019 version of the US no fly list in 2023
  • is a silly "journalist/blogger"
  • is literally a kitten

what did it do for the rest of this year


what did it do for the rest of this year

  • published thousands of emails revealing the secret US based working group behind much of current international anti-trans legislation
  • reported on various hacks by other actors
    • a cybersecurity company pwned by a random 4chan user
    • kittensec leaking romanian and EU government data
    • a write up on various security issues in the streaming platform kick.com
    • an exclusive report on how rosgosstrakh got hacked

what did it do for the rest of this year

  • investigative internet pop culture journalism
    • an ifunny clone that isn't actually what it seems at all
    • how a popular tiktok meme account has a dark past and connections to the far right
  • guested on various political and pop culture podcasts
  • various other media work
  • started the #FuckStalkerware project to help combat stalkerware and get an insight into the industry

Note: podcasts such as well there's your problem, the worst of all possible worlds, red planet and many more

media work both giving interviews and portraits about myself and acting as an expert on various topics

let's cover some basics

  • what's hacktivism
  • what is my motivation

what is stalkerware


what is stalkerware

  • commercially available spyware
  • often advertised for:
    • "parental control"
    • figuring out if your partner is cheating on you
  • hidden from the target, often pretends to be system application
  • usually requires brief physical access, though it can also be installed remotely

what is stalkerware

  • reports activity on the victim device, such as:
    • text messages sent and received
    • phone calls made (sometimes with recording)
    • websites visited
    • any photos taken
    • geolocation
    • ambient audio recordings
  • sometimes allows remote sending of text messages

why is this bad?

Note: spying on partners is bad, spying on kids is bad, trying to solve social issues with technology is bad, stolen text messages allow theft of 2fa codes and taking over other accounts, privacy is a fucking human right for everyone no matter who they are, what they do or how old they are

why we hack stalkerware providers

  • legislation and courts are slow
  • we can collectively defend ourselves from abusive technology
  • most stalkerware providers have horrible security

example: SpyHide


example: SpyHide

  • an iranian stalkerware
  • users/victims all over the world
  • 750k users
  • extremely trivial to hack

example: SpyHide

  • exposed .git directory allows stealing dashboard source code using goop
  • turns out to be a trashy php monorepo for both frontend + backend

example: SpyHide

trying to find something to exploit

  • auth cookies are in the format of userid.passwordmd5.lang.timezone.db_type
    • user ids are sequential
    • yes, the password as represented in the db with the db salt and all is in the cookie
    • db type is either a or b, where b appears to stand for "backup", both my accounts are on type b

example: SpyHide

trying to find something to exploit

for auth via level2 phone app an "app key" is required, which is described by code comments as follows:

```php
// $app_key is generated in level2 app hash(md5_pass.username.private_key)
// $u_id will send from level2 app to identify target user
// $tz is level2 app phone timezone
// $lang is level2 app phone default language
```

the mentioned private key (which is actually a static salt) is asrome_intermilan_realmadrid.


example: SpyHide

trying to find something to exploit

  • uploadPhoto, uploadRecordAmbient and uploadRecordCall allow arbitrary file uploads

```php
// as found in the spyhide source: the extension check runs, but nothing happens on failure
$allowed = array('3gp');
$objFile = & $file_array["recordcall"];
$filename = $objFile['name'];
// the record id is parsed straight out of the client-supplied filename
$record_id = explode(".", $filename);
$record_id = explode("_", $record_id[0]);
$record_id = $record_id[2];
$ext = pathinfo($filename, PATHINFO_EXTENSION);
if (!in_array($ext, $allowed)) {
    // the only reaction to a disallowed extension is a commented-out log line
    // error_log("HACKER:".basename( $objFile["name"] ));
}
```

  • uploadRecordAmbient and uploadRecordCall even acknowledge this as a vulnerability: a check that only allows .mp3 or .3gp files respectively exists, but its result is ignored
  • this should work to give us code execution
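for contrast, here is what that handler should have looked like. this is an added example written for this deck, not spyhide's code; the function name `validateRecordUpload` and the `$uploadDir` parameter are assumptions, and it takes the same `$_FILES`-style entry the original reads from `$file_array`.

```php
<?php
// hardened version of the record upload check (added example, not SpyHide's code)
function validateRecordUpload(array $objFile, string $uploadDir, array $allowed = ['3gp']): string
{
    // 1. refuse anything PHP itself flagged as a failed or missing upload
    if (($objFile['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // 2. never trust the client filename: drop any directory part first,
    //    which is what allowed the traversal to /funky.php in the original
    $clientName = basename((string) $objFile['name']);
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    // 3. extension allow-list, and this time the result is actually acted on
    if (!in_array($ext, $allowed, true)) {
        throw new RuntimeException('disallowed file type: ' . $ext);
    }
    // 4. check the bytes, not just the name: a recording is not a php file
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($objFile['tmp_name']);
    if (!in_array($mime, ['video/3gpp', 'audio/3gpp', 'audio/mpeg'], true)) {
        throw new RuntimeException('unexpected content type: ' . $mime);
    }
    // 5. store under a server-generated name in a directory the web server
    //    does not execute scripts from, so even a mis-classified file is inert
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($objFile['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    return $dest;
}
```

the three changes that matter relative to the spyhide code: the failed check aborts instead of logging, the client-chosen path is never reused, and the content is inspected rather than only the extension.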

example: SpyHide

trying to find something to exploit

  • one problem left: we need a device id
  • reversing a bit more of the code to figure out how to register a device to my test account
  • we now have a device with the very numeric id 'maia'
  • time to upload a "photo" (base64 encoded webshell)
    • as a little extra flex i use directory traversal to place it at /funky.php

example: SpyHide

it's exploitin' time


example: SpyHide

it's exploitin' time

  • compress and download all webroots hosted on this server using the webshell
  • grabbing all databases using an existing adminer install

example: SpyHide

it's exploitin' time


example: SpyHide

analysis

  • over 230gb of exfiltrated data
    • source code, databases
    • photos, calls and ambient audio recordings from phones
  • some account owners have spied on as much as 30 different devices over the course of multiple years, stalking some people across multiple phone changes
  • dataset actually makes it somewhat possible to identify victims, containing some imeis and phone numbers

Note: no journalists, victim support groups or researchers appear to have made use of that fact so far, as far as i'm aware

example: SpyHide

analysis

  • a look through email addresses used for registration reveals around 190 users with various government email addresses
    • at least 16 us government addresses, incl .mil and various correctional officers
    • 5 users from colombian national police
    • massive amounts of users from brazilian and philippine departments of education
  • spyhide data retention claims are a lie
    • photos and recordings from as far back as 2020 found despite claims they are deleted after 3 months

Note: there is no email verification, so data may be skewed

police and correctional officer use implies possible evaluation of commercial spyware for law enforcement use, a pattern observed in other datasets as well

based on code analysis data is only deleted when operator stops paying.

example: SpyHide

analysis

image credit: TechCrunch

Note: a map of all recorded gps location data points in the dataset, showing spyhide being used all over the world with hotspots in europe, brazil, indonesia and the US

example: SpyHide

the result

  • SpyHide briefly rebrands as Oospy
  • a few days after techcrunch and i published our stories hetzner takes down the spyhide backend server
  • paypal is contacted about the paypal account used for spyhide/oospy billing
    • paypal payment option disappears, we do not know if paypal took action
  • main known developer is confronted about the paypal account
  • oospy goes completely offline
  • as far as we can tell they have not come back online
    • this is not a one time thing (see LetMeSpy)

conclusions


conclusions

  • hacking stalkerware works, and gives effective results
  • indispensable data for understanding the industry, reporting on it and fighting against it
  • it should not be easy and profitable to run a stalkerware business
    • more and more just give up instead of rebranding and keeping at it

conclusions

morality

legality ≠ morality

Note: victims need to be freed from, informed about and protected against stalkerware now, not in 10 years when it might be illegal in some places. by giving victims and support orgs leverage and evidence to stand against not just their abusers but also the companies enabling and preying on them, we can break the market now


Q & A with maia

i am unable to answer questions regarding legal proceedings concerning me, don't ask. i will also not answer any other question putting me or others at any unreasonable legal risks.