FOXTROT/ALFA: FinFisher Analysis, Assange Wiretapping, The Witcher Owns

Welcome to a special end of the year edition of FOXTROT/ALFA! This is issue 54 for Saturday, 28 December 2019. I know, I usually don’t do these on the weekend but I wanted to write a last newsletter for 2019 and give the year a proper send-off and I’ll be kind of busy Monday and Tuesday. So here it is now, the last collection of tech news for the year – with the 36th Chaos Communication Congress in full swing in Leipzig, it will naturally be a lot of 36C3 stuff.

Attacking a WiFi Connection from a Bluetooth Vulnerability

“Wireless communication is completely broken”, says a security researcher, who was able to turn off a smartphone’s WiFi signal over its Bluetooth connection, in her 36C3 talk. She did this by combining two software vulnerabilities in Broadcom’s Bluetooth chips. With an iOS device, she even managed to crash the whole operating system. The vulnerabilities have been fixed, but a general architectural problem remains in that both Bluetooth and WiFi use the same 2.4 GHz band and often share antennas in devices. Therefore, they need to coordinate who’s sending data when – for example when you’re playing a video over WiFi and you’re listening to it on Bluetooth headphones. The researcher exploited the interface Broadcom uses for both components to talk to each other to attack one module from a vulnerability in the other. This presumably opens the door for similar exploits with other chips in the future.

CCC Analysis of FinFisher Android Trojan

Two experts from the German Chaos Computer Club (CCC) have analysed several malware samples by German/British spyware company conglomerate FinFisher/Gamma International/Gamma Group and published their results for 36C3. FinFisher is being sued by Netzpolitik.org, the Gesellschaft für Freiheitsrechte, Reporters Without Borders and the European Center for Constitutional and Human Rights because they allegedly violated German export restrictions when they sold a version of their Android trojan to Turkey. The trojan was then allegedly used against dissidents in the country. CCC’s Thorsten Schröder and Linus Neumann have now conclusively proven that a) the trojan sample used in Turkey was made by FinFisher and that b) it was made (and crucially: exported) after 18 July 2015, thus violating German export restrictions that went into effect on that day. At least this must be the case since the German government says it hasn’t granted any licenses to export commercial spyware to date.

They proved a) with an exhaustive analysis comparing the Turkish sample to samples leaked in 2014 when FinFisher was hacked and 40 GB of their internal data was published on the internet. The CCC experts then demonstrated b) by examining what third party open source software was bundled with the trojan, when it was released and when the certificate its APK was signed with started to be valid. All in all, a fascinating analysis and attribution done right and also explained very transparently. Reporting by yours truly.

Assange Wiretapping in Ecuadorian Embassy Detailed

Also at 36C3, former CCC spokesperson Andy Müller-Maguhn explained how Julian Assange was being spied on while in exile in the Ecuadorian embassy in London. The now defunct Ecuadorian intelligence agency SENAIN had originally hired the Spanish security company Undercover Global, run by David Morales, to protect Assange’s security and paid at least $5 million for this. But Morales was turned by the CIA, for an additional $200,000 a month. For this money, he furnished the Agency with access to the footage from the embassy and caused the existing cameras to be outfitted with microphones. When Assange used a noise generator to escape surveillance, Undercover Global made the embassy install special foil on the windows so that Assange could again be eavesdropped on using laser microphones. Morales' SENAIN handler was paid $20,000 a month by the CIA to look the other way.

This wiretapping was also how the CIA learned that Ecuador was trying to smuggle Assange out of the embassy with a diplomatic passport in 2017. Assange had been made an Ecuadorian citizen just for the occasion. One day after Assange had been briefed in person on the final plan by the head of SENAIN, Rommy Vallejo, the US issued an international arrest warrant for Assange, foiling the operation.

Something for the Weekend, Sir?

If you’re interested in the hacks and privacy problems with Amazon’s video doorbell company Ring, may I recommend this podcast episode I released today? I go in-depth on how Ring started as a great idea to protect your home from burglars and then turned, with a little bit of help from Silicon Valley investors and your local police department, into one of the biggest Orwellian surveillance nightmares of modern day urban life.

Highlights include:

The source also recounted instances of Ring engineers “teasing each other about who they brought home” after romantic dates.

…and:

Once a hacker has broken into the account, they can watch not only live streams of the camera, but can also silently watch archived video of people – and families – going about their days. Or a hacker can digitally reach into those homes, and speak directly to the bewildered, scared, or confused inhabitants.

HPE’s CEO Talks Cloud and Services

The Register has published an interesting interview with HPE CEO Antonio Neri. The guy “started out at HPE in a Netherlands call centre and rose through the ranks to replace Meg Whitman as the boss of HPE on 1 February 2018” and his main agenda for this interview seems to be to rip Amazon a new one.

“Maybe five years ago or 10 years ago the cost of [public cloud] compute was very attractive to [customers] because they don’t have to deal with labor, power, cooling, de-appreciation, all the things that you normally go through when you deploy infrastructure, and that was appealing.”

Neri claimed AWS, via Outposts, is giving customers a “tentacle” to extend its public cloud into their own data centre. “The reality, they’ve [AWS] already told you, [is it] will cost you more, at least 30 per cent more than moving your data into the public cloud. So it is a way to attract you back to the public cloud. What we want is an open approach, a true, multi-cloud approach where you have choices, you have the flexibility to move data and apps to where it makes more sense, whether it is for security purposes or for experience purposes or cost purposes.”

In other news, HPE is going all-in on subscription, like everyone else.

By 2022, HPE wants to sell its entire portfolio as a service though its hardware and software will still be able to be bought in the classic way.

The Witcher is Really Successful

The Witcher is great. It’s my top show of the year and that includes all movies I’ve seen as well (which weren’t that many, I admit). The current streaming numbers seem to agree with me:

Toss a coin to your Witcher, because despite some negative critical reviews, the show is a bona fide hit with audiences. Netflix’s The Witcher is currently the third most in-demand original series by a streaming platform in the US, behind Stranger Things and Disney’s The Mandalorian.

Well, maybe that is because it’s actually a good show? Because the audience can actually tell, you know? And they generally don’t give a fuck about whatever agenda professional critics are pushing that day – is it still gender at the moment, I lose track of these things…?

I’m glad to see the people running the show get it, as well.

For showrunner Lauren Hissrich, the reaction that matters more is clearly the one from the audience. “Many people have sweetly written me, upset about the Witcher reviews,” she wrote on Twitter the day after the show premiered. “Know this: Who do I care about? ‘Professional’ critics who watched one episode and skipped ahead? Or REAL fans who wanted all eight in one day, and are starting their rewatch? I am fucking THRILLED.”

Here’s to hoping The Witcher never changes. Ah. I should probably re-watch it. It’s been a week after all.

Disco Elysium is Great

I really like Disco Elysium. And now the vultures at The Register have finally played it too and they seemed to like it as well. Not as much as I did, but that’s OK.

Play Disco Elysium, it rocks! Eh… I mean it’s Disco, of course.

Also Noteworthy

Some other stories I came across that might be worth a read:

And here’s a bonus bullshit one that isn’t:

See you again in 2020! Have a good slide, as we say here in Germany.


This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.