Tuesday, September 30, 2014

Mobile Spyware: Finally criminal?

Commercial mobile spyware apps have been around for over a decade. They've been on every platform, with the best (if one can call it that) support on the most popular operating systems. They're usually sold as tools to help one monitor their children or keep track of a spouse or significant other. Tracking the latter groups leans toward a gray or even a black/illegal area.

The FBI has come around to the idea that folks selling spyware (or at least mobile spyware) are committing a crime. Specifically, since your phone is a telecommunications device, installing spyware on it is the same as wiretapping. Also, the CEO of Invocode (producers of StealthGenie spyware) and his employees are members of a "criminal conspiracy responsible for StealthGenie". Fortunately, the FBI arrested the CEO in Los Angeles over the weekend.

StealthGenie is a spyware app that supports iOS, Android and Blackberry OS. Blackberry support only applies to pre-Blackberry 10 devices, so newer devices would not be vulnerable. The capabilities of the spyware are not breaking any new ground; we've seen all of this before, including in software from their competitors.

StealthGenie's homepage - "The World's Most Powerful Mobile Phone Spy Software"

Intriguingly, from the Government's complaint, Invocode expected that the majority of their sales of the StealthGenie mobile spyware would be to "[s]pousal cheat: Husband/Wife of boyfriend/girlfriend suspecting their other half of cheating or any other suspicious behaviour or if they just want to monitor them.". So mainly to monitor someone else's phone without their permission. The FBI agents purchased a copy of StealthGenie and were able to immediately monitor the calls and text messages from another of their phones. While investigating monitoring software from competitors of Invocode, I've also seen that they perform similarly or perform additional functions.

Speaking of Invocode's competitors, they don't seem to think highly of StealthGenie:

"...simply isn't worth the money!" - advice from other criminals?

The screenshot above is from a competitor that recommends two other mobile spyware packages, in addition to itself, that they prefer to StealthGenie. This implies that these are three other, possibly more powerful, mobile spyware and "wiretapping"/interception tools that are still available on the app markets. I applaud the US government going after Invocode in the "first-ever criminal case concerning the advertisement and sale of a mobile device spyware app".

Due to the gray-area uses of mobile spyware, anti-malware and anti-spyware companies have had to come up with classifications to keep us from stepping on possibly legal developers of spyware. This is mainly to avoid being sued for being anti-competitive or harming the business of legitimate monitoring software developers. It would certainly ease matters now that governments are starting to criminally prosecute producers of tools that can be used to intercept users' calls and texts.

--------------

If you're curious about the legality of selling mobile spyware, the US Government cites the following sections of law:

Title 18, United States Code,
Section 2512(1)(b) (sale of an interception device)
Section 2512(1)(c)(i) (advertisement of a known interception device)
Section 2512(1)(c)(ii) (advertising a device as an interception device)

One can read the details themselves in the Federal complaint.

Wednesday, September 17, 2014

My smartphone is my key: Musings on the security of Smart-padlocks

Keys can be a bother. You forget them inside the apartment, they're stuck in a pocket or bag with your arms full, or you just lose them. When I was in high school, combination locks really appealed to me: no keys to misplace, just a simple three-number combination to remember. Awesome, until the first time I forgot my combination after gym class. One pair of bolt cutters and I was able to change for my next class, but I was out one fancy combination lock. Potential memory lapses (my head is full of much more today than back in high school) rendered combination locks more of a hindrance than a boon.

In previous years solutions to my problems with hotel keys and my house keys have arrived, but until the recent Noke (pronounced 'No Key') Kickstarter campaign I didn't have a reasonable way to replace the keys to my padlocks. Fortunately for me, the people at FŪZ Designs have thrown physical keys and combinations out to create a smart-padlock.

Smartphones? Now, smart-padlocks.

No more forgotten combinations?
Like a door from Star Trek, just walking up to your Noke lock with your smartphone unlocks it. For some of my more efficiency-minded friends that easily saves them seconds in their day. Given that the associated lock control apps let one control the unlock distance, I'm not too worried that attackers will steal things from my locker or ride off with my bike before I've gotten to them.

One can shorten the unlock distance via the control app.

The Noke lock actually shares more with the ignition lock in a modern car than with that old combination lock on my high school locker. Like the car without a new Transponder key, the Noke can be set so that it won't open without your smartphone. Of course that would just turn your smartphone into the key; lose your phone or let it run out of power and you've lost your key. The designers have thought of that; they include a way to unlock the Noke with a 'Quick-Click' code. That code of course being the spiritual successor to my old nemesis the 'Combination'.
The Quick-Click code is a good backup opening method when you don't have your phone.

Truthfully the Quick-Click code, utilizing the shackle (that metal U-shaped part at the top) of the lock to enter the combination, is quite brilliant. While one could say it is a cousin of the original combination on a lock, its purpose is more like that spare key you keep under the doormat or that rock in your front yard.

Almost like Morse Code, one enters a series of short and long 'clicks' of the shackle. Entering the wrong code not only delays you but doing so 5 times disables this manual unlock method. Attackers trying to brute force the combination will get shut out.

Attacks against padlocks
I have friends who practice Locksport (recreationally playing with locks they own, looking for ways to bypass or 'lockpick' them). They're the sort to be first in line to buy a Noke once they hit the market. It's exactly the sort of puzzle they'd find amusing.

I'd already learned about the simplest physical attack from the teachers cutting my padlock off with the bolt cutters in school. The Noke has a hardened shackle to defeat this sort of attack. The physical security of the Noke could be bypassed with sufficient force, but it would lead to exposure of the attacker.

My Locksport friends have shown me more elegant means, such as the easy-to-make soda can shim. In a standard padlock the only thing holding the shackle locked is a spring-loaded bar. The shim just pushes the bar out of the way, releasing the shackle. Shouldn't lockmakers have designed better ways to prevent attackers shimming their padlocks? Traditional lockmakers have, and so have the Noke's makers. They utilize a "double ball" mechanism to prevent 'shimming'. [More on 'double ball' padlocks from Deviant Ollam's fine book on lockpicking.]

Inside a Noke - Shackle at the top, 'Double ball' to counter shimming.

Attacks against smartphone apps
I'd be remiss if I didn't consider when an attacker would go after the low-hanging fruit of the mobile app. The apps (one for each platform - Android, iOS, Windows Mobile) are the major interface to the padlocks. One can lock/unlock, set unlocking distance, and manage distribution of shared keys. They also store a history of keys used.

I once described a possible threat scenario to a colleague regarding the ability of a particular piece of spyware to compromise the location and travel patterns of C-level executives. That last history feature of the app, while it doesn't leak the GPS data or location data, can still provide an attacker with hints to location and specific time ranges when their victim is alone.

The sharing/key management feature of the app is another interesting target. Stealing keys from the app or, better, generating a valid shared key would allow the attacker to simply walk by and access the victim's valuables. Since a shared key must be generated by the app, an attacker compromising it or controlling it can craft a permanent 'skeleton key' to access/unlock the Noke.

Are we ready for Smart-padlocks?
My trouble with padlocks began decades ago. Smartphones have made my life easier; I no longer need to remember every single password to access my accounts. If my padlocks have gotten smart enough to work with my smartphone so I don't need to memorize a new combination or keep track of a physical key, then I'm happy. Of course, if my padlocks get smart enough that they need an immune system (or at least Antivirus) I won't be disappointed.




Auto "Kill Switch", solving the wrong problem?

Consumer Watchdog, a consumer advocacy group, put out a report on the dangers of Internet connected cars. They received coverage on the nigh...