Foreign Affairs

Written evidence from Bill Marczak, Human Rights Movement

EXPORT OF BRITISH-MADE SPYWARE TARGETING BAHRAINI ACTIVISTS

Background

1. This submission provides evidence that a British manufacturer of “lawful interception” computer spyware, Gamma International (hereinafter referred to as Gamma), has been supplying its products to the Government of Bahrain. This finding is in contrast to several public disclaimers by Gamma. Careful monitoring and analysis have shown that the government is using Gamma’s FinSpy spyware (also known as FinFisher) to target Bahraini activists. One individual who was targeted is a British pro-democracy activist and member of Bahrain Watch.

2. Exporting surveillance technology to repressive regimes is problematic. Last year, Bloomberg reported that Western surveillance technology sold to Bahrain facilitated the torture of activists.1 In that instance, the technology was capable of capturing text messages sent from a cell phone. In contrast, FinSpy offers far more invasive surveillance capabilities, including recording Skype calls, stealing passwords, and remotely enabling a computer’s microphone to record nearby conversation. There is concern that information obtained from FinSpy may have been, or could be, used to facilitate the torture of activists.

3. As this submission demonstrates, the export of British surveillance technology to repressive regimes is of broader interest than in just the case of Bahrain. Other repressive regimes, such as Turkmenistan, have been found to be using FinSpy as well.

4. This analysis was performed by Bahrain Watch member Bill Marczak--also a Computer Science PhD student at UC Berkeley--in collaboration with researchers at the University of Toronto’s CitizenLab group.

5. The author is willing to provide additional confidential details in support of this submission in private written or oral testimony.

Distribution

6. The campaign to target Bahraini activists began on or before 11 March 2012. Bahrain Watch has so far identified six rounds of e-mails targeting activists. The e-mails purported to contain information such as schedules of upcoming protests, photos of torture marks on activists, and documents about a secret dialogue. Some of the e-mails were designed to fool recipients into believing they were opening an e-mail from al-Jazeera journalist Melissa Chan.2

7. At least three UK residents were targeted with the spyware. One target is also a UK citizen and member of Bahrain Watch. It is not possible for Bahrain Watch to obtain a complete list of spyware victims, as the malicious e-mails were sent in such a way that one recipient cannot learn the identity of the other recipients.

8. The spyware was distributed as an attachment that posed as a picture file or a Microsoft Word document. When a victim opened the file, a malicious program was installed on his or her computer.

Identification

9. The malicious program was identified as Gamma’s FinSpy spyware based on the following three features:

The word “finspy” appeared in several places in the spyware’s code, in an apparent accident by the programmers of the spyware.

Researchers at CitizenLab matched the design of certain elements of the Bahrain spyware to another piece of spyware that communicated with servers belonging to Gamma International. This appeared to be a demonstration version of FinSpy from 2011.3

Certain aspects of the spyware’s behavior matched old FinSpy documentation.

10. Gamma claims that they sell exclusively to law enforcement and intelligence agencies, suggesting that the Government of Bahrain is behind the use of FinSpy in Bahrain.

Capabilities

11. The spyware appeared to steal saved passwords from more than 20 types of web browsers, instant messaging clients, and e-mail clients. The spyware was capable of recording every keystroke on the computer, as well as Skype calls, chat messages, and file transfers, and could silently turn on the computer’s microphone to listen in on nearby conversations.

12. The spyware contained techniques to bypass a wide array of anti-virus programs. The spyware employed sophisticated techniques to thwart analysis. The spyware was capable of re-infecting a computer even if all spyware files were deleted from that computer.4

13. All known files containing FinSpy have been provided to anti-virus companies for analysis. Many companies have added detection for the specific files seen in Bahrain. However, as of the date of this submission, anti-virus programs are incapable of detecting files with FinSpy if slight modifications are made to the files. Gamma claims they have already made far more extensive modifications to prevent detection.5 Bahrain Watch is also unaware of any anti-virus program that can detect and remove an existing FinSpy infection on a computer.

14. Versions of FinSpy for Blackberry, iPhone, Android, Nokia, and Windows Mobile were also identified and analyzed. It is not known whether these versions were used in Bahrain. The mobile phone versions contained similar functionality to the PC version, with the addition of GPS tracking and monitoring of popular third-party messaging applications such as WhatsApp.

The Relationship between Gamma and Bahrain

15. The spyware was found to communicate with a server in Bahrain. Publicly available information about the server’s internet address shows it belongs to a subscriber of Batelco, Bahrain’s main internet service provider.

16. As part of the analysis of FinSpy, Bahrain Watch registered a new e-mail account and logged into this account from an infected computer. FinSpy automatically captured the username and password and sent them to the server in Bahrain. Subsequent inspection of the e-mail account’s access logs showed that someone else had attempted to log in with the correct username and password,6 suggesting that the Bahraini government is actively monitoring and exploiting the information captured by FinSpy.

17. According to Gamma Executive Martin Muench, “Gamma has never sold their products to Bahrain.” Muench speculates that the spyware used against activists and journalists in Bahrain was an “old” demonstration version of FinSpy that had been stolen during a presentation.7 However, Bahrain Watch has found that two different versions of FinSpy (believed to be versions 4.00 and 4.01) were used in Bahrain, which is inconsistent with the theory of a single stolen demonstration version. Both versions communicated with the same server in Bahrain.

18. Muench further stated that the spyware used in Bahrain was modified so that it did not communicate with Gamma. Had the spyware communicated with Gamma, “the company would have been able to deactivate that copy of the software,” according to Muench.8 However, as described later, Bahrain’s FinSpy server appears to be receiving regular updates, as of the date of this submission. These updates are likely from Gamma.

19. Gamma documentation refers to the server component of a FinSpy installation as the Master.9 The job of the Master is to receive data from--and send commands to--infected computers. Gamma has claimed that Bahrain’s server is a proxy, ie, that it is simply a middleman that forwards communications to and from a Master outside of Bahrain. According to Muench: “The server that was found in Bahrain ... is not a product from the FinFisher product line.”10 Bahrain Watch believes that Bahrain’s server is not a proxy, but is in fact a FinSpy Master, based both on the server’s response time to commands and on a now-fixed bug on the server that revealed to each single recipient the total number of messages sent by the server to all recipients. Analysis of this total over time showed that the server was not forwarding messages to a third party.11 Additionally, some commands sent from the server back to an infected client included the phrase “finspy_master.”

20. After Bahrain Watch revealed the internet address of Bahrain’s FinSpy server, researchers began probing the server and testing its responses. Based on their findings, they scanned other internet addresses around the world looking for servers that responded in the same way. Security firm Rapid7 conducted scanning based on the observation that an unexpected message (“Hallo Steffi”) was displayed when a user visited the internet address of Bahrain’s FinSpy server in a web browser. They detected servers that responded identically in ten countries, including the UAE, Qatar, and Ethiopia. After the release of Rapid7’s results, the “Hallo Steffi” message began disappearing from the servers they found.12

21. Subsequent to the scanning by Rapid7, Bahrain Watch conducted scanning, in cooperation with CitizenLab. Our scanning was based on a novel technique that exploited a distinctive communication pattern between FinSpy servers and infected computers observed in the case of Bahrain. Scanning by Bahrain Watch confirmed servers in five additional countries (including Turkmenistan and Brunei) and also validated Rapid7’s results, even after the disappearance of “Hallo Steffi” messages. Scanning results were further validated by analysis of mobile phone versions of FinSpy spyware: one of the mobile phone versions was found to send stolen data to a server that had been detected via scanning.13

22. A week after Bahrain Watch revealed the internet address of Bahrain’s FinSpy server, the server disappeared and reappeared at a new internet address, detected by our scans. Bahrain Watch again revealed this address, and the server disappeared and reappeared at a third address, detected by our scans. Bahrain Watch has stopped publicly revealing the addresses of servers. Bahrain’s FinSpy server is still available at the third address, as of the date of this submission. The continued relocation and operation of the server suggests that Bahrain is still actively spying with FinSpy.

23. Bahrain Watch has noted that the behavior of the Master in Bahrain has changed several times in ways that are identical to other FinSpy servers detected by scanning. Most recently, this was observed in late October 2012. Here are a few examples of the changes, accompanied by the time period during which these changes were observed being gradually applied to FinSpy servers:

A bug that revealed how many total messages the server had sent was corrected. (June—July 2012)

Servers began returning “Hallo Steffi” in response to web browser requests. (June—July 2012)

Servers stopped returning “Hallo Steffi” in response to web browser requests. (August 2012)

The scanning technique employed by Bahrain Watch to locate FinSpy servers was rendered ineffective.14 (September—October 2012)

24. The fact that all known FinSpy servers, including Bahrain’s Master, continue to be updated in this fashion suggests that Bahrain’s Master is receiving updates from Gamma. According to leaked Gamma documentation, a FinSpy server needs to have a current update license purchased from Gamma in order to receive updates. Once the update license is expired, the server can no longer receive updates.15 The continued behavior changes on Bahrain’s server indicate a current update license, which suggests an ongoing business relationship between Gamma and Bahrain.

Export Controls

25. In response to a letter16 from UK organization Privacy International, the Secretary of State revealed that at some unspecified time in the past, it had examined a version of FinSpy, and communicated to Gamma that a license would be required to export that version outside of the EU.17 The licensing requirement was based on the use of export-controlled cryptography (as per Category 5 Part 2 of Annex I to the EU Dual-Use Regulation) in the version of FinSpy examined by the Secretary. Bahrain Watch understands that the first time that Gamma submitted a version of FinSpy for export classification was around June 2012.18

26. Bahrain Watch and CitizenLab analyzed the cryptography used by the versions of FinSpy sent to Bahraini activists. The spyware was found to use cryptography that Bahrain Watch believes is export-controlled under Category 5 Part 2 of Annex I to the EU Dual-Use Regulation.19 The cryptography was used to encrypt data transmitted between the infected client and the FinSpy server. The module containing cryptographic code extracted from the Bahrain versions of FinSpy bears a 7 March 2012 datestamp, indicating this as a possible export date.20

27. One of the selling points of FinSpy and similar spyware is that it can capture information (eg, passwords, Skype calls, etc.) before it is encrypted. Thus, the use of export-controlled cryptography in FinSpy is not necessary to capture information. In general, the two main uses of cryptography in an application like FinSpy would seem to be secrecy: ensuring that information captured by FinSpy could not be inspected by a third party while in transit from an infected computer to the FinSpy server, and authentication: ensuring that a third party could not frame an infected user by sending fake stolen data to the FinSpy server, and ensuring that a third party could not take control of an infected computer. These features might be desirable in order to help ensure that evidence collected by such spyware would be admissible in criminal proceedings.

28. The Bahrain version of FinSpy employed export-controlled cryptography for secrecy. However, this cryptography contained significant implementation bugs, rendering it weaker than even the strongest non-export-controlled cryptography.21 The bugs meant that a clever third party might have been able to inspect activists’ personal data as it flowed to Bahrain’s FinSpy Master.

29. Bahrain Watch was unable to determine if the Bahrain version of FinSpy implemented any authentication. Analysis of communications between an infected client and the server indicated further vulnerabilities that could perhaps be exploited by a third party to frame an infected client.

30. Neither authentication nor secrecy would seem to be of primary concern to a repressive regime: if the rule of law does not apply, then surely standards of evidence are not a concern. Thus, Gamma could probably produce a non-export-controlled variety of FinSpy of comparable functionality that would still be desirable for repressive regimes. Indeed, Gamma suggests that it produces editions of FinSpy that do not contain export-controlled cryptography.22

Recommendations

31. While British foreign policy purports to support efforts bringing freedom, democracy and human rights to authoritarian regimes abroad, British companies are complicit in the crushing of these efforts.

32. We have argued that export controls based on cryptography alone are an ineffective response, as export-controlled cryptography is not necessary to enable the capture of information from activists’ computers. Export-controlled cryptography instead supports use of this captured information in criminal proceedings, which is not likely to be a feature sought by repressive regimes. Indeed, previous actions by the Government of Bahrain show that information gathered by such tools is often used to facilitate torture rather than criminal prosecution. Furthermore, Gamma suggests that they produce editions of FinSpy without export-controlled cryptography.

33. Instead of relying on export controls based on the use of cryptography, we recommend that the government regulate these technologies by virtue of their surveillance capabilities. While such technology may have lawful applications, in the words of EU MP Marietje Schaake, “The concept of ‘lawful interception’ ... does not apply in countries where the rule of law is absent.” We recommend that surveillance technologies be added to the EU dual-use list, requiring licensing for export.

34. We also recommend that the government require all such exports to include “end-use” restrictions stipulating that products shall not be used in human rights abuses. The UK government should criminalize the sale of such products when a company knows or should reasonably know that the products will be used in violation of these end-use restrictions. Companies should also have an obligation to cease relations with, and deactivate any devices or programs sold to, an end-user who they know, or should reasonably know, is in violation of the restrictions.

35. Given Gamma’s dubious public statements regarding Bahrain, we also recommend that the UK government implement a robust monitoring regime to ensure that both companies and end-users are complying with these regulations.

36. Specifically, in the case of Bahrain, we urge the UK government to:

conduct an investigation to establish whether Gamma violated existing export controls.

exert pressure on Gamma to (1) cease providing--whether directly or indirectly--any software, hardware, or training to the Government of Bahrain, and (2) disable Bahrain’s installation of FinSpy, a capability Gamma possesses by its own admission.

19 November 2012

1 Bloomberg. 22 August 2012. “Torture in Bahrain Becomes Routine With Help From Nokia Siemens.” http://www.bloomberg.com/news/2011-08-22/torture-in-bahrain-becomes-routine-with-help-from-nokia-siemens-networking.html

2 The e-mails were from “Melissa Chan <melissa.aljazeera@gmail.com>.” That e-mail address does not belong to Ms. Chan.

3 CitizenLab. 25 July 2012. “From Bahrain With Love: FinFisher’s Spy Kit Exposed?” https://citizenlab.org/2012/07/from-bahrain-with-love-finfishers-spy-kit-exposed/

4 “Yurn” is the name given by security firm BitDefender to FinSpy. Bitdefender Labs. 28 March 2012. “Yurn trojan adds bootkit functionality.” http://labs.bitdefender.com/2012/03/yurn-trojan-adds-bootkit-functionality/

5 Bloomberg. 8 November 2012. “MJM as Personified Evil Says Spyware Saves Lives Not Kills Them.” http://www.bloomberg.com/news/2012-11-08/mjm-as-personified-evil-says-spyware-saves-lives-not-kills-them.html

6 The login came from a subscriber to a United States-based VPN (Virtual Private Network) service. Such services are often used to mask the true origin of communications.

7 Bahrain Watch believes that Gamma’s story about a stolen demonstration version may have been in reference to a FinSpy demonstration copy leaked in 2011 which the analysis linked to the Bahrain spyware. Analysis of the demonstration copy showed it to be version 3 of the FinSpy code. In contrast, the analysis of the Bahrain spyware showed that it represented a 2012 release -- version 4 -- of the FinSpy code. Bloomberg News. 27 July 2012. “Gamma Says No Spyware Sold to Bahrain; May Be Stolen Copy.” http://www.bloomberg.com/news/2012-07-27/gamma-says-no-spyware-sold-to-bahrain-may-be-stolen-copy.html

8 Ibid.

9 Wikileaks The Spy Files. October 2011. “Remote Monitoring & Infection Solutions: FINSPY.” http://wikileaks.org/spyfiles/files/0/289_GAMMA-201110-FinSpy.pdf

10 New York Times BITS. 16 August 2012. “Company Denies Role in Recently Uncovered Spyware.” http://bits.blogs.nytimes.com/2012/08/16/company-denies-role-in-recently-uncovered-spyware/

11 A simplified description of the bug follows. Every message sent by a FinSpy server to an infected client included a number representing the total number of messages that the server had sent to any recipient. If the server was relaying data to a third party, then an infected client should have seen gaps in these numbers. However, testing by Bahrain Watch on an infected client showed long time periods where the numbers returned by the server were consecutive. Examination of these time periods showed that the server in Bahrain was sending the infected client responses based on data that the infected client had sent to the server. This shows that the server in Bahrain was receiving, processing, and reacting to stolen information from infected clients, without first exchanging information with a third party.
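The counter analysis described in this footnote, written out as an added example (not Bahrain Watch’s actual tooling, and the observations are constructed): each server reply carries a global “messages sent so far” value, so gapless runs of counters that include replies reacting to the monitored client’s own data show the server processed that data without first exchanging messages with anyone else.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Observation:
    t: float              # seconds since the capture started
    counter: int          # global "messages sent so far" value carried in the reply
    reacts_to_ours: bool  # reply content depended on data this client had just sent


# Constructed sample: one monitored client's view of server replies. Counters
# 1000-1005 are consecutive; then three messages went somewhere we could not see.
SAMPLE: List[Observation] = [
    Observation(0.0, 1000, False),
    Observation(1.5, 1001, True),
    Observation(3.0, 1002, True),
    Observation(4.5, 1003, False),
    Observation(6.0, 1004, True),
    Observation(7.5, 1005, True),
    Observation(60.0, 1009, False),
    Observation(61.5, 1010, True),
]


def consecutive_runs(obs):
    """Split replies into maximal runs in which the counter advances by exactly one."""
    if not obs:
        return []
    runs, current = [], [obs[0]]
    for prev, nxt in zip(obs, obs[1:]):
        if nxt.counter == prev.counter + 1:
            current.append(nxt)
        else:
            runs.append(current)
            current = [nxt]
    runs.append(current)
    return runs


def unseen_messages(obs):
    """Server messages this client never received: sent to other infected
    clients or, for a proxy, exchanged with an upstream Master."""
    return sum(nxt.counter - prev.counter - 1 for prev, nxt in zip(obs, obs[1:]))


def direct_processing_evidence(obs, min_run=4):
    """Gapless runs containing at least one reply derived from our own data.
    A proxy would have had to send (and count) a message to its Master before
    answering, so such a run shows the server itself processed the stolen data."""
    return [run for run in consecutive_runs(obs)
            if len(run) >= min_run and any(o.reacts_to_ours for o in run)]


def classify(obs, min_run=4):
    """'master' when gapless reactive runs exist, otherwise 'inconclusive'."""
    return "master" if direct_processing_evidence(obs, min_run) else "inconclusive"
```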

12 Rapid7 SecurityStreet. 8 August 2012. “Analysis of the FinFisher Lawful Interception Malware.” https://community.rapid7.com/community/infosec/blog/2012/08/08/finfisher

13 CitizenLab. 29 August 2012. “The SmartPhone Who Loved Me: FinFisher Goes Mobile?” https://citizenlab.org/2012/08/the-smartphone-who-loved-me-finfisher-goes-mobile/

14 This is despite our precise scanning methodology never being publicly revealed. The specific modifications in this update seem to indicate a desire to render our scanning ineffective, as well as an understanding of our technique.

15 Wikileaks The Spy Files. October 2011. “Remote Monitoring & Infection Solutions: FINSPY.” http://wikileaks.org/spyfiles/files/0/289_GAMMA-201110-FinSpy.pdf

16 Bhatt Murphy Solicitors to UK Secretary of State for Business Innovation and Skills. 12 July 2012. https://www.privacyinternational.org/sites/privacyinternational.org/files/downloads/press-releases/bis_letter_before_claim.pdf

17 Treasury Solicitor’s Department to Bhatt Murphy Solicitors. 8 August 2012. https://www.privacyinternational.org/sites/privacyinternational.org/files/downloads/press-releases/2012_08_08_response_from_tsol.pdf

18 Privacy International. 2 November 2012. Personal communication.

19 The spyware was found to use the symmetric AES algorithm with a key length of 256 bits, and the asymmetric RSA algorithm with a key length of 2048 bits, involving the factorization of 2048-bit integers. Both cryptographic algorithms are used to encrypt data on disk before it is sent to the FinSpy server, to encrypt outgoing messages to the FinSpy server, and to decrypt incoming messages from the FinSpy server. According to Regulation EC No 428/2009 5A002(a)(1), software employing symmetric cryptography with a key length in excess of 56 bits, or asymmetric cryptography involving the factorization of integers larger than 512 bits, is under some circumstances considered a dual-use item subject to export controls. Official Journal of the European Union. 29 May 2009. “COUNCIL REGULATION (EC) No 428/2009.” (p. 168) http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:134:0001:0269:en:PDF

20 Each module in FinSpy contains its own datestamp that is automatically inserted by the compiler when Gamma releases a new version of the module.

21 There were several bugs in FinSpy’s AES implementation, the most significant of which was that FinSpy generated AES keys by repeatedly reading the system clock at predictable intervals. The resulting predictable key structure meant that the valid FinSpy AES key for a ciphertext could be found after a few minutes of search; had the key been generated pseudorandomly, an exhaustive search of all 2^256 256-bit keys would have been required to find the one valid for a ciphertext. Such a search is infeasible. Best practices indicate that AES keys should be generated pseudorandomly. No bugs were observed in FinSpy’s implementation of RSA.
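An added example of how a reviewer would quantify the weakness this footnote describes (not FinSpy’s code; the eight-clock-reads-per-key structure and the tick values are assumptions for illustration): a generator driven by an injectable clock lets one count the keys an observer who can bound the generation time must consider, and shows how many key bytes never vary, against the 2^256 search a CSPRNG key demands.

```python
import math
import secrets
import struct
from typing import Callable, Iterable, Set

KEY_BYTES = 32
WORDS = KEY_BYTES // 4


def make_clock(start_ticks: int, interval_ticks: int) -> Callable[[], int]:
    """Simulated system clock: advances by a fixed interval on every read."""
    state = {"t": start_ticks - interval_ticks}

    def read() -> int:
        state["t"] += interval_ticks
        return state["t"]

    return read


def clock_derived_key(clock: Callable[[], int]) -> bytes:
    """Hypothetical weak generator modelled on footnote 21: eight successive 32-bit
    clock readings concatenated into a 256-bit key. Assumed structure, not the real one."""
    return b"".join(struct.pack("<I", clock() & 0xFFFFFFFF) for _ in range(WORDS))


def csprng_key() -> bytes:
    """What best practice calls for: 32 bytes from the OS CSPRNG."""
    return secrets.token_bytes(KEY_BYTES)


def candidate_keys(t_lo: int, t_hi: int, interval_ticks: int = 1) -> Set[bytes]:
    """Every key the weak generator can yield if its first clock read fell in
    [t_lo, t_hi]: the whole space an observer with that time bound must search."""
    return {clock_derived_key(make_clock(t, interval_ticks)) for t in range(t_lo, t_hi + 1)}


def varying_byte_positions(keys: Iterable[bytes]) -> int:
    """Key byte positions taking more than one value across the sample.
    A sound 256-bit key varies in all 32; clock-derived keys keep the high
    bytes of every word fixed for years."""
    keys = list(keys)
    return sum(1 for i in range(KEY_BYTES) if len({k[i] for k in keys}) > 1)


def audit(t_lo: int, t_hi: int, interval_ticks: int = 1) -> dict:
    """Compare the effective search cost of the weak generator, given a time
    bound on key generation, with the nominal 256-bit cost of a CSPRNG key."""
    cands = candidate_keys(t_lo, t_hi, interval_ticks)
    return {
        "weak_candidates": len(cands),
        "weak_search_bits": math.log2(len(cands)),
        "weak_varying_byte_positions": varying_byte_positions(cands),
        "csprng_search_bits": 8 * KEY_BYTES,
    }
```

With a one-hour bound on the infection time and one-second ticks, `audit(0x4FB00000, 0x4FB00000 + 3599)` reports 3600 candidates (under 12 bits of search) and only 16 of 32 key bytes ever changing.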

22 Bloomberg News. 10 September 2012. “U.K. Limits Spyware That May Have Targeted Dissidents.” http://www.bloomberg.com/news/2012-09-10/spyware-matching-finfisher-can-take-over-iphones.html

Prepared 21st November 2013