This week we look at three case studies of abused cryptography. In the first instance, sensitive health information was left entirely unencrypted. In India, WhatsApp’s famed E2EE platform was hacked by beast malware Pegasus, and in South East Asia, Trojan “Titanium” built a backdoor into the devices of government officials. Even when organizations follow the highest industry standards for encrypting communications, motivated bad actors regularly exploit machines and the identities that protect them. We’ll see how crypto-defense evolves in the coming months to cover what can only be seen as a series of successful attacks against data security and the technology that defends it.
Andrew Yang says we’re experiencing the 4th Industrial Revolution, and he’s not wrong.
Remember when your first day of work meant a Nextel phone and a pad of paper? Well those days are gone (30 years ago, you might say). Remember when technology was its own industry (that’s cute), and if you went into teaching, or finance, or medicine you could avoid elusive algorithms altogether?
Well those days are gone, too. It turns out encryption is the wheel that makes all technology go around these days.
The University of Rochester Medical Center (URMC) in New York hospital paid a $3 million HIPAA fine for failure to encrypt ePIH (electronic protected health information). Legally, encryption is not mandatory under HIPAA law, but corrective action following risk assessment is. In 2013 and 2017, an unencrypted laptop was stolen, exposing the ePIH of 43 patients. Following this, encryption of hard assets was prescribed, and URMC paid for failure to take their medicine.
In 2010 there was a similar incident involving the loss of an unencrypted hard drive that also stored sensitive ePHI records.
“Following a risk analysis, as part of the risk management process, covered entities must assess whether encryption is an appropriate safeguard. An alternative safeguard can be implemented in place of encryption if it provides an equivalent level of protection,” states the HIPAA Journal website.
As unchangeable information like biometrics increasingly becomes the way we identify ourselves to our phones, our apps, our banks – exposing it may be a much more serious security problem that it was even 20 years ago. While the privacy of medical records has always been critical, it is now apparent that encrypting this sensitive data is crucial for very different reasons.
It seems there is nowhere to hide in this end-to-endless encryption debate.
Israeli tech company NSO Group created Pegasus back in 2010, a piece of malware that enables surveillance on mobile phones. Their self-purported purpose was to provide "authorized governments with technology that helps them combat terror and crime.”
However, several weeks ago the malware was found tracing phones in India, particularly those belonging to politicians, human rights activists and journalists; not terrorists and criminals. WhatsApp sued NSO Group over the infraction with the Israeli firm denied compliance, reaffirming “Our technology is not designed or licensed for use against human rights activists and journalists."
Pegasus was installed on victims’ phones by a simple call (that didn’t need to be answered), and from there would send back contact lists, text messages and even video from the camera of the infected device to Pegasus servers. In an act of irony, the NSO Group was itself traced when exfiltrated data was tracked back to servers and hosting services previously linked to the firm.
Citizen Lab researchers who discovered the breach have reported dozens of similar cases linked to Pegasus and state that “NSO Group stands out in terms of the reckless abuse of its spyware by government clients.”
While cause and accountability may be officially undetermined (NSO Group disputes the allegations), this most recent WhatsApp attack makes one thing clear. Even though we are entering a year of debate, encryption regulation and an unprecedented E2EE boom, in an arms race for data, encryption is still the best tool available to protect sensitive data.
If you build it, they will come.
And if you don’t, they’ll build it - and then they’ll come. This is a worst-case scenario of what an encryption backdoor can do in the wrong hands.
What Is It?
The latest threat to come out of the prolific hacking pod “Platinum” is a similarly named Trojan, “Titanium.” This hostile program has been active for several years, and its targets are major players – defense, government, telecom and intelligence agencies centralized in South and Southeast Asia.
How Does Titanium Work?
It installs backdoors.
The Backdoor Debate
In the E2EE debate, the question may become, “Are our governments as motivated to catch the bad guys as the bad guys are to catch the good guys?” That may be an unanswerable quandary at this point, but this attack highlights the flaw in law enforcement arguments against encryption; it’s very clear that backdoors swing both ways.
Find out where crypto leaders from the Global 5000 find their 2020 strategies for securing encrypted assets.