Tuesday, November 1, 2022

Truss, Hacks, and Games of Telephone

Matt Tait — Read time: 8 minutes

Was Truss' phone hacked? And what would that mean?


The Mail on Sunday has a great scoop: When Liz Truss was Foreign Secretary—shortly before her brief stint as Prime Minister—her personal phone was hacked by Russian security services. Unsurprisingly, Russia denies it (a denial worth less than the oxygen it took to say it), and opposition MPs in the UK are now calling for an investigation.


The story itself is a little light on concrete details. But the tl;dr:


The phone was hacked sometime during the Conservative leadership campaign that followed Johnson's resignation this summer


The hack was done by Russian security services


The incident caused pandemonium in the Foreign Office when it was uncovered, and Liz Truss changed her phone number shortly afterwards


Prime Minister Johnson and the Cabinet Secretary suppressed news reporting on it


The phone was “so badly compromised” it was put in a locked government safe (probably a colloquial reference to the handset being held for forensic analysis in a Faraday-shielded, SCIF-style environment)


Compromised conversations included those with her soon-to-be Treasury Minister Kwarteng, as well as phone calls with foreign leaders during the early part of the Russian invasion of Ukraine about arms shipments


Most of the rest of the article is background and boilerplate, although it also references another article earlier this month revealing that Cabinet ministers’ personal phone numbers (including Truss’) were available for sale online (for about $7.50), and a brief discussion of Truss worrying about the (literal) fallout if Russia decided to use nuclear weapons in Ukraine.


Is the story true? I don’t know.


There are several really strange things about this article, and while some other outlets are reporting based on the Daily Mail’s original story, at least for now it looks like no other major news site has independently confirmed it.


The Daily Mail is a British tabloid newspaper, and has a habit of publishing clickbait stories with weak sourcing. That said, the Daily Mail does sometimes have real scoops and serious stories. The problem is that the editorial review process there favors clicks over accuracy, which means caution is warranted whenever one of its big scoops doesn’t get independently confirmed by others.


The byline for the story is also interesting. Here we have two political (not defense) reporters at the Daily Mail. Both really do have real contacts with senior leadership in the British Conservative party, and so it’s entirely plausible that their source is someone like a current or former Cabinet minister who would be in a credible position to act as a knowledgeable source for the story. But even if so, the lack of a defense correspondent on the byline suggests that they either didn’t ask (or couldn’t persuade) a defense correspondent to independently confirm the claims in the article or provide some assistance unpacking the defense-specific claims in the article. That’s a red flag.


The timing of the story is also interesting. If the story is true, it must have been held unusually closely inside the UK government. The story is styled so as to damage Truss. But notably, it’s leaking now. It wasn’t leaked during her leadership contest over the summer, nor during her administration itself. There was no shortage of opportunities or motivation for senior Conservatives, including Cabinet members, to leak dirt on Truss to stop her becoming Prime Minister or to accelerate her resignation, and yet it didn’t leak until now. So this information, if true, was closely held, and the source must be someone who curiously wants to damage Truss now that she’s gone, but didn’t want to derail either her leadership campaign or her administration.


There aren’t a lot of people who match the knowledge and motive criteria to be the Daily Mail’s key source here. But it’s also not zero people. Braverman and Kwarteng, for example, both held Cabinet and national security positions in both the Johnson and Truss cabinets, and both were fired during the dying days of the Truss administration. So it’s plausible that a genuinely senior and credible source with the knowledge and motive to leak this story now reached out to these journalists.


So it could be true. But there’s a lot of red flags. The lack of independent confirmation by other outlets days later is particularly concerning.


In short, I don’t know if it’s true. But for the sake of this article, let’s assume it is, and go from there.


In this story, the claim is that the compromise of Truss’ phone allowed the hackers to intercept phone calls. If so, that’s a very bad sign.


Not all hacking is the same. Hacking phones ranges in complexity depending on what the malware needs to achieve. In this case, we can infer from the malware being able to intercept phone calls that it would almost certainly have used a full-chain exploit—a series of vulnerabilities deployed in rapid sequence to fully compromise the entire phone, from the initial entry point (a browser, a messaging app) through to the kernel.


Creating full-chain exploits is (to put it mildly) a very high-intensity endeavor due to the need to bypass several layered security mechanisms on the device, circumventing all the heavy investments in security engineering by smartphone manufacturers in recent years. Finding vulnerabilities in phones is hard enough even for experts in the field. Building full-chains is dramatically harder, and involves very large amounts of offensive cybersecurity engineering work to pull off.


So what is at risk? What can phone malware extract? We won’t know for sure unless and until the UK government confirms and releases a more detailed incident report. But based on similar malware using full-chain exploits in the past, such malware generally gains access to, and will try to exfiltrate:


Photos, downloaded files, contacts, recent call history, and location tracking


All non-deleted messages, including SMS messages and end-to-end-encrypted messages in WhatsApp and similar messaging apps.


Email inbox content, attachments, and drafts from any email account linked to the device, usually including all historic email from the account.


Browsing history of sites visited, and perhaps also keylogging to capture passwords entered on websites


Voice call recording of calls made to or from the device, including voice calls made via encrypted applications like FaceTime and WhatsApp.


Such spyware sometimes also includes ambient recording functionality; that is, using the phone to hot-mic a room while it appears idle. There’s no reason as yet to believe this one did, but fully-compromised devices are very powerful tools of surveillance with enormous privacy implications for the victim.


Unfortunately for the United Kingdom, UK government officials use their phones for a lot of sensitive work, particularly via WhatsApp groups, email, and phone calls. WhatsApp may be an end-to-end encrypted application—meaning that message content and phone calls can’t be intercepted and decrypted across the network or even by Facebook/Meta—but end-to-end encryption doesn’t stop content being accessed if one of the “ends” of the communication is compromised, as here.


In other words, there’s a very good chance a lot of sensitive information was lost, providing a lot of actionable intelligence and follow-on targeting information that Russian leadership and military planners would have been very happy to read. If this really happened, and it was really Russia, it will have been a major intelligence success for them.


Is this Truss’ fault? Maybe. But probably not.


Mobile device security is a little different from the cybersecurity of websites and laptops. Websites, for example, are often secured using passwords. Accidentally give your website password to a hacker thanks to phishing or password reuse and they can usually break into your account on the site. Laptops are also designed to run any program you throw at them, usually with almost full access. A hacker usually just has to trick a user into clicking the wrong thing to compromise the whole system.


But mobile devices are different. A weak passcode might let someone break into your phone if they have the physical handset in their hands, but a weak passcode won’t let a hacker remotely compromise the device. Similarly, tricking a user into installing full-control malware on their device is nearly impossible. Mainstream smartphones don’t let users grant an app that level of control even if they really want to, so you can’t trivially trick someone into doing it.


This means that phone malware—at least high-end malware capable of intercepting phone calls—needs to bypass several security mechanisms on the phone itself using software vulnerabilities on the device. This is one of the reasons why security professionals recommend updating phone software shortly after updates are available. Patches fix security defects that could otherwise be used by hackers to break into the device.


Unfortunately, patching only gets you so far when dealing with very high-end attackers. Patching removes vulnerabilities that the vendor knows about. Not the ones it doesn’t. High-end hackers working for governments will often find and engineer exploits using vulnerabilities not known to the vendor, known as “zero-day exploits”. These allow the hacker to compromise even fully-patched devices. Worse: if these vulnerabilities can be triggered without any user interaction (so-called zero-click exploits), there’s really nothing a user can practically do to defend against them.


In short, mobile device compromises are rarely about user negligence or basic social engineering tactics that might work in other types of cybersecurity breaches. Truss’ phone might very plausibly have been hacked, but if so, it’s just because she was a high-profile target of very capable foreign government hackers, and not because she picked a low-quality password or some other failure of basic cybersecurity hygiene.


Did Truss know her phone could be hacked? Yes.


The UK intelligence community is administratively laid out slightly differently from its partners and equivalents around the world. In the UK, GCHQ—the British signals intelligence agency and near-equivalent to the US National Security Agency—has day-to-day Cabinet oversight via the Foreign Secretary.


When Liz Truss became Foreign Secretary, she will have been briefed in detail by GCHQ about the UK’s offensive capability, as well as the offensive capability used by foreign governments around the world to target the UK and its allies. Foreign capability in hacking smartphones and computer networks will have featured prominently in her initial briefings, but will also have been consistently re-briefed during her tenure as part of her responsibility to authorize GCHQ’s operations and as one of the primary recipients of UK intelligence reporting.


The timing of Truss taking office is also relevant here. Truss became Foreign Secretary in September 2021, just a few months after reports that malware created by NSO Group had been used to target devices in the UK Prime Minister’s Office and the UK Foreign Office. She will almost certainly have been briefed on it.


In other words, Truss will not have been aware only in some high-level vague way that phones are, in principle, hackable, but rather will have been deeply and intimately briefed on this fact right from day one, and then repeatedly reminded of this during her entire tenure through warrant authorizations, oversight, and intelligence reporting reaching her desk.


The key question, then, is why she nevertheless used a personal phone, and not a government-issued one, knowing full-well the risk and likelihood of compromise. Why did she do it?


That’s a fun question. It’s about incentives, but it’s big enough to need its own post.

