Site iconSite icon IFSEC Insider | Security and Fire News and Resources

Police hacking of home computers: beyond the political dimension

Reports that the Home Office has signed up to an EU strategy against cybercrime allowing police services to hack into personal computers without a warrant have, not surprisingly, generated serious concern among commentators and civil liberties groups.

What, though, are the technical and practical issues behind such possible moves?

First of all, it’s important to note that Internet security and anti-virus applications evaluate programs according to their function, not the motives of the program’s author. The functionality of a program can be determined by analysing the code: if it behaves like a piece of malware (ie if it’s a virus, worm or Trojan) then it’s added to the anti-virus database.

Motive, by contrast, can only be guessed at. If the police were to create programs with a ‘spyware’ component for monitoring activity on a computer, security vendors would have little choice but to include detection for such programs: functionally, there would be no distinction between such a police program and one written by cyber criminals. This would, of course, undermine any police attempts to covertly intrude on a computer system.

Range of hacking options available

If the police wish to monitor activity on a suspect’s computer, a range of hacking options is available to them. Many are already used by cyber criminals. The obvious example is the keylogger, which monitors all keyboard input – or other activity like mouse clicks – on the target machine. Given that this would be part of a covert operation, they would also need to find a way of secreting the program on a suspect’s computer in the first place, and have the captured information fed back to their own computer systems.

There are several avenues open to anyone wishing to do this, but the growing popularity of wireless networks makes infiltration through this route a distinct possibility.

It’s unlikely that the police would want – or, indeed, require – any involvement from security experts in developing such monitoring programs. We cannot assume that the police would keep us in the loop on the development of any such programs.

In developed countries, where police agencies have a lot of expertise and experience, they are more than able to develop such code without the help of IT security experts. It may even be the case that it would be undesirable for the police to involve us as this could undermine the effectiveness of their methods, knowing that we would be obliged to detect any potential threat to our customers ‘whatever its source or intentions’. Much like cybercriminals, any police initiatives would rely on secrecy as their main tool of attack. Widening the circle of awareness could only be detrimental to that secrecy.

Cybercriminals could appropriate and misuse

The reversal of the adage ‘Poacher-turned-Gamekeeper’ involved in developing officially sanctioned hacking could actually make police programs a target for the established Internet security industry. Since we are bound to deal with any intrusion in the same way, for the reasons outlined above, police hacking tools would be dealt with in the same way as a cybercrime attack.

The other problem is that the technology used could easily be appropriated and misused by cybercriminals. A good parallel here is the code used by Sony to hide its Digital Rights Management software for audio CDs late in 2005. The concealment code was subsequently used by cybercriminals to hide their malicious programs. In the same way, it’s possible that code used by the police could be similarly misused, so security providers would be forced to add detection to protect their customers.

The covert nature of any such police hacking makes it likely that Internet security vendors will only find out about it when their software detects it. This would either be because we detect it proactively, without the need for a specific signature, or because someone (a police suspect, for example) on whose machine it’s installed suspects they may be infected and sends us a sample for analysis.

While making headlines, the EU strategy agreement marks the latest development in Governmental interest in tackling cybercrime. Last year saw a similar debate in Germany over the so-called ‘Bundestrojan’, which was proposed by Bavarian police to combat criminals. Although the German Bundestag rejected the initial proposals, debate continues over the pros and cons of legally sanctioned police spyware. The latest EU strategy agreement will undoubtedly further fuel the debate.

There was similar debate in 2001 following clams that the Federal Bureau of Investigations (FBI) had developed a keylogger named Magic Lantern. Reportedly, Magic Latern could be installed remotely via an e-mail attachment or by exploiting common operating system vulnerabilities, although its deployment and use has never been proven.

Legal implications for security providers

The Home Office’s acknowledgment of the EU strategy agreement is the first firm approval we have seen for the use of hacking techniques by the police authorities, so what would the legal implications be for security providers in providing detection for such threats?

It would, in my view, be difficult to mount a legal challenge aimed at preventing security vendors from dealing with any authorised hacking programs. After all, functionally such programs would be comparable to programs written by malware authors and used by cyber criminals to steal confidential data, launch Distributed Denial of Service attacks on online businesses, distribute spam and more. These are all activities the Computer Misuse Act and other criminal legislation in the UK is designed to combat.

We consider it our primary aim to monitor the threat landscape 24/7, and offer our customers the best defence possible against new and existing attacks. Cyber crime legislation is designed to stop unwarranted intrusions, so we would consider any such intrusions – whatever the source – as a fair target in protecting our customers.

The political and legal issues relating to the possible use of authorised hacking tools to monitor suspects are for others to debate. Aside from this, however, there are clearly practical security matters that would affect the use of such programs. The biggest of these is that the raison d’etre of security vendors is to develop and deploy technology that will secure their customers from the software used by cyber criminals. Since this is focused on the function of software rather than its motive, we would inevitably have to include detection for authorised hacking tools.

From one country to the next

Nor should we forget the international ramifications of this development. Customers in one country have a right to expect that we will protect them from code developed in another. In this sense, anti-malware protection is like an airport metal detector: it’s designed to alert on any malware, regardless of its source.

David Emm is a member of the Global Research and Analysis Team at Kaspersky Lab

Exit mobile version