Mideast Uses Western Tools to Battle the Skype Rebellion
The Wall Street Journal
By STEVE STECKLOW, PAUL SONNE and MATT BRADLEY
June 1, 2011
When young dissidents in Egypt were organizing an election-monitoring project last fall, they discussed their plans over Skype, the popular Internet phone service, believing it to be secure.
But someone else was listening in—Egypt’s security service.
An internal memo from the “Electronic Penetration Department” even boasted it had intercepted one conversation in which an activist stressed the importance of using Skype “because it cannot be penetrated online by any security device.”
Skype, which Microsoft Corp. is acquiring for $8.5 billion, is best known as a cheap way to make international phone calls. But the Luxembourg-based service also is the communications tool of choice for dissidents around the world because its powerful encryption technology evades traditional wiretaps.
Throughout the recent Middle East uprisings, protesters have used Skype for confidential video conferences, phone calls, instant messages and file exchanges. In Iran, opposition leaders and dissidents used Skype to plot strategy and organize a February protest. Skype also is a favorite among activists in Saudi Arabia and Vietnam, according to State Department cables released by WikiLeaks.
In March, following the Egyptian revolution that toppled President Hosni Mubarak, some activists raided the headquarters of Amn Al Dowla, the state security agency, uncovering the secret memo about intercepting Skype calls. In addition, 26-year-old activist Basem Fathi says he found files describing his love life and trips to the beach, apparently gleaned from intercepted emails and phone calls.
“I believe that they were collecting every little detail they were hearing from our mouths and putting them in a file,” he says.
A cottage industry of U.S. and other companies is now designing and selling tools that can be used to block or eavesdrop on Skype conversations. One technique: Using special “spyware,” or software that intercepts an audio stream from a computer—thereby hearing what’s being said and effectively bypassing Skype’s encryption. Egypt’s spy service last year tested one product, FinSpy, made by Britain’s Gamma International UK Ltd., according to Egyptian government documents and Gamma’s local reseller.
Peter Lloyd, a lawyer for Gamma, declined to discuss the testing but said the company didn’t sell the product to the Egyptian government. “Gamma International UK Ltd. cannot otherwise comment upon its confidential business transactions or the nature of the products it offers,” he said.
Adrian Asher, Skype’s chief information security officer, says his company can’t prevent these technologies from compromising its service: “Can we control [spyware] taking an audio stream off the speakers or the microphone? No, there is nothing we can do.”
He describes Skype’s emergence as a tool for dissent as an accident. “I don’t actively create a product that is useful for the dissidents of the world,” he says. “While I guess it’s a happy by-product, I can’t give them any assurances.”
Dissidents are discovering other potential vulnerabilities in using Skype. This month, rebels in Libya found what appeared to be spyware they say was being distributed via their Skype contact lists.
The Wall Street Journal asked security company Symantec Corp. to analyze the file, which turned out to be a “remote access tool” that could let an outsider remotely eavesdrop on audio and capture keystrokes.
Symantec said the file is being distributed on a website named after the date the Libyan protests began. Still, the file’s origins aren’t clear. “The actual attacker could be anywhere in the world,” says Symantec’s Kevin Hogan.
In China, Skype users are subject to censorship. To enter the Chinese market in 2004, Skype agreed to a unique arrangement in which a special version of its software there filters users’ text chats and blocks politically sensitive keywords. Skype operates in China through a partnership with TOM Online, a unit of Hong Kong-based TOM Group Ltd., which provides the filtering technology, according to Skype.
“TOM Online, like every service provider, has an obligation to be compliant with applicable laws and regulations,” Skype said in a statement. “It is possible that chat messages sent to or from a TOM-Skype user in China may be subject to archiving and monitoring.”
A 2008 study by the Citizen Lab, a research center at the University of Toronto, found serious security and privacy breaches in the Chinese Skype service that it said suggested it was being used for “widespread and systematic surveillance” of “dissidents and ordinary citizens.” Researchers found that TOM Online had captured millions of records of text chats and voice calls, including users’ personal information, and kept them on publicly accessible servers.
Skype said afterward that the security breach had been fixed. Li Xiuli, TOM Online’s marketing director, now says the company doesn’t monitor or record any of its users’ communications or personal information.
However, in a recent filing with the U.S. Securities and Exchange Commission, Skype said TOM Online’s filtering technology “allows instant messages to be filtered and stored along with related data based on content.” Skype added that it understands its joint venture “is obligated by the government to provide this filtering and storage.”
In some countries, including Oman, Egypt, Iran and the United Arab Emirates, Skype is blocked or partially blocked, although such efforts often aren’t effective. Several western companies, including Boeing Co.’s Narus Inc. and Bitek International Inc., both in California, and the German firm Ipoque GmbH, sell sophisticated products that can detect Skype traffic and allow networks to block it. The companies all declined to discuss their foreign customers.
“If requested to do so, we can completely stop it from working on a country-wide level,” says Graham Butler, Bitek’s chief executive. He says Bitek also can capture Skype traffic and turn it over to governments for analysis.
Countries sometimes say they block Skype because its free or low-cost calls cut into the revenue of local phone companies. But a secret 2009 State Department cable from the American embassy in Oman—where Skype isn’t authorized—notes that “the unstated and likely more significant rationale…may be that such services are out of reach of the listening ear of the government.” The cable was made available to certain media outlets by WikiLeaks and reviewed by The Wall Street Journal.
Oman’s Telecommunications Regulatory Authority confirmed that Skype isn’t authorized in part because it “does not meet the requirements of legal interception in Oman.”
The emergence of Skype as a tool for dissidents marks another odd twist in the service’s short, colorful history. Skype, which now has more than 663 million registered users world-wide, traces its roots to a file-sharing program, Kazaa, that grew popular for exchanging pirated music soon after its launch in 2001.
Kazaa’s founders, Niklas Zennström of Sweden and Janus Friis of Denmark, hired a group of Estonian programming whizzes to build the software. It used what is known as a “peer-to-peer” design. Users could share files (in this case, music) directly with each other as peers, not relying on a middleman in the form of a centralized server.
Kazaa attracted millions of users but soon faced legal challenges from the music industry. So Messrs. Zennström and Friis focused on a new project: building a highly encrypted, peer-to-peer Internet phone service. Again, they tapped the Estonian programmers. In 2003, Skype went live.
Tom Berson, a California cryptographer hired by Skype in 2005 to evaluate its security, says he met the programmers, who told him they grew up when Estonia was part of the Soviet Union and had the perils of “wiretapping in mind” when creating Skype.
“In many products, security is an afterthought, it’s kind of bolted on afterwards,” Mr. Berson says. “Skype is different in that it was designed in from Day 1.”
The main reason Skype included high-level encryption wasn’t a fear of wiretapping, says a spokesman for the Estonian programmers. Skype sometimes routes multiple calls through one user’s computer and the engineers wanted to make sure that user couldn’t eavesdrop, the spokesman says.
Skype is tough to intercept not only because of its design, but also due to its legal status. In the U.S., Europe, and elsewhere, laws require telecommunications providers to install interception capabilities, so police can eavesdrop on criminals if necessary. But Skype doesn’t see itself as falling under those laws.
Besides, Skype says it can’t intercept calls between Skype users even if it wanted to. That’s partly because conversations don’t pass through Skype’s own computers. In addition, the encryption key for each call is known only to the computers participating in the call, not to Skype itself.
That’s a headache for police and spy agencies. In Egypt, the Mubarak regime’s secret police fretted about the service in a 2009 internal memo, calling it “a safe and encrypted Internet communication system, to which most extremist groups have resorted to communicate with each other.”
The same year, Italian authorities told the European Union that criminals involved in prostitution rings, arms sales and drug trafficking were turning to Skype and similar Internet phone services to evade police. The customs and tax police in Milan reported overhearing a cocaine runner telling an accomplice to use Skype to receive the details of a two-kilogram delivery.
“It’s a great tool for the bad guys,” says Mr. Butler, the Bitek chief executive. But, he says, “It’s not as secure as people think.”
In recent years, a handful of small European companies—including Gamma of Britain as well as Germany’s DigiTask GmbH, Italy’s HackingTeam SRL and Switzerland’s ERA IT Solutions AG—have developed tools to eavesdrop on Skype. HackingTeam and Gamma have been marketing their software to governments outside of Europe, including in the Middle East.
Most of the tools are programs that must be installed on a person’s computer. Often they are distributed via infected email attachments or disguised as fake software-update alerts to trick people into installing them. The software doesn’t decode Skype’s encryption, but instead captures audio streams, keystrokes typed into the keyboard and possibly anything else happening on the computer.
“Skype is a nightmare for law-enforcement agencies” because of its encryption, says David Vincenzetti, chief executive of Milan-based HackingTeam, which sells a program called Remote Control System that works on computers, smartphones and Blackberries. “Using our technology, Skype is not a problem anymore.” He says the software can bypass Skype’s encryption and “read” the audio stream directly from a computer’s memory.
He says his company sells only to police and security agencies and has about two dozen customers, including in the Middle East, North Africa and the Far East. He declined to name them, although he said they don’t include Egypt, Libya or Tunisia.
“You can infect anybody on the Internet,” he says. “When the infection has taken place, you get full control” of their device, “and that means you can extract any information from that device.”
A “Top Secret” memo from Egypt’s Interior Ministry, dated Jan. 1, 2011, describes how the agency recently had conducted a five-month trial of a “high-level hacking security system” made by Gamma, a HackingTeam rival. The results, the memo said, included “success in hacking personal accounts on Skype” and “recording voice and video conversations over the Internet.” The system’s capabilities also included breaking into Hotmail, Gmail and Yahoo accounts, tracking the location of a targeted computer and copying all of its contents, the memo stated.
The memo noted that the system was being offered for €388,604 ($559,279), including training four officers to use it, by Gamma’s Egyptian reseller, Modern Communication Systems.
Adel Kadry, the reseller’s managing director, confirmed the documents were authentic. He said his company’s role was minor, fulfilling a legal requirement that a local partner be involved.
The Egyptian government didn’t respond to a request for comment on the documents.
According to its website, Gamma sells “Remote Monitoring and Infection Solutions” to governments under the brand name FinFisher. At a wiretapping trade show in Dubai in February, the company gave presentations on “Monitoring Encrypted Data on Computers and Mobile Phones” and “Applied Hacking Techniques used by Government Agencies.” Gamma officials there declined to be interviewed.
Egyptian government records indicate the Gamma product trial took place last year between August and December. That partly coincides with a U.S.-funded project in Egypt to monitor parliamentary elections in November.
The project was spearheaded by Freedom House, a Washington-based, pro-democracy nonprofit that partnered with local activists and bloggers.
Sherif Mansour, Freedom House’s regional senior program manager, says he recommended that the local activists use Skype because he believed it was more secure than email. “We knew that the government was following us and they were harassing the people working on the project,” he says. So the team came up with “some basic security protocols, and one of them was using Skype as much as possible.”
In the March raid on Egypt’s state security agency, Israa Abdel Fattah, a 32-year-old pro-democracy activist who had been jailed twice in the past three years, was shocked to discover in the agency’s files copies of her emails, transcripts of phone calls and text messages, and a list of companies where she had applied for jobs.
She calls it a grave violation of her personal life. “Everyone can see and know what I talk about,” she says.
One memo the activists found showed that the secret police had monitored their Skype communications. The memo described “the successful penetration of their online organizational meetings…via encrypted Skype.”
Mr. Mansour says that surprised him. “When they were arresting bloggers, they were torturing them to get their passwords out of them. So we were under the impression that they didn’t have this capacity.”
Adds Mr. Fathi, the activist whose love life was detailed in the files he found: “We were using Skype for a long time thinking that it was protected and secure.”
The documents state the Interior Ministry had approved the purchase of the Gamma system in December. But Mr. Kadry, Gamma’s reseller, said the deal never went through. Egypt’s revolution derailed it, he says.
—Margaret Coker, Farnaz Fassihi, Loretta Chao and David Crawford contributed to this article.
Direct Link: http://online.wsj.com/article/SB10001424052702304520804576345970862420038.html