The CitiZen Lab

Who is using Telkom to spy?

A South African computer connected to the Internet via Telkom is hosting software that’s designed to allow powerful secret spying.

Wessel van Rensburg
South African society & politics
5 min read · Sep 15, 2013


Two IP addresses belonging to the erstwhile South African state telecoms operator Telkom have been caught in a global dragnet, indicating that local computers are hosting at least one FinSpy server.

At a high level, our scans probed IP addresses in each country, and attempted to perform the handshake distinctive to the FinSpy command and control protocol. If a server responded to the handshake, we marked it as a FinSpy node.

This snippet is from a recent report, For Their Eyes Only, by Morgan Marquis-Boire and his friends at The Citizen Lab, Munk School of Global Affairs and the Canada Center for Global Security Studies.

IP addresses are essential to the way the Internet works. Everything that flows through the Internet travels in packets, and every packet carries IP addresses so that it ‘knows’ where it should end up. Devices connected to the Internet, such as computers and mobile phones, must have some form of IP address.

The FinSpy server works in conjunction with software called FinFisher. FinFisher is essentially a trojan: software that is installed surreptitiously when a user opens an apparently innocent file, say a Word document or an image attached to an email. Once installed on an unsuspecting user’s device, FinFisher does the snooping, and it reports to and receives commands from the FinSpy server.

FinFisher has versions not only for Windows but also for iOS, Android, BlackBerry, Windows Mobile and Symbian devices — so yeah — just about any smartphone. The range of surveillance it enables is near total. The desktop version can snoop by taking screenshots, recording your keystrokes, accessing passwords and nabbing the audio of Skype conversations, while the mobile versions can track your location, peruse your address book, help themselves to your SMSs, listen to your calls, and activate the microphone on your device to listen to conversations close by.

The logo of South Africa’s National Intelligence Agency

Is this the South African government’s FinSpy server?

Gamma International UK Ltd is the UK-headquartered company behind the FinSpy and FinFisher software. Once alerted to it, the UK government inspected the software and found FinSpy so potent that it requires a licence from the government before it can be exported outside the European Union. Because the software has been used against human rights activists, Reporters Without Borders has called the company one of five “corporate enemies of the Internet”.

Gamma International itself claims that it provides “advanced technical surveillance and monitoring solutions and international consultancy to National and State Intelligence Departments and Law Enforcement Agencies.” I reached out to Gamma International to try and establish whether they sell their software to private companies. As yet, I have received no reply. That is apparently their standard way of operating; on a previous occasion the company told Slate that Gamma:

“simply does not discuss its client base, its exports, or any of the operations which its clients may or may not be undertaking.”

Telkom in turn assured me that it is not Telkom itself hosting the FinSpy server, and that it had no idea who was. It could be one of its ISP customers that is using FinSpy, I was told. It is possible that the server software resides on one of Telkom’s machines, or that Telkom is only providing the IP addresses. Either way, this would be in clear contravention of Telkom’s own terms of use.

I asked Telkom whether they check the content enabled through their network and whether it complies with their terms. The answer via their spokesperson Pynee Chetty — when it comes to IP addresses — is that they do not check. To be fair to Telkom, monitoring the traffic on all these addresses would mean installing tracking technology across the South African Internet on a massive scale, and such technology could easily be used for censorship as well. But what if Telkom were simply informed, by the likes of me, of skulduggery on its infrastructure?

So I asked Mr. Chetty whether Telkom could identify the culprits in this case using the IP addresses. Chetty claimed that they could not tell which of their customers was hosting the FinSpy server, because they run a system in which IP addresses are allocated dynamically every hour — so without the times at which they were spotted, the IP addresses in the report no longer point to the original customer account. What if I could get them the times? Chetty said that even if I had the times when the IP addresses were snagged — making it possible to trace the account holder — Telkom would not investigate the matter without a charge first being laid with the South African police. That is, even though this software clearly contravenes their own terms, Telkom would not investigate of its own accord.
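As an added illustration of the tracing step Chetty describes (this is example code, not anything from the article, Telkom or Citizen Lab), here is the lookup an operator would run against its own address-lease records: given an IP and the moment a scanner saw it, return the account that held that address at that moment. The lease-log layout, the 192.0.2.0/24 addresses and the account names are all constructed; it also shows why a sighting without a timestamp only narrows the search to every account that ever held the address.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample of an operator's lease log (hypothetical CSV layout:
# ip,account,lease_start,lease_end, all in UTC). 192.0.2.0/24 is reserved
# for documentation, so none of these map to a real customer.
LEASE_LOG = """\
192.0.2.10,acct-A,2013-04-29T08:00:00Z,2013-04-29T09:00:00Z
192.0.2.10,acct-B,2013-04-29T09:00:00Z,2013-04-29T10:00:00Z
192.0.2.10,acct-C,2013-04-29T10:00:00Z,2013-04-29T11:00:00Z
192.0.2.11,acct-D,2013-04-29T08:00:00Z,2013-04-29T12:00:00Z
"""


@dataclass(frozen=True)
class Lease:
    ip: str
    account: str
    start: datetime  # inclusive
    end: datetime    # exclusive: an hourly lease covers [start, end)


def parse_ts(text):
    """Parse a Zulu-time ISO 8601 stamp into a timezone-aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_leases(log):
    leases = []
    for line in log.splitlines():
        if line.strip():
            ip, account, start, end = line.split(",")
            leases.append(Lease(ip, account, parse_ts(start), parse_ts(end)))
    return leases


def accounts_for(leases, ip, seen_at, skew_seconds=0):
    """Accounts that held `ip` when the scanner saw it.

    skew_seconds widens the sighting to [seen_at - skew, seen_at + skew] to
    absorb clock drift between scanner and lease log; a sighting near a lease
    boundary then yields every plausible holder instead of one wrong answer.
    """
    skew = timedelta(seconds=skew_seconds)
    lo, hi = seen_at - skew, seen_at + skew
    return sorted({l.account for l in leases
                   if l.ip == ip and l.start <= hi and lo < l.end})


def accounts_ever(leases, ip):
    """Without a timestamp, every account that ever held the IP is a candidate."""
    return sorted({l.account for l in leases if l.ip == ip})
```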

Why is Telkom so reticent? One can only speculate. The SA government still owns the largest stake in Telkom, and its organs are the only entities allowed to legally surveil South African citizens in South Africa. Gamma International does business with governments and claims it supplies software within UK law. It is therefore likely that this is the South African government’s trojan. So I reached out to the South African government for comment.

Phumla Williams, South African government spokesperson, relayed the response from “all the security cluster communicators. They all confirm that government does not use the software in their respective departments.”

Surveillance in the Republic

Surveillance of citizens by state organs in South Africa can only happen after a court order. In theory, therefore, South African citizens are not subject to the blanket surveillance the US apparently practises. While the legal constraints on the state are stricter in South Africa, in practice the breakdown in the rule of law and corruption make for a situation that is potentially far worse. Recent investigative reporting, as well as high-profile political leaks, has shown that there is widespread illegal surveillance taking place in South Africa. This is spying using the organs and infrastructure of the state, but often outside the logic of the state: in other words, surveillance for private interests and with little legal oversight.

Why would the South African government want FinSpy’s capabilities? It is unclear, but it is unlikely that South Africa’s spy agencies have anything like the technical capability to do US NSA-style broad surveillance. We also know that it will not be trivial for them to access, for example, a South African’s Gmail account. Without the cooperation of a company like Skype, it is unlikely that they have easy access to that kind of communication either.

South African government agencies have, up to now, for the most part focused on what they have easy access to: snooping on phone calls, SMSs and email accounts hosted with local South African companies. A FinSpy system could give them new types of access by compromising what security experts call endpoints, such as the ability to snoop on the US cloud-based services used by individual targets.


My mind is digital but my heart in the southern bit of Africa, RAAK founder, media voyeur, blogger http://mhambi.com, tech fetishist, documentary maker.