As the leaked inner workings of controversial surveillance company Hacking Team are being spread over the internet, experts and journalists are trawling through their contents, finding evidence of deals with the finance industry, brutal regimes, and law enforcement agencies.
On top of this, several information security experts have noted how underwhelming some of Hacking Team’s spying tools actually are—some relying on vulnerabilities that had already been publicly disclosed, and exploits that only worked on old pieces of software.
Within the 400GB archive of Hacking Team files, which was publicly released by a hacker on Sunday, is a README file which appears to belong to a release version of one of the company’s products. The file lists the various exploits used in conjunction with different file types in order to infect a target’s computer.
For example, Microsoft Office programs are packaged with a Flash exploit, while Internet Explorer is partnered with a Flash, Java, and a Word 2007 exploit. The list is recent; the Flash examples are dated April 2015.
“Everyone is all worried about exploits and 0day and these guys had crap,” the information security expert known as thegrugq told Motherboard in a private Twitter message.
“The Java version is old, the Word version is old. I wouldn’t expect anyone to have much success with those,” thegrugq continued. Indeed, the Java exploit applies to Java versions up to 8.25, which was released in October last year. Since then, Java has been updated several times.
The 0day that HackingTeam were using for their 0day feed is a big load of “meh”. Flash, win32k, old office, old Java https://t.co/cGch1XBs0e
— the grugq (@thegrugq) July 7, 2015
This mishmash of relatively old exploits is hardly A-game material. “This is like fielding a Sunday football league team against a team made up of random people on a subway car,” thegrugq added.

Hacking Team also made use of vulnerabilities that had already been publicly disclosed, especially to attack mobile platforms. Security researcher Justin Case tweeted that the company’s Android tools used two public vulnerabilities, for example. Some attacks on iPhones also required the devices to be jailbroken, which makes iPhones less secure because they don’t receive any of the usual security updates from Apple. Thegrugq added that “anyone using a modern mobile device” that was fully updated could likely resist attacks from Hacking Team, as long as they kept it locked and didn’t allow an adversary to physically get hold of their device.
HackingTeam’s android tools use Alephzain’s framaroot and GeoHot’s Towelroot, as fi01’s putuser exploits. We need to reconsider how we publish
— Justin Case (@jcase) July 6, 2015
The updates to Hacking Team’s tactics against Macs were little to shout about, either.
“There is nothing to be impressed from them from a technical point of view,” said researcher Pedro Vilaça, who specializes in reverse engineering OS X malware. After briefly looking over some of the files in the Hacking Team breach, he concluded that Hacking Team hadn’t updated their OS X capabilities very much, and there were no examples of technical prowess.
However, the technical expertise—or lack thereof—of Hacking Team might not be all that important, something that many of the researchers concluded. “Fact of the matter is that Hacking Team managed to provide a service and products which are way more than enough for day-to-day spying,” Claudio Guarnieri, a researcher who has tracked the company in the past, told Motherboard in an encrypted chat.
Those services might be coming to an end. Hacking Team has warned all of its customers to stop using the company’s products immediately, and a member of the European Parliament has called for an investigation into Hacking Team’s actions.