Researcher lashes out at Hacking Team over open-source code discovery

When the researcher released his code as open-source, Android spyware development for governments was not its intended purpose.

screen-shot-2015-07-21-at-07-05-48.png

Researcher Collin Mulliner has lashed out at Hacking Team after discovering his codes have been used as a springboard in the development of Android surveillance tools sold to governments and law enforcement agencies.

Milan-based Hacking Team suffered a cyberattack this month which led to the theft of 400GB in corporate data. The once-secretive firm's corporate innards have been thrown across the Internet, resulting in released customer lists, exploits, surveillance tool code and internal communications now available for viewing and examination in the public domain.

While software vendors are rapidly patching newly-discovered Hacking Team zero-day vulnerabilities, the disclosures have also hit the open-source community.

System security researcher Colin Mulliner said in a blog post on Tuesday that he discovered his open-source creations were being used -- without notice or permission by Hacking Team -- after individuals on Twitter pointed it out and he received a flood of emails and personal notifications.

One query sent truly angered the researcher, as it demonstrates the mistaken belief Mulliner may have been working for the surveillance firm:

"I was analysing recent leak of hacking team from italy, and saw you supply the core android audiocapture for hijack voice calls on android. Have you updated it to new devices like lollypop?"

Mulliner emphasized that he did not write the Android voice call interception for Hacking Team's use, and instead, Hacking Team "took my ADBI framework and tools to build their software around it."

The exploit in question is core-android-audiocapture -- now hosted on GitHub -- which even keeps the researcher's original ADBI release file names and copyright information including his name and email address.

See also: Hacking Team won't 'shrivel up and go away' after cyberattack

In addition, Hacking Team allegedly used Mulliner's SMS fuzzer injector, code developed in 2009 which has found its way into the Italian firm's tool. Hacking Team emails discussing Mulliner's tools can be viewed on WikiLeaks.

Mulliner commented:

"I'm pretty angry and sad to see my open source tools being used by Hacking Team to make products to spy on activists.

Even worse is the fact that due to the lazy way they managed their source repository less informed people might get the idea that I developed parts of their tools for them. Just to make this very clear: I did not write any of those tools for Hacking Team."

As a result of the controversial purposes the open-source code has been used for, the researcher says that in the future, all of his software will be licensed that excludes "this kind of purpose." A lesson learned the hard way, but this case may prompt other security experts to re-think a too-open hand when sending their work into the open-source community.

"Obviously Hacking Team also used other open source software such as Cuckoo Sandbox," Mulliner says. "I hope everybody is going to think about future license to prevent this kind of usage. I'm not a lawyer but I would be interested in what legal action one could take if their software license excluded the use case of Hacking Team."

This week, Rook Security released a free scanner which detects Hacking Team-based infections and exploits.

Read on: Top picks