The secrets of one of the world’s most prominent surveillance companies, Gamma Group, spilled onto the Internet this month, courtesy of an anonymous leaker who appears to have gained access to sensitive corporate documents.
And while they provide illuminating details about the capabilities of Gamma’s many spy tools, perhaps the most surprising revelation is about something the company is unable to do: It can’t hack into your typical iPhone.
Android phones, some Blackberries and phones running older Microsoft operating systems all are vulnerable to Gamma’s spyware, called FinSpy, which can turn your smartphone into a potent surveillance device. Users of the spyware are capable of listening to calls on targeted devices, stealing contacts, activating the microphone, tracking your location and more.
But for FinSpy to hack into an iPhone, the phone’s owner must have already stripped away much of its built-in security through a process called “jailbreaking.” No jailbreak, no FinSpy on your iPhone, at least according to a leaked Gamma document dated April 2014.
This is good news for people with iPhones, and perhaps for Apple as well. But at a time of rising concern about government surveillance powers, it’s ironic that a different mobile operating system – Google’s Android – has emerged as the global standard, with a dominant share of the world market.
Android phones have more features. They come in more shapes, sizes and colors. And they’re cheaper. But, it’s increasingly clear, they are more vulnerable to the Gammas of the world, which develop and sell surveillance systems to police and government intelligence services.
The result is what might be called a growing “surveillance gap.” Some civil libertarians have begun pointing out that the people on the safer side of that gap – with stronger protections against the potential for government abuse – are the relatively affluent people who already favor Apple products.
Those willing to pay a premium for an iPhone or iPad, perhaps for their design elegance or ease of use, are also getting disk encryption by default, an instant messaging system that resists eavesdropping and an operating system that even powerful surveillance companies have trouble cracking.
Such features don’t tend to star in Apple’s glossy marketing campaigns because most shoppers likely think little about security when choosing their consumer electronics.
Yet the consequences can be serious if a government anywhere in the world decides to target someone with FinSpy, or if a police officer or border patrol agent attempts to browse through a person’s smartphone – or worse still, copy its entire contents for later examination.
“Technology can protect you from your own government. It can protect you from somebody else’s government. If you live in an authoritarian country, the disk encryption feature built into the (operating system) may be the thing keeping you safe,” Christopher Soghoian, the principal technologist for the ACLU, said in a speech last month. “It may be the thing keeping you from being beaten by the secret police. So it’s vital that these features reach average users.”
The Gamma Group, with headquarters in Germany and Britain, did not respond to an email requesting comment and has kept quiet generally in the week since a Twitter account – with the obviously bogus name “Phineas Fisher@GammaGroupPR” – first appeared online. (Many of the documents also are posted on Netzpolitik.org, a German site that promotes digital civil rights.)
The files include price lists for various surveillance products – FinSpy can cost governments nearly $4 million – as well as detailed descriptions of other spy tools and a 126-page user manual for FinSpy. Researchers and journalists combing through some of the leaked documents also have found evidence that FinSpy had been used against lawyers and activists in Bahrain. ProPublica reported it has been deployed on computers in the United States, Britain, Russia and many other countries as well.
Yet the user manual and other documents make clear that even powerful, expensive spyware such as FinSpy have their limits.
That’s why the choice of smartphones matters. Android phones are, by design, open-source systems that give programmers a wide range of powers in making apps work how they want them to. Apple, by contrast, controls the development of the hardware and operating system, and it manages what’s available in the App Store more aggressively than Google does for its Play store.
“Android is infinitely more exploitable than” Apple’s operating system, said Bart Stidham, a telecommunications system architect.