Canadian Police, Spies Eyed Hacking Team Tech — and the Law Now Makes it Easier to Acquire

From the UK to Australia and America, Hacking Team tried to establish clients in a host of Western countries. But Canada might be the most susceptible to such malware, thanks to a barely-publicized legislative change about cyberbullying.
Justin Ling
Montreal, CA
Photo by Matthew Usherwood/The Canadian Press

With attention focusing on Italian spyware giant Hacking Team and their efforts to strike deals with investigators worldwide, a little-noticed change to Canadian law is becoming increasingly relevant.

A large-scale leak of secret documents from spyware firm Hacking Team reveals the extent to which private industry is able to infect and hack cellphones and computers, and their willingness to hawk their products from the UK to Australia and America.

But Canada might be the most susceptible to such malware, thanks to a barely-publicized legislative change, one that was supposed to be about combatting cyberbullying, that came into effect last year.

Galileo and Zero-Day Vulnerabilities

The leaked records, released on WikiLeaks, confirm that a collection of Canadian investigators were looking to get their hands on the Italian company's advanced offensive surveillance software.

While in the end, the Royal Canadian Mounted Police (RCMP) did not sign a deal in 2011 and it's unclear if the Canadian Security Intelligence Service (CSIS) went forward, the examples underscore the interest by Canadian investigators in getting their hands on the powerful tools.

Internal emails from Hacking Team, released on WikiLeaks, contain debriefs of meetings with the RCMP and CSIS.

"They really liked the demo, they gave us compliments, etc," reads an Italian-language email between a company sales manager and a senior security engineer.

Hacking Team was asking for between $200,000 and $250,000 for the whole system, which included tools that could allow both agencies to remotely infect cellphones and computers — "the main interest was toward Android and BB [Blackberry] for mobile, Windows for PC," the emails read — and would give the Canadian police and spies access to Hacking Team's database of security deficiencies and exploits.

Those security holes in commercial software or hardware, often referred to as 'zero-day vulnerabilities,' are identified by firms like Hacking Team or independent hackers, then sold off to law enforcement or government agencies as a means to find backdoors in commercial software or hardware.

That is evidently at odds with the government's message on cyber safety, considering that the government appears to have a vested interest in ensuring that the security gaps remain exposed.

Motherboard has looked deeper into that spyware, and has more details on the meeting.

Emails exchanged between the Edmonton Police Service and Hacking Team in April of 2015 reveal exactly how the company was selling this software to Canadian law enforcement.

"Thank you very much for your interest in Hacking Team and [remote control service] Galileo Solution," a Hacking Team sales manager wrote to an IT investigative specialist in the Edmonton police service who had asked to join the Hacking Team email list.

The email goes on that Galileo "is able to create agents that collect different type of evidences from criminal's devices (PC, mobile phones, tablets), such as recording of Skype and voice, chat and messages from social networks, mails, files, screenshots, visited web sites, passwords from browsers, position, photos, contacts, calendar, etc. The evidences are transmitted safely and securely to the end-user in order to build intelligence on targets, all his accounts, his most contacted people, his latest position, and create correlation between targets."

Blackberry and Tactical Network Injectors

The Vancouver Police Department, too, looked into buying the gear.

"We recently ran into a problem that we thought your product could help us. We need to collect iMessages from an iPhone," wrote David Ainsworth, an investigator with the city's police service.

The Hacking Team staff visited the Vancouver police in July 2013, and ran a demonstration of the software for the chief. They assured the police service that their program would be able to collect iMessages, and more.

"We proceed with the demo, infecting the target via TNI YouTube," reads a debrief of the meeting sent between Hacking Team staff.

TNI probably refers to Tactical Network Injector, which means that Hacking Team was likely referring to a process whereby they can infect any mobile phone that tries to visit a specific URL — in this case, YouTube, though they've also applied the process to several porn sites. This sort of thing was predicted back in 2014, when one researcher thoroughly detailed how Hacking Team was able to inject unencrypted web traffic with malicious code, like that which regularly passed through YouTube. After facing a deluge of complaints, YouTube now uses HTTPS, making it harder to perform that kind of surreptitious data collection.

"Over all the demo was a success and I believe they are serious about acquiring the system," wrote an account manager to his Hacking Team colleagues.

They priced the software between "low 300K [to] upper 200K," the Hacking Team account manager writes.

According to the officer, Vancouver police were looking to crack: "Windows, IOS, Android and BB."

Blackberry is an interesting quirk for the hackers. In one 2012 email regarding upcoming demonstrations, they write, "just hoping that the customer will provide <> (e.g. iOS jailbroken, BlackBerry NOT v.10, etc,)" referring to what was, at that time, the latest Blackberry software. Creator Research In Motion has long boasted that Blackberry is one of the most secure phones on the market.

Most of the Hacking Team executives sent emails on Blackberry devices.

While it would appear that Vancouver purchased the software, the police service wouldn't confirm.

A spokesperson for the RCMP was more equivocal. "The RCMP tested the Hacking Team technology in 2011. The RCMP did not purchase and does not use the Hacking Team technology," a spokesperson said of the federal police service, who did not respond to follow-up questions.

VICE News asked CSIS and signals intelligence agency Communications Security Establishment (CSE) whether they tested Hacking Team products, met with the company, purchased their products, or whether they use zero-day exploits.

"CSIS does not confirm nor deny any details with respect to our methodologies, interests, or activities," wrote a CSIS spokesperson.

"CSE does not comment on any of its operations, techniques or capabilities," wrote their counterpart at CSE.

OnStar and Transmission Data Recorders

When the RCMP and CSIS met with Hacking Team in 2011, the legality of things like zero-day and spyware exploits was a gray zone.

Canadian law, until late 2014, remained mostly analog. No language in the Criminal Code envisioned things like malware and software exploits. Specific warrants existed for tracking devices and wiretaps, but efforts to extend that legal authority to other investigative powers, like requesting metadata from cellphone providers, were mostly made on an ad hoc basis, leaving it to the courts to decide what is and isn't a lawful search and seizure.

In the fall of 2014, Canada's Conservative government introduced C-13. The bill contained a litany of updates to the Criminal Code, creating a new warrant specifically for metadata and another that allows police to track people, things, and vehicles.

But most notably, C-13 expands how police are able to collect data from suspects.

In creating a new warrant for a "transmission data recorder" — meaning a thing that can capture metadata — police will be able to use a "computer program" to "obtain or record transmission data or to transmit it by a means of telecommunication."

Police and spies would need to obtain warrants for these powers, but most of these judicial authorizations would be obtained without the presence of defense counsel. One type of tracking warrant also carries a very low threshold of evidence.

The highly technical amendments to the law went generally unnoticed, until Cara Zwibel, director of the fundamental freedoms program at the Canadian Civil Liberties Association, told a Parliamentary committee that the changes should worry them.

"These definitions have been changed to include software. This means that provisions that authorize the use of a tracking device or transmission recorder effectively allow for the installation of malware. Police are being given the power to remotely hack into computers, mobile devices, or cars in order to track location or record metadata," she told the House of Commons committee studying the bill.

VICE News asked the Department of Justice last year whether the law would allow for the use of government-deployed malware, and was told simply "the question of whether one type of software or another could be used is more of an operational consideration."

That sort of thing is exactly what the Hacking Team software would allow them to do.

The sales managers at the company repeatedly identified Canada as a target country for their expansion.

A Transport Canada employee, who was looking for expertise on cybersecurity for her department, appeared to be on good terms with the Hacking Team employees, even having a back-and-forth with the company CEO about a VICE story.

David Vincenzetti sent out a Motherboard story from early June about the Italian company's claim that it can help police find criminals in the dark web.

"WE ARE DELIGHTED to have among the close readers of this list, Vice Motherboard which never reports on Hacking Team without smug editorial comment. Today was no exception!" he wrote, adding "IF you are a lawful user of the Internet, you have little to fear from Hacking Team."
