You think your data, communication devices are safe? Think again

MANILA, Philippines – The Philippine government last year, purchased about P10 million ($200,000) worth of spyware from the British government.

According to news reports, the sale included International Mobile Subscriber Identity-catchers (IMSI-catchers), which critics fear may be used as tools to monitor alleged drug users in President Rodrigo Duterte’s brutal war on drugs.

However, this is not the first time the government has purchased surveillance equipment. (READ: What you need to know about state surveillance)

According to privacy rights group Privacy International, there have been at least 7 recorded sales of surveillance equipment to the Philippines. The group’s Surveillance Industry Index (SII), which tracks developments and sales in the industry, lists “off the air” technologies and intrusion software technologies, among these purchases.

But surveillance and monitoring techniques are not limited to these alone. There are a number of ways information and privacy can be exploited through hardware and software. 

Here are some ways an individual’s communications and data can be hacked or intercepted:

1. IMSI-catchers

INTERCEPT. IMSI-catchers, which mimic cell towers, can be used to intercept communications on mobile phones.

INTERCEPT. IMSI-catchers, which mimic cell towers, can be used to intercept communications on mobile phones.

How it works: IMSI-catchers – also known as Stingrays, are used to intercept devices by simulating or mimicking cell towers. When connected to an IMSI-catcher, calls and text messages as well as a device’s location can be accessed without detection.

Acting as a “fake” cell tower, the use of IMSI-catchers is usually considered a “man-in-the-middle” attack, wherein information is retrieved between two sources who would otherwise think their correspondence was private and secure.

According to reports, the Philippine government purchased IMSI-catchers from the British government in 2016 for about P10 million ($200,000). Data from Privacy International has also shown continued upkeep of the devices by the British government.

2. “Off the Air Interception” Technology

How it works: “Off the air” makes tracking devices possible when individuals are traveling from one place to another, switching between multiple cell towers.

In 2015, the British and Swiss governments listed a purchase of this type of technology to the Philippines, though the specific kind of equipment was not indicated.

Data from Privacy International showed another sale to the Philippines by the British government in 2016.

3. PacketShapers

MONITOR. PacketShapers can be used for legitimate purposes but also for politically-motivated restriction of information and monitoring of Internet activity.

MONITOR. PacketShapers can be used for legitimate purposes but also for politically-motivated restriction of information and monitoring of Internet activity.

How it works: Developed by American technology company Blue Coat Systems, which is now owned by cybersecurity company Symantec, PacketShapers are used to monitor online activity and secure online networks. They may also be used to restrict access to certain websites and information.

In addition to this, they can also be used to monitor and record communication.

PacketShapers are considered “dual-use” technologies, which may be used for legitimate purposes, but can also be used to carry out politically-motivated restriction of information.

With "dual-use" technologies, whether or not these types of equipment are harmful depends on who acquires the technology and for what purposes they are intended for.

According to Privacy International Surveillance Industry Index, a sale to the Philippine government was recorded in 2013.

4. Intrusion Software Technology

Also known as malicious software or malware, communications surveillance can be done through the use of these intrusive technologies.

Some types of malware were developed by foreign intelligence agencies like the US Central Intelligence Agency (CIA).

How it works: According to WikiLeaks, the CIA Engineering and Development Group, as well as its Mobile Devices Branch, developed malware that targets iPhones, Androids, as well as smart TVs.

Through these, functions on a person’s phone or smart device – such as cameras or microphones can be accessed. Data, information, and the location of infected devices may also be retrieved.

“Fake off” modes can also be carried out, which allows users to believe a device is turned off while it’s still on. Here, devices like smart TVs can act as bugs, recording conversations that take place nearby.

Once a person’s phone or device is infected, anything can be accessed – even encrypted data on platforms like Signal, Telegram, and WhatsApp.

Aside from this, the CIA’s Automated Implant Branch and Network Devices Branch have also developed malware that would target Windows and Mac OSx control systems, among others.

According to Privacy International’s SSI, the British government sold intrusion software to the Philippines in 2015.

HACKED. When a person's device is infected with malicious software, data and information on the devices can be accessed.

HACKED. When a person's device is infected with malicious software, data and information on the devices can be accessed.

5. Distributed Denial of Service (DDoS) attacks

A person’s data and personal information can also be accessed through different types of online attacks.

How it works: DDoS attacks work by overwhelming an online service or network with various requests from multiple sources. The goal of a DDoS attack is usually to reset the network to its default settings, which would make it easier to hack into a user’s system.

According to Digital Attack Map – a collaboration between Google and cybersecurity group Arbor Networks tracks – DDoS attacks can be used to make important online information unavailable. “Sites covering elections are brought down to influence their outcome, media sites are attacked to censor stories, and businesses are taken offline by competitors looking for a leg up.”

6. Fake wireless access point (WAP)

How it works: Using software, hackers can also fake a wireless access point, which users may mistake as genuine public WAPs. Fake WAPs are considered one of the easier hacks to accomplish and can be easy to fall for – with fake WAPs labeled as seemingly real networks in public spaces like airports, malls, and coffee shops among others. 

These fake WAPs actually connect to official public WAPs but leave a person phone or computer compormised. Once connected to it, hackers can also access data and information on the person’s device. – Rappler.com

Read more about state surveillance:

Sofia Tomacruz

Sofia Tomacruz covers foreign affairs, the overseas Filipino workers, and elections. She also writes stories on the treatment of women and children. Follow her on Twitter @sofiatomacruz. Email her at sofia.tomacruz@rappler.com.

image