How Pakistani Spy Agency spies using Telecom Network

possibly intercepting your HTTPS-encrypted traffic

TL;DR

Pakistan's spy agency is finding it difficult to read end-to-end encrypted WhatsApp conversations. Its next best strategy is to 'SSL-spoof' your connection while you surf the internet, redirecting you to a page that installs software on your phone and gives them full viewing access to everything on it (zero-click spyware).

This follows two previous updates

Read Update #1 – Predator Spyware Network Injection in Pakistan #1

Read Update # 2 – Predator Spyware Installed in Pakistan #2

Why we suspect that the PTA is listening to your encrypted traffic

What transpired in the last few weeks, when Pakistan's Internet was severely throttled (see the report published by Bytes for All: Slow Internet in Pakistan and the Smokescreen of VPNs | Bytes for All, Pakistan),

is, I feel, the perfect lead-up to the suspicion that the Government of Pakistan has hired a black-hat company or product to spy on the people of Pakistan using Deep Packet Inspection (DPI).

Their effort is aimed at HTTPS-encrypted data. During these few weeks their system appeared to be severely overburdened, producing connection timeouts and packet loss, either deliberately or because the monitoring system was failing.

What Happened on WhatsApp?

Internet users all across Pakistan noticed that in WhatsApp specifically, voice notes, images and videos were not downloading: the app hit constant timeouts and packet loss while trying to reach WhatsApp's servers, for no obvious reason. Through a VPN, the same downloads worked seamlessly.

Interestingly, WhatsApp text messages still got through. My assumption is that text messages, being far smaller, survived the timeouts because the app keeps retrying delivery automatically; they did eventually arrive, but only after considerable delay.

The frustration reached boiling point: none of the images or videos would download, repeated manual attempts were needed, and a download would sometimes succeed by accident and sometimes never complete. This irritated the public enough that it became a noticeable outcry across Pakistan.

What Might be Happening?

Suspiciously, it all points to some Man-in-the-Middle (MITM) mischief by the PTA, which fully controls all data that passes through its routers, DNS servers, nodes and firewalls.

Simply put, once your traffic is routed through their equipment they can tweak it just enough to 'redirect' your browser to a malware website hosted by them, which can then automatically install a spyware program.

This sort of attack is called SSL spoofing (HTTPS hijacking); the downgrade step, forcing a browser from HTTPS onto plain HTTP, is more commonly known in the security literature as SSL stripping.

How does SSL Spoofing Work?

  1. When you access a site, ex: https:// XYZ dot com
  2. Your browser expects to be connected to a secure site hosted on the xyz servers
  3. The PTA intercepts this communication with cleverly programmed rules in the national firewall that quickly redirect you to an unencrypted HTTP landing page
  4. In the brief moment your browser loads their unencrypted landing page, malware (zero-click) is injected into your phone/computer

One caveat a practitioner will raise about step 3: an inline box cannot answer or rewrite an HTTPS connection that is already established, because it holds no certificate your browser trusts for xyz.com. What it can do is answer the first plaintext http:// request that browsers still send when you type a bare address, and redirect that to its own page before the site's usual upgrade to HTTPS happens. Modern browsers do not block HTTP outright; they mark the page 'Not secure'. They refuse the downgrade only when the site is on the HSTS list (preloaded, or remembered from an earlier HTTPS visit) or when HTTPS-Only mode is switched on. What remains exposed is people on outdated OS or browser versions, which the landing page can then exploit.
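As an added example (not code from the original post, nor from the PTA, Intellexa or any browser vendor), the Python model below walks through the four steps above together with the caveat: the browser decides the scheme of its first request, an on-path box can answer plaintext with a redirect but cannot rewrite TLS, and the HSTS cache or HTTPS-Only mode decides whether the downgrade lands. The hostnames, the preloaded HSTS set and the landing-page URL are constructed for the example.

```python
from urllib.parse import urlparse

# Constructed example: hostnames, the HSTS cache contents and the landing page are made up.
HSTS_PRELOAD = {"bank.example", "chat.example"}   # hosts this browser only ever contacts over TLS
LANDING_PAGE = "http://landing.example/update"     # the interceptor's plain-HTTP page

REDIRECT_CODES = {301, 302, 303, 307, 308}


def browser_first_request(typed: str, hsts_cache=HSTS_PRELOAD, https_only: bool = False) -> str:
    """Return the URL the browser actually sends for what the user typed.

    A bare address without a scheme defaults to plaintext http://, unless the host is in
    the browser's HSTS cache or HTTPS-Only mode is on, in which case it is upgraded first.
    """
    url = typed if "://" in typed else "http://" + typed
    parts = urlparse(url)
    if parts.scheme == "http" and (https_only or parts.hostname in hsts_cache):
        url = "https://" + url[len("http://"):]
    return url


def inline_firewall(url: str) -> dict:
    """Model of an on-path box (the 'national firewall' in the text).

    A plaintext HTTP request can be answered with anything, here a redirect to the
    landing page. A TLS connection cannot be read or rewritten without a certificate the
    browser trusts for that host, so the box can only pass it through or drop it.
    """
    if urlparse(url).scheme == "http":
        return {"status": 302, "headers": {"location": LANDING_PAGE}}
    return {"status": None, "headers": {}, "note": "opaque TLS: pass or drop only"}


def is_downgrade_redirect(resp: dict) -> bool:
    """True if the response is a redirect whose target is plain http://."""
    location = resp["headers"].get("location", "")
    return resp["status"] in REDIRECT_CODES and urlparse(location).scheme == "http"


def learn_hsts(host: str, headers: dict, hsts_cache: set) -> None:
    """Update the HSTS cache from a Strict-Transport-Security header seen over HTTPS.

    max-age>0 pins the host to HTTPS for future visits; max-age=0 clears the pin.
    """
    value = headers.get("strict-transport-security")
    if value is None:
        return
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            num = num.strip()
            if num.isdigit() and int(num) > 0:
                hsts_cache.add(host)
            else:
                hsts_cache.discard(host)


def simulate(typed: str, hsts_cache=HSTS_PRELOAD, https_only: bool = False) -> str:
    """'stripped' if the browser would land on the interceptor's plaintext page, else 'safe'."""
    url = browser_first_request(typed, hsts_cache, https_only)
    resp = inline_firewall(url)
    return "stripped" if is_downgrade_redirect(resp) else "safe"


if __name__ == "__main__":
    for typed in ("bank.example", "news.example", "https://news.example/"):
        print(f"{typed:24s} -> {simulate(typed)}")
    print(f"{'news.example':24s} -> {simulate('news.example', https_only=True)} (HTTPS-Only mode)")
```

The model shows why the advice to keep browsers updated matters beyond patching exploits: a current browser with HTTPS-Only mode on, or a site that has earned a place in the HSTS cache, never emits the plaintext request the interceptor needs, so there is nothing for it to redirect.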

Unsecured Friends & Family at Risk of These Attacks

Now suppose this attack vector is able to INFECT YOUR FRIENDS' AND FAMILY'S PHONES because they are not keen on keeping their phones updated.

The spy agency is then able to READ their one-to-one chats with you (from their side) and to see every group you share with them. If, in theory, they infiltrate enough people around you, they can easily build a profile database on you and your 'unpatriotic activities'.

Amnesty International published an exposé on Intellexa, the Predator Files, which explains in detail how HTTP injection (the Mars module) and HTTPS injection (the Jupiter module) work –

How can VPNs prevent such attacks?

Keep all your apps updated at all times, and use a VPN for all your internet browsing. Once the VPN app gets past its initial connection (and the various timeout errors), everything you browse is enclosed in the VPN tunnel: the firewall sees only encrypted traffic to the VPN server, so it can no longer redirect or slow down your HTTP requests. The trade-off is that the VPN provider now sees what the firewall used to see, so pick one you trust, and prefer a client with a kill switch so that traffic does not silently fall back onto the bare network when the tunnel drops.

Summary

SSL spoofing is nothing new, and I'm sure modern-day attacks have advanced well beyond it, but I think these firewall and web-monitoring administrators have absolutely no idea what damage they are doing to Pakistan. Whether or not they succeed in implementing the spoofing, make sure you protect the privacy of your data.

SECURITY TIPS

  1. Keep your VPN ON ALL THE TIME
  2. Keep your phone and apps regularly updated
  3. Strictly use encrypted DNS (DNS over HTTPS or DNS over TLS) with a resolver such as 1.1.1.1; a plain, unencrypted lookup to 1.1.1.1 still passes through the same firewall in clear text and can be read or answered by it
  4. Be careful about what you share or post; you're a patriotic, peace-loving Pakistani with nothing to hide, but still be cautious and protect your data
  5. Encourage your family and friends to follow the above steps
