Everybody heard that Hacking Team got hacked 1, 2, 3, 4 While I think this is pretty great since they are kinda known to be scumbags since they sell to repressive governments I found out about not so great things around this hack. Actually I didn't find out myself put was pointed to it by other people on Twitter (1) , via email, and personal (thanks Michael Weissbacher!).
Basically I was told that Hacking Team used a bunch of my Android tools to build their monitoring software for Android.
What got me really upset is this email:
This person thinks that I wrote the Android voice call interception for Hacking Team. This is obviously not the case! Hacking Team took my ADBI framework and tools to build their software around it. The software this specific email is talking about is hackedteam/core-android-audiocapture (the link goes to the hackedteam GitHub repository). You can see that they kept even the original filenames (e.g. libt.c) that was part of my original ADBI release.
I was analysing recent leak of hacking team from italy, and saw you supply the core android audiocapture for hijack voice calls on android. Have you updated it to new devices like lollypop?
The reason why someone might think I wrote those tools for Hacking Team are pretty obvious once you take a look at the leaked code. Take, for example, the libt.c file from the HackedTeam repository. Hacking Team left all the copyright information (my name, website, and email address) in those files.
In addition to my ADBI framework Hacking Team also used my SMS fuzzer injector that I wrote in 2009 while working on the SMS fuzzing project together with Charlie Miller. Their Android fuzzer also made use of my ADBI framework.
I'm pretty angry and sad to see my open source tools being used by Hacking Team to make products to spy on activists. Even worse is the fact that due to the lazy way they managed their source repository less informed people might get the idea that I developed parts of their tools for them. Just to make this very clear: I did not write any of those tools for Hacking Team.
For the future I will use a license for all my software that excludes use for this kind of purpose. I have no clue yet how this license would look like so if anybody has a hint about pre existing open source licenses that exclude this kind of usage please drop me an email.
Obviously Hacking Team also used other open source software such as Cuckoo Sandbox. I hope everybody is going to think about future license to prevent this kind of usage. I'm not a lawyer but I would be interested in what legal action one could take if their software license excluded the use case of Hacking Team.
Below some links to the Hackedteam GitHub repository and the link to my ADBI repository. You can clearly see that it is based on my software.
github.com/crmulliner/adbi My GitHub repository for ADBI
hackedteam/core-android-audiocapture (based on my ADBI framework)
hackedteam/fuzzer-android/tree/master/sms_fuzzer_injectors/Lg (based on my SMS fuzzer injector I wrote in 2009)
github.com/hackedteam all repositories
Comments welcome via email to: collin AT mulliner.org