Spyware maker Intellexa had remote access to some of its government customers’ surveillance systems, giving company staffers the ability to see the personal data of people whose phones had been hacked with its Predator spyware, according to new evidence published by Amnesty International.
On Thursday, Amnesty and a coalition of media partners, including Israeli newspaper Haaretz, Greek news site Inside Story, and Swiss outlet Inside IT, published a series of reports based on leaked material from Intellexa, including internal company documents, sales and marketing material, and training videos.
Perhaps the most striking revelation is that people working at Intellexa could allegedly remotely access the surveillance systems of at least some of its customers via TeamViewer, an off-the-shelf tool that allows users to connect to other computers over the internet.
The remote access is shown in a leaked training video revealing privileged parts of the Predator spyware system, including its dashboard, as well as the “storage system containing photos, messages and all other surveillance data gathered from victims of the Predator spyware,” Amnesty wrote in its report. (Amnesty published screenshots taken from the video, but not the full video.)
The nonprofit researchers wrote that the leaked video shows apparent “live” Predator infection attempts “against real targets,” based on detailed information “from at least one infection attempt against a target in Kazakhstan.” The video contained the infection URL, the target’s IP address, and the software versions of the target’s phone.
A screenshot of the dashboard of an Intellexa customer surveillance system, which shows the types of sensitive personal data of hacked targets that customers and Intellexa support staff may have access to. Image Credits: Amnesty International
Companies that sell spyware to government agencies, such as NSO Group and the now-defunct Hacking Team, have long maintained that they never have access to the data of their customers’ targets, nor their customers’ systems. There are several reasons why.
From the point of view of the spyware makers, they don’t want the potential legal liability if their customers use the spyware unlawfully. And spyware makers would rather say that once they sell their spyware, the customers are fully responsible for using it. From the government customers’ standpoint, they don’t want to expose details of their sensitive investigations, such as targets’ names, locations, and personal data, to a private company that may be based overseas.
In other words, this type of remote access is absolutely not “normal,” as Paolo Lezzi, the chief executive of spyware maker Memento Labs, told TechCrunch when contacted for this story for a spyware maker’s perspective. “No [government] agency would accept it,” he said.
That’s why Lezzi was skeptical that the leaked training video was showing access to an actual customer’s live surveillance system. Perhaps, he posited, this was training material showing a demo environment. The chief executive also said that some customers have asked Memento Labs to access their systems, but the company only accepts the offer if it’s necessary to solve technical issues. In any case, he said, “they enable us to have TeamViewer access for the necessary time and under their supervision we carry out the intervention and leave.”