Saudi-based Mobily seeks U.S. hacker's help to build a mobile spying system

Security researcher Moxie Marlinspike says Mobily isn't alone in widespread eavesdropping, urges hacker community to re-evaluate priorities

Saudi Arabia-based telecom company Mobily has attempted to enlist American computer security researcher Moxie Marlinspike to develop a surveillance system capable of surreptitiously capturing user data from such mobile messaging applications as Twitter, Viber, Line, and WhatsApp -- all in the name of fighting terrorism. When Marlinspike declined the offer, the company went so far to as to imply that by refusing, he was indirectly serving as an accomplice to terrorism.

The experience, according to Marlinspike (a pseudonym), not only shines a light on the type of ethically questionable practices that companies are embracing in the information age, but also serves as opportunity for members of the hacker community to re-evaluate their own values and priorities.

In a blog post, the well-regarded security pro relates how he was contacted by Yasser D. Alruhaily, executive manager of network information security at Mobily, to assist in developing a project "to both monitor and block mobile data communication." (The blocking component is evidently already set up.)

"What's depressing is that I could have easily helped them intercept basically all of the traffic they were interested in (except for Twitter -- I helped write that TLS code, and I think we did it well)," Marlinspike wrote. "They later told me they'd already gotten a WhatsApp interception prototype working, and were surprised by how easy it was. The bar for most of these apps is pretty low."

Marlinspike declined the gig, citing his concerns about helping the company engage in "massive-scale eavesdropping of private communication." The company responded thusly (and verbatim):

"[I] have same thoughts like you freedom and respecting privacy, actually Saudi has a big terrorist problem and they are misusing these services for spreading terrorism and contacting and spreading their cause that's why I took this and I seek your help. If you are not interested than maybe you are on indirectly helping those who curb the freedom with their brutal activities."

Marlinspike wrote that he wasn't at all surprised by the nature of the request from Mobily. "What Mobily is up to is what's currently happening everywhere, and we can't ignore that," he wrote.

Specifically, Marlinspike lamented a trend in the hacker community in which "green hats" sell exploits to the highest bidder, regardless of the buyer's intent. "Forgetting the question of legality, I hope that we can collectively look at this changing dynamic and perhaps re-evaluate what we culturally reward," he wrote. "I'd much rather think about the question of exploit sales in terms of who we welcome to our conferences, who we choose to associate with, and who we choose to exclude, than in terms of legal regulations. I think the contextual shift we've seen over the past few years requires that we think critically about what's still cool and what's not."

Even purportedly patriotic hackers who only sell exploits to U.S.-based companies "for the good of the nation" may be contributing to global misuse. "Once exploits are sold to U.S. defense contractors ... it's very possible they could end up delivered directly to the Saudis (e.g., e.g., e.g.), where it would take some even more substantial hand-waving to think that they'll serve in some liberatory way."

As for smartphone users, Marlinspike has this advice: "If you're in Saudi Arabia (or really anywhere), it might be prudent to think about avoiding insecure communication tools like WhatsApp and Viber (TextSecure and RedPhone could serve as appropriate secure replacements), because now we know for sure that they're watching."

This story, "Saudi-based Mobily seeks U.S. hacker's help to build a mobile spying system," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow on Twitter.

Copyright © 2013 IDG Communications, Inc.