Security Experts:

Hackers Expose India's Backdoor Intercept Program

Last week, the Lords of Dharmaraja made headlines by exposing their work to the world, after claiming to have breached systems used by India’s military intelligence. They released old source code from Symantec, and API documentation as proof. However, over the weekend it was learned that they also released a memo documenting India’s intercept program, and the role that Research in Motion, Apple, and Nokia play in it.

Symantec confirmed with SecurityWeek on Friday that hackers did access source code from Symantec Endpoint Protection 11.0 and Symantec Antivirus 10.2. According to a Symantec spokesperson, “SEP 11 was four years ago to be exact.”

In addition, Symantec Antivirus 10.2 has been discontinued, though the company continues to service it.

“We’re taking this extremely seriously and are erring on the side of caution to develop and long-range plan to take care of customers still using those products,” Cris Paden, Senior Manager of Corporate Communications at Symantec told SecurityWeek.

Over the weekend, the story expanded.

The Lords of Dharmaraja released a purported memo outlining the intercept program known as RINOA, which earns its name from the vendors involved - RIM, Nokia, and Apple. The memo said the vendors provided India with backdoors into their technology in order to them to maintain a presence in the local market space.

India’s Ministry of Defense has “an agreement with all major device vendors” to provide the country with the source code and information needed for their SUR (surveillance) platform, the memo explains.

These backdoors allowed the military to conduct surveillance (RINOA SUR) against the US-China Economic and Security Review Commission. Personnel from Indian Naval Military Intelligence were dispatched to the People’s Republic of China to undertake Telecommunications Surveillance (TESUR) using the RINOA backdoors and CYCADA-based technologies.

The said memo also included proof of the intercept operation, by quoting transcripts captured by the naval staff. Overall, India’s Military Intelligence was pleased with the RINOA SUR platform.

Security and privacy researcher Christopher Soghoian commented, “Due to export control [requirements], NSA (and until 2010, Commerce Dept) have source code for all US made enterprise security/communications products...”

“Instead of worrying about hackers getting access to 5+ year old Norton code we should worry about what NSA/US Military does with recent code.” The U.S. government, as well as other nations around the world, each have some form of intercept and monitoring operation. However, getting them to actually confirm the scope of such operations and what they’re used for is another matter entirely.

Symantec would not disclose what it has done for any specific government, but did explain its policy on the issue to SecurityWeek.

“On a case-by-case basis and upon request, Symantec shares how our code operates to prove the functionality of our code with governments for compliance and software assurance purposes,” the company said. “We consider each request on a case by case basis, we engage in a lengthy vetting process with appropriate government trade agencies involving our Legal departments, our CTO’s office, our IT departments and our government relations team. We are compelled by law in some cases by governments to share the effectiveness of our code in order to sell our products in that given country.”

“Governments need to and have the right to check on the safety and validity of the safety of products that enter and are sold in their country, whether it is information security software, food products, drugs, etc.,” Symantec explained.

In 2010, RIM came under fire for their cooperation with the Indian government. Despite what they said to the press, it would seem that while they didn’t hand over encryption keys, they did offer India other levels of access.

In fact, reading their release from the time, RIM essentially said they would allow backdoors to a point. Because, RIM’s cooperation can be fully expected, as long as the requirements “be limited to the strict context of lawful access and national security requirements as governed by the country's judicial oversight and rules of law.”

“RIM maintains a consistent global standard for lawful access requirements that does not include special deals for specific countries.”

Given that what India was doing is legal by India’s own laws, RIM would have no problems helping when ordered, especially if it means being able to do business in the country. The same can be said for Apple and Nokia.

In the meantime, the Lords of Dharmaraja have promised to release more information. So it is possible that additional intercept details will emerge. Time will tell.

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.