'Weaponizing Vulnerabilities': New Snowden Doc Reveals Spy Agencies Targeted Smartphones

The intelligence alliance known as Five Eyes—comprising the U.S., Canada, New Zealand, the United Kingdom, and Australia—exploited security weaknesses in one of the world’s most popular browsers to obtain data about users and planned to use links to Google and Samsung app stores to infect smartphones with spyware, a top secret National Security Agency (NSA) document published Wednesday has revealed.

According to the 2012 document, leaked by whistleblower Edward Snowden and published jointly by CBC News and The Intercept, the NSA and its international counterparts took part in a series of workshops between November 2011 and February 2012 to find new ways to exploit smartphone technology for spying operations.

The Intercept reports:

CBC continues:

The project emerged in part due to concerns about the possibility of “another Arab spring,” referring to the 2011 wave of revolutionary actions in Tunisia, Egypt, and other countries in the Middle East and North Africa where several autocratic, Western-backed leaders were ousted.

“Respecting agreements not to spy on each others’ citizens, the spying partners focused their attention on servers in non-Five Eyes countries, the document suggests,” write CBC‘s Amber Hildebrandt and Dave Seglins. “The agencies targeted mobile app servers in France, Switzerland, the Netherlands, Cuba, Morocco, the Bahamas and Russia.”

The spy agencies also began targeting UC Browser—a popular app in India and China with growing usage in North America—in late 2011 after learning that it had leaked information about its half-billion users.

According to the reporting, the operation was launched by a joint surveillance unit called the Network Tradecraft Advancement Team, which includes spies from each of the Five Eyes nations.

The document frames the plan as a move for national security, with the agencies seeking to collect data or spy indefinitely on mobile phones of “suspected terrorists.” But they did so without alerting the public or the phone companies of the browser’s weaknesses, which “potentially put millions of users in danger of their data being accessed by other governments’ agencies, hackers or criminals,” Hildebrandt and Seglins write.

“Of course, the security agencies don’t [disclose the information],” Ron Deibert, executive director of digital rights group Citizen Lab, which identified security gaps in UC Browser and alerted the company to those issues in April, told CBC. “Instead, they harbor the vulnerability. They essentially weaponize it.”