Article Lead Image

Unsettling details of FinFisher espionage software leak to the Web

It's not just the NSA doing covert online surveillance.


Curt Hopkins


Posted on Sep 6, 2013   Updated on Jun 1, 2021, 7:10 am CDT

It’s not just the U.S. National Security Agency conducting online surveillance. Private corporations do it, too. Promotional materials from spy software developer FinFisher have been leaked onto the Internet, and the company’s capabilities are seriously creepy.

FinFisher, made by the U.K.-based Gamma Group, is being investigated by the Organization for Economic Cooperation and Development for breaking a dozen human rights rules, and has been accused of providing the Mexican government with software to spy on its own people. 

Along with the NSA spying revelations, which have begun to turn more and more people against covert surveillance, this is probably not the ideal time for Gamma Group to deal with such a leak. 

In the backgrounder to a presentation, the company announces it hired BackTrack Linux developer Martin Johannes Münch to, as security firm F-Secure put it, “build attack tools for Gamma.” They also mention proudly that Gamma developers have presented at hacker conferences Black Hat and DEF CON.

Interesting, but only marginally creepy. What’s unnerving are the matter-of-fact tone to the distressing claims they let loose in the materials themselves. 

On the slide for FinUSB Suite/Operational Usage, their system to covertly extract data from Target Systems,” they announce that the accompanying “Dongle can be used e.g. by housekeeping staff.” So much for keeping an eye on your jewelry, rich people, now you need to make sure you don’t act out a scene from an espionage movie. 

On the FinIntrusion Kit / Core Features slide, you can “Discover WEP (64 and 128 bit) Passphrase within 2-5 minutes” and extract Usernames and Passwords “even for SSL/TLS-encrypted sessions.” 

Other gems include Gamma’s brags that you can use their products to hack banks, and that they have malware will infect Windows Phones, possibly the first piece of malware to specifically target that mobile OS. 

Just think, people and governments unrestrained by the regulations that limit the NSA can walk in off the street, plunk down some cash, and walk out with the technology like this, capable of breaking banks and even surveilling entire countries.  

H/T F-Secure | Photo by bfishadow/Flickr, remix by Fernando Alfonso III

Share this article
*First Published: Sep 6, 2013, 1:25 pm CDT