Hacking Team built drone-based Wi-Fi hacking hardware
Leaked e-mails from the Italy-based computer and network surveillance company Hacking Team show that the company developed a piece of rugged hardware intended to attack computers and mobile devices via Wi-Fi. The capability, marketed as part of the company’s Remote Control System Galileo, was shown off to defense companies at the International Defense Exposition and Conference (IDEX) in Abu Dhabi in February, and it drew attention from a major defense contractor. But like all such collaborations, it may have gotten caught up in the companies’ legal departments.
In an e-mail summarizing a meeting in January, co-founder Marco Valleri outlined the roadmap for a number of Hacking Team’s platforms, including its “Tactical Network Injector” or TNI. This piece of hardware was designed to insert malicious code into Wi-Fi network communications, potentially acting as a malicious access point to launch exploits or man-in-the-middle attacks. The bullet points included the creation of a “mini-TNI” tasked to Hacking Team employee Andrea Di Pasquale:
Transportable by a drone (!)
The mini-TNI, marketed at IDEX as “Galileo,” drew the attention of a representative from Insitu, a subsidiary of Boeing that builds small unmanned aircraft systems including the ScanEagle and RQ-21A “Blackjack” UASs used by the US Navy. In early April, Giuseppe Venneri—an Insitu intern and a graduate student at the University of California, Irvine—was tasked with contacting Hacking Team’s key account manager Emad Shehata, following up on a meeting at IDEX. “We see potential in integrating your Wi-Fi hacking capability into an airborne system and would be interested in starting a conversation with one of your engineers to go over, in more depth, the payload capabilities including the detailed size, weight, and power specs of your Galileo System,” Venneri wrote.
It’s not clear that the conversation went much further than that. After a series of exchanges, things seemed to grind to a halt over which company’s non-disclosure agreement would be used. Shehata sent a Hacking Team standard NDA; Venneri replied by sending Boeing’s preferred Proprietary Information Agreement (PIA) “that must be signed before we engage with potential partners.”
“Signing our PIA (attached) will dramatically shorten the authorization process at our end,” Venneri wrote. “Let me know if you are willing to sign our document to engage in conversations with us.”
Giancarlo Russo, Hacking Team’s chief operating officer, then jumped into the loop. “I saw your document and it will require additional legal verification from our side regarding the applicability of ITAR and other U.S. Law,” he said. “In my opinion, for a preliminary discussion our non-disclosure agreement should be sufficient to protect both companies and as you will see it is including mutual provision for both parties and it will make things easier and faster for us.”
Apparently, that didn’t fly with Boeing’s lawyers. A month later, in May, Venneri wrote back, asking if Hacking Team’s leadership would reconsider. “If you could please reconsider our mutual PIA, know that the questionnaire at the beginning of the document is just for gathering information and has no impact on the PIA itself. We have lots of Non-US companies under our PIA. If you or your legal team have any requested changes to our PIA please don’t hesitate to add them in the attached document.”
The correspondence ends there, but it’s clear that Hacking Team employees had a somewhat skeptical view of Boeing well in advance of this exchange. When Boeing introduced its government-grade secure phone, the Boeing Black, in February of 2014, it set off a chain of derisive e-mail messages at Hacking Team. CEO David Vincenzetti commented, “It is just a shame that Boeing is an US company with extra strong ties with the Pentagon, DoD and, as a consequence, with the NSA itself,” hinting that the phone might not be a great choice for anyone other than US customers.
Massimo Controzzi, a security specialist at Ernst & Young, replied to the thread from his personal e-mail address, joking that the Black “comes with leather first class seats, welcome on board champagne, fantastic flight attendants, and, because Boeing is a first class US DOD security contractor, an obvious NSA backdoor.”