Inside the secretive industry that helps government hackers get around encryption.
At first glance, Azimuth Security looks like any other bustling startup. Photos tweeted by the firm’s co-founder show a staffer zipping in front of glass-walled conference rooms on a hoverboard and employees in T-shirts playing with a stylish chess set over a beer. But this small Australian company plays a crucial role in the continuous battle for spies and cops to hack into phones around the world, Motherboard has learned.
The story of this little-known company provides a rare peek inside the secretive exploit trade, which is populated with military contractors, individual researchers, and boutique high-end hacking shops like Azimuth. While the trade is commonly painted as a wild west full of mercenaries who sell hacking tools to whoever can afford them, over a dozen well-placed sources described an overlooked section of the industry that focuses on supplying to a select group of democratic governments, rather than authoritarian regimes.
These companies keep a low profile. They don’t advertise their wares at surveillance fairs and keep the information on their public websites vague. But they do sell hacking software to police and intelligence agencies.
(Motherboard granted most sources for this story anonymity to speak about sensitive industry details.)
Besides its researchers’ talent, which multiple sources said is top-quality, what separates Azimuth from other players in the exploit industry is its client rolodex. Three sources familiar with the company said Azimuth—through its partner firm—provides exploits to members of the so-called Five Eyes, a global intelligence sharing group made up of the United States, United Kingdom, Canada, Australia, and New Zealand. The partner firm is Linchpin Labs, a software company founded by former Five Eyes intelligence officials.
"Azimuth provides Australia essentially all their offensive cyber capability," a fourth source familiar with the company told Motherboard, referring specifically to the Australian Signals Directorate (ASD), the country's version of the NSA. One of the sources, as well as confirming the ASD as a client, said the UK and Canada are Azimuth customers.
The ASD did not respond to a request for comment. The UK's Government Communications Headquarters (GCHQ) said it “does not comment on operational matters or relationships with industry,” and Canada's Communications Security Establishment (CSE) said it "is unable to comment on capabilities or operational matters," but emphasised its operations are carried out legally.
Two sources said Azimuth has dealt with the FBI. One specified Azimuth has provided the FBI with an exploit to break through the Tor Browser, a modified version of Firefox used to connect to the so-called dark web. Tor routes a user’s traffic through multiple computers around the world, before connecting to whatever site or service the user is trying to reach. This means law enforcement can have a harder time determining where a target is located, and so agencies may deploy a hacking tool to track the suspect down, bypassing the protections of Tor. High-ranking US Department of Justice officials have complained in the past that Tor and encryption have created a “zone of lawlessness.”
An FBI spokesperson told Motherboard in an email, “The FBI does not comment on specific tools or techniques utilized in criminal investigations.”
Azimuth develops zero-day exploits, according to six sources. A zero-day takes advantage of vulnerabilities that the manufacturer of the target software—say, Apple or Google—is unaware of; the company has had zero days to try and find a fix.
For example, a zero-day may use specially crafted text messages to break into an iPhone, or leverage an issue in the Google Chrome browser to infect a device from a malicious website. Some attacks require no user interaction at all, meaning a government can take over a phone likely without alerting the target; others need the target to click a link. Exploits are more valuable to attackers when they remain a secret: if a company finds out its product has a security flaw, it will likely fix the issue, making the exploit less effective. The goal for hackers, including government ones in some cases, is likely to keep an exploit as a zero-day for as long as possible (in some cases intelligence agencies do report vulnerabilities so they can be fixed).
Azimuth’s exploits are used in terrorism cases, and potentially other types of crime such as kidnapping or child pornography as well.
"Think of them as law enforcement friendly. So if [a law enforcement agency] has a case that's hard and they've got legal backing, they help," one source familiar with the company said.
Azimuth also has zero-days for remotely hacking Android devices and iPhones, two sources said.
Indeed, Azimuth employs some of the most prolific iPhone hackers on the planet. At the 2016 Black Hat conference, Azimuth researchers presented their work on the Secure Enclave Processor, the part of the iPhone that handles its most precious secrets, such as cryptographic keys and the user's fingerprint data. One of those presenters is a renowned iPhone jailbreaker who has been picking apart iOS for more than a decade.
At this high tier of exploit development, there is something of a circular door between Azimuth, intelligence agencies, and Silicon Valley, which are all looking to attract hires from the limited pool of people who can hack up-to-date devices.
At one point last year, Azimuth hired a number of the NSA's exploit writers, according to two sources. At least one Azimuth employee worked as a "Capabilities Development Specialist" at the US Department of Defense before moving to Azimuth, according to his LinkedIn profile.
And another Azimuth employee recently went on to work at Apple, where instead of attacking systems, he now helps make them more secure. (Azimuth researchers have also helped fix security issues in widely popular pieces of software. In 2015, Mozilla patched a vulnerability in Firefox, thanks to an Azimuth tip-off.)
This same kind of expertise stretches from Azimuth's research teams right up to the company's management. Mark Dowd, one of Azimuth's co-founders, is a heavyweight in the exploit development community. Along with other co-founder John McDonald, Dowd wrote a highly technical, 1,200 page book about discovering computer vulnerabilities. In 2015 Dowd discovered a security issue in Silent Text, an encrypted messaging program purchased by corporations, and, according to documents obtained by Motherboard through the Freedom of Information Act, the Naval Special Warfare Command.
Dowd declined a request to discuss Azimuth's work, and did not respond to a follow-up email.
Azimuth's Five Eyes-filled client list is likely the envy of other companies in the government hacking space. As Motherboard previously reported, Israel's NSO Group has attempted to buy US contractors in order to acquire their government connections. Zero-day exploit broker Zerodium also recently tried to enter the US market, and many similar companies flaunt their wares at high profile trade fairs for potential agency clients.
Azimuth does not advertise at surveillance shows, though, because it does not need to: It has a bridge to intelligence agencies. Azimuth’s distributor, a much more opaque company called Linchpin Labs, is run by ex-spies, three sources said. According to publicly available business records, Daniel Brooks, Matthew Holland, and Morgan Prior head various branches of Linchpin. In total, five sources confirmed a relationship between Azimuth and Linchpin.
Linchpin Labs did not respond to an interview request.
Little public information is available about Linchpin, which has worked with Azimuth for years. A handful of tech-press news reports from 2007 mention how Linchpin once irked Microsoft by releasing a Windows tool that allowed a user to load unauthorized software onto a machine—which could be viewed as a hacking tool. And several contracts listed online say Linchpin provided "training" to the Australian Federal Police (AFP) and Department of Defense.
Freedom of Information Act requests related to the company and made to the FBI and NSA were rejected—neither agency would confirm or deny the existence of any relevant records. Una Jagose, the then-director of New Zealand’s intelligence agency, the Government Communications Security Bureau, told Motherboard “I neither confirm nor deny the existence or non-existence of the information requested.”
Many of the company's employees and developers are based in Ottawa, judging by relevant LinkedIn profiles. When Motherboard approached Linchpin developers via social media, at least one employee seemingly panicked and removed all mention of the company from their own profile.
Linchpin tells its clients not to share tools among agencies, and may, in some cases, help clients tweak or fix their payload—the piece of software the exploit is ultimately designed to deliver—according to one source. This malware might do everything you would expect a spy to be after: remotely turning on a phone's mic or camera; collecting files stored on the computer, or reading messages. Malware is especially useful for circumventing encryption on messages from apps such as Telegram or WhatsApp: it can record any message before the app encrypts it.
On top of Linchpin’s intelligence agency links, another reason Azimuth’s exploits are sold to relatively few customers is that Dowd, the Azimuth co-founder, cares who uses his company's tools, according to multiple sources.
Other vendors in this space “don't give a fuck about targets. Just profit. Dowd is not like that," one of the sources familiar with Azimuth said. A second source agreed with this characterization of Dowd.
As significant as Azimuth and Linchpin are in the trade of zero-days and related software, they are still just one part of a wide-spanning industry.
Researching and developing zero-days started as a mostly underground pursuit, and then became a word-of-mouth trade. But it has evolved into a professionalized marketplace with a lot of competition.
Kevin Finisterre, a developer who used to write and help broker exploits in the early 2000s, said in the beginning he developed exploits for fun, until someone told him what he did could be sold at a significant price. For years, Finisterre kept developing and releasing exploits in the open, and then retired from the exploit sales markets earlier this decade.
"Everything was very research-focused back then, and the output happened to be something that was valuable,” Finisterre told Motherboard. “Now people know that this stuff is valuable, the prices are ten times what we could've ever asked for back then."
Sergio Alvarez, an independent security researcher who has created exploits both as a freelancer and as an employee of zero-day vendor COSEINC, said “it was very easy to develop exploits” previously. Some security researchers like Alvarez make exploits on their own, which they may then sell to agencies or to companies who provide them to governments.
But as vendors of mainstream computers and programs beefed up their products’ security, hacking got harder. Now, developing an exploit for a modern-day browser such as Chrome, or a mobile operating system like iOS may require a team of researchers, each with specialized skills to weaponize an exploit. Some attacks can take months to craft.
“Because of the mitigations, now you need multiple vulnerabilities to get an exploit,” Logan Brown, president of cybersecurity company Exodus Intelligence, told Motherboard. Exodus sells information about zero-days to clients so they can protect their own networks, but has also sold details of an attack to a law enforcement agency.
Prices for zero-days have risen with the increasing difficulty of breaking into sophisticated software and hardware. According to one source, a full, remote exploit chain for iOS 11 devices (currently the latest operating system for iPhones) that requires no interaction from the target goes for well over $2 million today. And those prices have risen every year, the source added.
For comparison, a remote exploit for Firefox can go for $200,000, one for the Tor Browser can be worth $150,000 or $250,000, and one for Chrome that allows an attacker to escape the program’s sandbox can go for between $500,000 and $1 million, according to people familiar with the market.
The zero-day trade has become more relevant as encryption has become the default for many consumer services, which makes intercepting messages and breaking into hard drives more difficult than it used to be. Apple and Google have started to encrypt their iOS and Android operating systems by default, and Apple, Facebook, and individual apps like Signal, Telegram, and Surespot provide encrypted messaging services.
"Making end-to-end encryption the default for billions of users as WhatsApp and iMessage have done is a game-changer for intelligence collection," Thomas Rid, professor of strategic studies at Johns Hopkins University, told Motherboard. Instead of simply intercepting communications on the wire, agencies may need to go to the source of interesting messages before they are encrypted—the phone, the computer—and break into the device directly.
The FBI has put aside tens of millions of dollars to combat this so-called “going dark” problem. The Department of Justice has repeatedly pushed for tech companies to implement backdoors, which would give agencies more guaranteed access to encrypted messages or hard-drives.
UK politicians have repeatedly complained about the same issue, while rarely acknowledging that the country does possess and use hacking capabilities. (A spokesperson for GCHQ said the agency’s position on encryption was clear: “Encryption is important for computer security and GCHQ advocates its use in the UK as part of good cyber security practice.”)
Traditional military contractors, known for selling tanks, jet planes, or other kinetic weapons, have also moved into the hacking space. Rather than being paid per exploit like many smaller zero-day developers, these giant corporations sign rolling contracts with government agencies.
A plethora of companies now focus solely on offering exploits and other hacking tools to intelligence and law enforcement agencies around the world, typically with customer support and additional products to extract information from target devices. Think of it as hacking-tools-as-a-service.
Most famously, these include Italy's Hacking Team, Germany's FinFisher, and Israel's NSO Group, but the market is saturated with lower-quality, sketchier, offerings too, such as Delhi-based Aglaya or Wolf Intelligence. Some of these, including Aglaya, even have links to the consumer spyware market, where ordinary people can buy basic but functional malware. Many of these firms have controversial client lists, including countries with abysmal human rights records such as Sudan, Ethiopia, and Russia.
And in a slightly different but sometimes overlapping market, the Israeli firm Cellebrite offers in-house unlocking of encrypted iOS devices that cops have physical access to.
Then you have boutiques such as Azimuth; small in size, with maybe a few dozen employees that focus on selling to democratic governments. Azimuth’s researchers are close-knit: Social media posts show them hanging out in a penthouse and kayaking together—activities that wouldn’t be out of place at any other startup.
“These companies aren't doing anything inherently shady,” one source, talking about this part of the exploit industry, told Motherboard. “They are selling software products to people who have the authority to use them in practice. They aren't selling them to malicious actors.”
Besides Azimuth, another company that also works in this space is Immunity Inc., a company created by former NSA staffer Dave Aitel. (Aitel declined to comment.) Some companies in this tier work exclusively with the US government; others work just with Five Eyes agencies. Firms may publicly emphasize their work as security consultants, providing advice on how to keep hackers out, while at the same time creating tools for government hackers to use, and never or rarely speaking about the latter side of their business publicly.
"Almost all of the smaller ones have some kind of cover for their exploit work," one source said.
Azimuth’s website advertises “security assessments” and “penetration testing” for clients, and says it is an “information security consultancy, focused intensely on providing best-of-breed technical services for our clients.” It does not mention its government work on its website.
Linchpin's barebones website makes no explicit mention of the company's type of clients or the products it sells. It suggests the company has offices in Australia, Canada, the UK and US, and says Linchpin offers “expertise and capability in software domains that are typically difficult to resource.” Records in UK business database Companies House say Linchpin conducts "business and domestic software development."
But, to be clear, while western agencies may use hacking in cases of terrorism or other high profile investigations, they can still use the same tools in disproportionate or unlawful ways. In a 2013 child pornography investigation the FBI deployed an exploit against users of a privacy-focused email service, including those not suspected of a crime. The FBI has also used a Tor Browser exploit to hack into thousands of computers across the world using a single legally contentious warrant.
One researcher who left the industry told Motherboard that many vendors do not know how their exploits are ultimately used, although he was not speaking specifically about Azimuth or Linchpin.
“The only way to know with certainty is when you see that your exploit has been used in a public attack. That’s it,” they added. Some contractors may have staff with security clearances who are briefed on or closer to operations, though.
Brown, the president of cybersecurity company Exodus Intelligence, told Motherboard that “short of agreements and all of that, it's really hard to control” how a client may use an exploit. Exodus previously sold a Tor Browser zero-day to a law enforcement agency, which then deployed the exploit in a sloppy, broad manner. It was quickly detected and fixed, rendering the attack much less effective. Brown said blacklisting an offending client may be a deterrent, especially when zero-day vendors communicate with one another.
The exploit market is here to stay, but companies that only sustain themselves by researching and hacking high-value, well-defended targets, such as Chrome or iOS, are going to have a hard time surviving as those targets get tougher and tougher to hack, according to a hacker who used to work in the intelligence community.
“I do see a future where this market is going to be more and more difficult to the point that it won't be a sustainable business model," he said. “You can’t put all your marbles in this one bucket. It's risky."
Azimuth buys hundreds of iPhones for development purposes, according to a source. But in January Dowd tweeted that the company just bought Corellium, a state-of-the-art piece of software that emulates the iPhone, which gives the company an additional way of probing iOS. Dowd said Azimuth is the company’s first customer.
“Sweet,” Dowd wrote on Twitter, referring to Corellium. “This is basically magic.”