Similar to IMSI catchers, these devices are the next generation of surveillance for law enforcement.
Just when you thought that surveillance technology couldn't get any more invasive, along comes a device that can steal your social media passwords, grab your emails, siphon your Dropbox contents, and build a detailed profile of your digital life, if your phone is close enough to it.
That's the promise made by "InterApp," a small black-and-white box that targets smartphones, offered by Rayzone Group, a surveillance company from Israel. Rayzone Group calls the product an "Apps and Cloud Interception System."
Forbes was the first to mention the product in a recent article detailing a surveillance trade show in Paris in November. Motherboard found brochures for InterApp, as well as Rayzone Group's other products, online.
The product brochure says that InterApp "does not require any cooperation from the phone owner. The only required condition is that the WIFI transmitter of the mobile device will be open (No need to surf the web)."
In short, Rayzone Group's website claims that an InterApp device is able to steal the data of "any phone user" within its proximity.
The box can apparently pinch data from a number of different smartphone models (a screenshot of an iPhone is included in the brochure, but no mention of specific brands is made), and purports to be able to steal a treasure trove of information from a device: email addresses, passwords and content, social media passwords, the contents of a target's Dropbox, their previous locations, contact list, photos, internet browsing history, and more technical details such as the device's MAC address, model, and operating system.
InterApp is marketed to intelligence and law enforcement agencies, and has similarities to an IMSI catcher, a device that can obtain certain details about a person's phone, calls and text messages in a local area, and which is often deployed in crowded areas or at protests. InterApp instead focuses on data such as passwords and photos. It claims to require "minimum training," and "no technical skills" to use, and judging by screenshots on the website, the information collected is presented in a user-friendly graphical interface.
The brochure recommends that several of the devices could be installed to monitor a larger area—an airport, for example—while leaving "no trace" on the target's smartphone. It claims that the product can handle "hundreds of mobile devices simultaneously."
"I don't answer to any journalist," Ron Zilka from Rayzone Group told Motherboard in a phone call. "All the equipment is only for governments."
"I wish you all the best. I got your email, and I wish not to respond," he said.
"It looks like it's a relatively new capability," a spokesperson from Privacy International told Motherboard in a phone interview. The spokesperson asked to remain anonymous as they often attend surveillance trade shows.
The spokesperson said Privacy International had come across a similar product before, in 2014. Developed by Wintego, "WINT," another small device, claims to obtain similar data to InterApp.
It's not totally clear how InterApp or WINT gain access to a target's data, however. InterApp's website says that it relies on "smartphone application vulnerabilities."
"Either they collect data from apps that leak it in clear[text], or they compromise the device, but it doesn't sound like [the latter]," Claudio Guarnieri, an activist and security researcher who monitors the surveillance industry, told Motherboard in an online chat. He was also sceptical about the device's true capabilities. "In many cases when we get to learn more, it turns out they're not as good as advertised," he said. "The power of this system relies on how credible the vulnerabilities they claim they have are."
In its brochure, Wintego claims that the product uses "active measures" to extract data, and that it "gains access to target devices in various scenarios."
Although there may only be a few companies offering this sort of product at the moment, the promise of easily obtaining highly sensitive data from smartphones is no doubt an attractive one to police and intelligence agencies. If InterApp and similar products haven't already been bought up and deployed, they will be soon.