Ex-Twitter Security Lead Asked To ‘Set Up Saudi Surveillance Operation’

Mobily, a major Saudi Arabian telecoms firm, reached out to privacy advocate and ex-Twitter security researcher Moxie Marlinspike to see if he was interested in helping set up a major surveillance operation.

That’s according to Marlinspike (pictured), who claimed in a blog post he was approached by Mobily to help set up a big man-in-the-middle operation to snoop on mobile users of Twitter, WhatsApp, Viber and Line.

He claimed he was asked by Yasser D Alruhaily, executive manager of the network and information security department at Mobily, to help monitor and block mobile data communication.

Orders appeared to have been passed down by the Saudi government, according to Marlinspike, as they were given by “the regulator”, according to the email correspondence he had with the supposed Mobily contact.

Scary Saudi surveillance?

Marlinspike told TechWeekEurope he was convinced the Mobily contact was genuine, even though they appeared to lack some technical panache. “They were technical enough to get WhatsApp interception running the way I would have done it,” he wrote over Twitter.

Neither the Saudi government, nor Mobily itself had responded to TechWeek requests for comment.

As for how the surveillance would work, Marlinspike said design documents pointed to abuse of the certificate authority (CA) system, with the creation of SSL certificates, which the government would supposedly use to convince application users their conversations were safely encrypted and hidden from prying eyes.

Anyone who has ownership of a certificate, however, can pretend to be part of a trusted CA chain, whilst intercepting messages.

“A considerable portion of the document was also dedicated to a discussion of purchasing SSL vulnerabilities or other exploits as possibilities,” Marlinspike wrote in his blog.

“Their level of sophistication didn’t strike me as particularly impressive, and their existing design document was pretty confused in a number of places, but Mobily is a company with over $5 billion in revenue, so I’m sure that they’ll eventually figure something out.

“They later told me they’d already gotten a WhatsApp interception prototype working, and were surprised by how easy it was. The bar for most of these apps is pretty low.”

When Marlinspike told the contact he was not interested for privacy reasons, they said the operation was designed to catch terrorists. They even had the cheek to suggest Marlinspike was aiding terrorists by not participating in the initiative.

“What Mobily is up to is what’s currently happening everywhere, and we can’t ignore that,” he added.

Exploit sales fears

Marlinspike also took the opportunity to talk about the surveillance risks associated with the market for security exploits, which TechWeek covered in a major special report last year. He fretted over US government-purchased zero-day vulnerabilities that could end up in the hands of regimes such as those in Saudi, used to spy on citizens.

“I’d much rather think about the question of exploit sales in terms of who we welcome to our conferences, who we choose to associate with, and who we choose to exclude, than in terms of legal regulations,” he added.

“I think the contextual shift we’ve seen over the past few years requires that we think critically about what’s still cool and what’s not.”

Are you a pedant on privacy? Try our quiz!