Independent researchers in Egypt have identified what appears to be a new technical avenue for state surveillance: manipulation of the two-step verification process.
Many activists, journalists and regular citizens throughout the world use two-step verification (see below) on social media and email services in order to bring a new layer of security to their communications. But now, it appears that state actors may be exploiting this feature for their own gain.
In Egypt, as in many countries around the world, the state controls the telecom infrastructure and the private telecommunications companies run the services and the networks. During the uprisings on 25 January 2011, the state famously coordinated a sequence of shutdowns on different communications systems. But censorship is only part of this dynamic of control.
How does two-step verification work?
With 2-step verification turned on, a user will receive an SMS (or voice call) whenever attempting to log in, as a way to authenticate access to the account.
Without two-step verification, most of us log in to our email accounts simply by typing in a password. But many services offer this extra step, wherein the system will require an additional piece of proof that you are “really you”. This extra step is based on something the user knows (the password) and something the user has (the mobile).
A common extra step is for a system to send a unique, secret code to a user’s mobile phone when he or she attempts to log in to the account. Only when the user has entered both the password and the secret one-time code is the login process complete.
In December 2015, Egypt blocked Facebook’s “Free Basics” mobile app. While many were quick to focus on the blocking as an act of censorship, multiple outlets reported that the blocking was due to Facebook’s refusal to let the Egyptian government spy on users of the app.
For Internet users, these and other similar incidents prove that mass surveillance and targeted surveillance can happen easily. In Egypt, leaked documents and technical research also have proven that government agencies are purchasing malicious hacking technologies and coordinating with private telecom companies as part of their ongoing interest in eavesdropping on the communications of their citizens.
Now, by using more sophisticated tools and resources (as documented here, for example, in the use of Blue Coat and RCS products in Egypt), the state no longer depends on the telecom companies to get access to citizens’ data and communications information.
This means that phone calls, text messages and geographical location (GPS) are easily logged and accessible for Egyptian authorities to see, without any due process or appropriate legal protections. If an officer “wants to” have this information, he can have it. And this gives the state easy access to the information of activists.
So who can target high profile activists? Theoretically, non-state actors could target activists using tools obtained on the black market. But practically speaking, and since Egypt's ecosystem is very closed and state-controlled, the state and state-associated groups are the main perpetrators of this type of surveillance.
Two-step verification is regularly recommended as a simple way to mitigate this type of surveillance. But it becomes a weak point when the state gains access to a person's accounts by intercepting the incoming messages to their mobile.
How are state actors exploiting this feature?
As a user, if you forget your password for a particular platform, you can often recover your password by asking the platform to send a unique code to your mobile. When you receive the code, you enter it in the platform as a way of verifying your identity. In Egypt, however, thanks to strong state control over telecommunications infrastructure, it appears that state actors have been using this feature to their gain. They attempt to access activists’ accounts by selecting the “forgot password” option, and then intercept (or block) the code sent to the activist’s mobile phone. This allows them to reset the activist's password and effectively take over his or her account.
Although you can later switch to a code-generator app on your mobile to obtain the codes instead of receiving an SMS, this is only possible after activating two-step verification and providing your mobile number, and that is the situation with most services.
Independent researchers in Egypt have evidence that the security and intelligence sector in Egypt now has the ability to target activists and Internet users by sending them phishing links to gain access to their accounts and remotely control their computers. But these new findings suggest that they are coordinating with the private telecom sector in new ways as well.
Multiple high-profile activists have been targeted in this way in the past few years. Most recently, on 26 March 2016, this model was used to target prominent award-winning journalist and blogger Wael Abbas, as part of a bigger hacking campaign. His Gmail account was also targeted: he received an email notification from Google in his inbox that read: “state-sponsored attackers may be attempting to compromise your account”. On his mobile, Wael received a fake pop-up message telling him to update the software. The message seemed strange to him, and it was different from the usual update and upgrade notifications that are sent to Android devices. The message even had a typo.
On 30 March 2016, Mohamed Gaber, a well-known graphic designer and activist (aka Gue3bara), reported getting a password-reset SMS without requesting one. On 1 April 2016, award-winning human rights advocate and journalist Nora Younis reported getting two such notifications. With her password in hand, a person could make multiple attempts to log in to her account.
These and other experiences show the vulnerability of two-step verification in cases where an adversary is capable of SMS interception.
How do I know if I’m being targeted this way? If I’m worried, what should I do?
The only way to avoid such targeting is by removing any and all mobile numbers from all your email and social media accounts. An alternative solution is to use secondary email accounts as your recovery options.
And as always, it is important to use a unique, strong passphrase instead of a password and avoid using the same phrase or variations on that phrase on any two of your accounts.
If you need help…
Individuals with accounts on Facebook, Yahoo and Hotmail have most commonly had these problems, likely due to the technical security systems of these platforms (no cases have been reported thus far with Google or Twitter).
To update account settings on any of these platforms, take the following steps:
- From Hotmail Account: sign in here https://outlook.live.com. Click on your avatar on the top-right and select ‘View Account’. Click the ‘Security & Privacy’ tab and select ‘More Security Settings’ on the left. This will load the ‘Security Settings’ page displaying the information you added. Scroll down and opt to remove your mobile number.
- From Yahoo Account: sign in here https://mail.yahoo.com. Click your name on the top-right corner and select ‘Account Info’. After the page loads, select ‘Account Security’ from the right. You may be asked to log in again. At this point, you will see your recovery phone number. Remove it.
- From Facebook Account: Sign-in here https://www.facebook.com. Click on About. From the list at the left, select Contact and Basic Info. Scroll down until you see your mobile number. Remove it.
Ramy Raoof is a technologist, privacy and digital security consultant in Egypt. Find him on Twitter at @RamyRaoof.
Mohamed Najem contributed research for this post.