Microsoft and Mozilla have taken action against a certificate authority that is purportedly linked to a US military contractor who allegedly paid programmers to insert malware that collects user data in mobile apps.
The CA, TrustCor, disputes this, but as of the time of publishing, it had not responded to specific inquiries.
After a lengthy discussion between staff at Mozilla and Apple, security researchers and the CA itself, Mozilla program manager Kathleen Wilson said the org’s concerns were “substantiated” enough to set a distrust date of November 30 for TrustCor’s root certificates.
You may read the entire conversation that took place on Mozilla’s dev-security-policy (MDSP) mailing list. Microsoft stayed out of the discussion, but TrustCor executive Rachel McPherson reported that the company had been given a mistrust date of November 1 for its certificates.
“Microsoft gave us no advance notice of this decision,” McPherson said.
“We have never been accused of, and there is no evidence to suggest that TrustCor violated conduct, policy, or procedure, or wrongfully issued trusted certificates, or worked with others to do so. We have not done any of those things.”
According to Apple’s remarks, the findings “lend itself to reasonable doubt about [TrustCor’s] ability to operate as a publicly trusted CA,” and the company agreed with other commenters’ points of view.
As of this writing, TrustCor’s certificates are still included among Apple’s trusted root certificates; it is unknown if the iMaker intends to take any more action.
The components of a trust crisis
Joel Reardon, a professor at the University of Calgary and co-founder of AppCensus, first identified data-harvesting malware in a group of Android apps that had been downloaded more than 46 million times at the beginning of this year.
A speed camera radar, Muslim prayer apps, a QR scanner, a weather app, and other apps were among the infected ones.
Reardon claimed that Measurement Systems, situated in Panama, was the organisation that created the code. Reardon’s findings were covered by the Wall Street Journal, which claimed to have discovered connections between Measurement Systems and a Virginia defence contractor working for the US government on cyber intelligence, network defense, and intelligence intercept projects.
The apps were withdrawn, though several have already made a comeback on Google Play without the problematic code.
On November 8, Reardon and Serge Egelman of UC Berkeley started a new conversation in the Mozilla development mailing list about their investigation into measurement systems.
According to the two, Vostrom Holdings, which trades as Packet Forensics and which Reardon claimed sells legal intercept products to government organizations, registered Measurement Systems’ website.
Measurement Systems and TrustCor have the same group of corporate officers and are both registered in Panama. They were both registered less than a month apart.
The two also looked into Msgsafe, a TrustCor-operated encrypted email service that they claimed sent email in plaintext across TLS. Reardon claimed that neither E2E encryption nor the claim that Msgsafe cannot read users’ emails have him convinced.
In his statement, Reardon made it clear that he had “no evidence that Trustcor has violated any laws” or “has been anything other than a diligent competent certificate authority.”
However, he added: “Were Trustcor simply an email service that misrepresented their claims of E2E encryption and had some connections to lawful intercept defense contractors, I would not raise a concern in this venue. But because it is a root certificate authority on billions of devices – including mine – I feel it is reasonable to have an explanation,” Reardon said on the public discussion board.
Unacceptable responses
Mozilla and other participants in the thread posed questions that TrustCor’s McPherson attempted to respond to, but the authorities weren’t persuaded despite TrustCor’s claims that Reardon’s information was outdated and that it didn’t continue to do business with Packet Forensics.
Comments in the discussion thread seemed to be more upset about TrustCor’s inability to respond satisfactorily than they did about the alleged links.
“The original concerns, except the potential links to a spyware operation, didn’t feel like grounds for distrust to me. However, the way this CA approached the claims leaves me with no trust in their operations,” said cryptographer Filippo Valsorda.
Others echoed similar sentiments, saying that McPherson’s answers weren’t sufficient for a company with as much online power as a Certificate Authority.
“Our assessment is that the concerns about TrustCor have been substantiated and the risks of TrustCor’s continued membership in Mozilla’s Root Program outweighs the benefits to end users,” Mozilla’s Wilson said.
Suggest an edit to this article
Check out our new Discord Cyber Awareness Server. Stay informed with CVE Alerts, Cybersecurity News & More!
Remember, CyberSecurity Starts With You!
- Globally, 30,000 websites are hacked daily.
- 64% of companies worldwide have experienced at least one form of a cyber attack.
- There were 20M breached records in March 2021.
- In 2020, ransomware cases grew by 150%.
- Email is responsible for around 94% of all malware.
- Every 39 seconds, there is a new attack somewhere on the web.
- An average of around 24,000 malicious mobile apps are blocked daily on the internet.
