Summary
➡ Symantec, a company that once owned VeriSign's certificate authority business (a top root CA) and Blue Coat Systems, a surveillance vendor, is accused in the video of enabling fake certificates for surveillance purposes. Google discovered problems with Symantec-issued certificates and led Apple, Microsoft and Mozilla (Firefox) to distrust them. Symantec then sold the VeriSign certificate business and Blue Coat Systems, leaving it with Norton and LifeLock. The story highlights how much rests on the trust placed in certificates and CAs, and the potential for misuse by legitimate organizations as well as attackers.
➡ If you are worried about someone intercepting your online activity, you can use an app to check for interception. However, some advanced threats might not be detected by the app, especially if they use authentic certificates (for example, a private key obtained from the legitimate operator). To protect yourself further, you could record all the root certificates on your device after a fresh install and check for changes over time. Be aware that blocking certain certificates might stop some services from working. Also, do not assume that just because a site uses TLS or HTTPS you are completely safe.
Transcript
And even if you remove the app, the little bomb remains. In this video, I'm going to tell you what the surveillance bomb is and how it actually cancels out the protections of any device, whether it's a computer or phone, hardened or not. You are not exempt. The whole problem is based on the trust model of the Internet. When big tech says your Internet is secure, you all believe it. But unfortunately it is based on the concept of a hierarchy of trust that is easily broken. The biggest sources of this threat are corporations, definitely governments, and entities that can force you to install things on your phone.
Dropping this surveillance bomb on your phone is done in an obvious way by oppressive governments. But fear not, your presumed free nation is doing it too, though in surreptitious ways. You really need to be aware of this threat, and it is not an easy one to detect. Stay right there. The whole Internet security model today is based on something called PKI, or public key infrastructure. And while that all sounds good when explained to you in theory, today I will tell you why this particular infrastructure is actually being abused for mass surveillance purposes. Unfortunately, this is the security model of basically every Internet transaction today, and there have been many incidents of discovered security breaches using the flaws of this particular architecture.
Any cybersecurity person is already aware of this particular flaw and actually utilizes it to watch traffic on devices they want to monitor. But unfortunately, hackers also know this technique and use it to perform a man-in-the-middle attack. But the worst offenders here are actually governments, because they can set rules that render any Internet encryption that uses this PKI infrastructure null and void. The PKI model, the public key infrastructure, is a security model with built-in pieces that make it work as a tool to encrypt traffic on the Internet. I will just keep the explanation brief, and you can read up on these terms separately if you wish.
The main concept of security, which is now called TLS or Transport Layer Security, is based on the mathematics of using a public key to perform an encryption. The actual mechanics of this encryption are based on a mathematical formula which we don't need to get into. The point, though, is that it is standardized, and the public key is the input into the formula. A public key looks like this. A public key is not a secret. And when you go to any website or any site that wants to perform TLS encryption, the public key is openly provided. It is in fact part of the normal handshaking between Internet devices to initiate encryption.
So public keys are used to encrypt, but to decrypt you must have the private key. This is an important point. Again, there's a standard formula used, and the input to decryption is the private key. The result will be the plain text of the original message. Now, to make it absolutely clear, a person who has a private key can decrypt any traffic encrypted with its matching public key. The Internet is very complex, and it's basically made to self front, so to speak. So way back when Mozilla first invented this infrastructure, they called this SSL, or Secure Sockets Layer.
Certificate Authorities
Having keys isn't enough here. There had to be a distribution system to make sure that anyone can obtain a pair of keys, public plus private. And since the Internet is huge, the way this was organized was through centralized entities called Certificate Authorities, or CAs. Then, to spread the load, each CA subordinates authority to other organizations called intermediate certificate authorities. These intermediate CAs are responsible for distributing, or basically selling, certificates to any entity that wants them. Now, to ensure that each CA is on the up and up, there's a financial bond, so to speak, attached to any entity that wishes to function as a CA.
In the security world they're the equivalent of a bank, and they report to the next CA up the chain, all the way to the very top, or root level, which is like a central bank. The lower-level CAs are typically responsible for distributing TLS certificates for domains. Some of these you pay for and some are offered free, like the ones from Let's Encrypt, which is what I used back in the old days. The original root certificate authority was VeriSign, and this was later sold to Symantec. There's a big Symantec story coming up here, so remember this. VeriSign, being the central bank of certificates, was able to issue root certificates.
Root certificates basically empower the holder with the ability to create a certificate for any domain it wishes. So obviously this is tightly controlled, so that only entities verified to own a domain may get a certificate for it. When a public key is used on the Internet, browsers will not just use the public key to encrypt; they will follow the chain of distribution of certificates until they encounter the root certificate which validates that domain's public key. That root certificate's public key is stored on your device. If the public key is not verified to come from a valid CA, then your browser will give an error message.
This prevents someone from using just any fake public and private keys and ensures that the domain is who it claims to be. So in action, this means that if you go to Microsoft.com, the public key that you encounter on the website www.Microsoft.com is validated against the root certificate to ensure that it is in fact trusted and does not come from a rogue source.
Root Certificates on Devices
In order for all this to work, your devices need to have root certificates already in place. This is typically the job of the operating system, meaning iOS, macOS, Android, Windows and Linux, to make sure that the official root certificates are on your device.
This ensures that your Internet sites can be validated. If you have very old devices that have not been updated, you will find that they may not have up-to-date certificates, and thus you are not able to have any encryption on some domains. This all depends on the dates the root certificates expire. Let's now introduce the problem. Now that we understand the basics here, hopefully, let me tell you some of the problems, and I'll give you real-life examples. One of the problems is that there is really no control over who can install a root certificate on your device.
Again, every cybersecurity person understands this. So to analyze network traffic, an ethical hacker will install a fake root certificate on the device. And since they have the private key, they can then create fake certificates for any domain they wish. This is all automated, of course. If they want to intercept traffic going to google.com, they can create a fake website called google.com, and the certificate will be validated by the fake root certificate. And now the ethical hacker can read the traffic in plain text using a technique called a proxy. Then the traffic is forwarded to the real website, but it was read completely beforehand.
Again, note that the main tool here was to insert a root certificate on your computer. This is very easy to do in Windows and involves writing to the registry. In Linux-like systems, like iOS and Android, it just involves copying the certificate file to the appropriate directory on the machine. For example, here's the contents of the certificate folder on Linux, and here's one with a nice UI using my Brax3 phone.
Dropping the Bomb
Inserting root certificates is pretty simple, and after it's done, no further action is necessary on the device. It's a one-time act.
In some countries, some apps are required to access government services or banking services. For example, there's China's WeChat app, which is also the common payment method there. An app like that, which is government controlled, could very easily insert a root certificate on the device. I've talked to some people from Russia, for example, and when installing some Russian apps, they've noticed particular root certificates appearing on their device. A new possible source is the new Max messenger app in Russia, or the VX app, which are used specifically in Russia. I can't tell you the specific apps that you need to worry about because there are too many possibilities.
The point is that since it is very easy to do, I don't doubt that it is done. Of course, it can be passed to you as a hack attack by having you click on some email that initiates a script to install a root certificate. Or it can be something your corporate IT department will tell you to click on in an email so that your computer is able to access the corporate network. All these techniques result in just installing a fake root certificate.
A Little History of Evil
To show you this in action, let me introduce you to this old story.
It's quite a saga, actually. It involves a company called Symantec, which is now broken up into little pieces and no longer exists. Symantec back in the day bought VeriSign, and again, to refresh your memory, VeriSign was basically the top root CA of the entire public key infrastructure. VeriSign could validate any intermediate CA. Symantec then expanded and bought the surveillance company Blue Coat Systems. It was such a huge deal that the CEO of Blue Coat Systems actually became the CEO of the entire Symantec. Symantec also owned Norton Antivirus, of course, and then proceeded to also buy LifeLock, some scammy identity protection service.
Today the company is called Norton, and LifeLock has now been integrated into the product line together with the antivirus. By the way, to emphasize the manipulation of information here, Symantec does not even come up on Wikipedia anymore. This is the way they change the story and wipe it from history, like in the book 1984. But we will be sure to counter that by revealing the truth right here. Just to give you some background, Blue Coat Systems was a surveillance system company. It made hardware used to basically break Internet encryption and allowed mass surveillance of the entity where it is installed.
It was used for mass surveillance by countries in the Middle East, which I will not name. And it is also used by corporations. The way they did their surveillance at the time was very simple. Since Blue Coat Systems was owned by Symantec and the root CA VeriSign was owned by Symantec, VeriSign granted Blue Coat Systems an intermediate CA authority, which meant that the surveillance division could create any domain certificate it wanted, and it would always be valid, since it is signed by the official VeriSign top-level root certificate, which is on every single computer in the world.
Well, this enabled Blue Coat Systems to basically spy on any Internet traffic anywhere. Since it created the fake domain certificate, it had the fake domain private key and could decrypt any domain, and no one needed to install a fake root certificate. By hacking the root CA VeriSign, they basically inserted themselves in every computer in the world. Well, the evildoers got caught. The hero here, surprisingly, is Google. Google suspected the possibility of intermediate CAs issuing fake Google certificates. And if I recall correctly, some CA in China was caught doing this and was delisted as a CA.
Google spots this by a technique called certificate pinning. They make sure that Chrome knows the valid certificates that Google has, and Chrome checks the signatures of all certificates reported by that browser. Then, if the signature doesn't match what Chrome has pinned on its imaginary wall, it shouts an alarm to Google. Google discovered this and then publicly accused Symantec of evildoing. Then Google gave a date after which all certificates issued by Symantec, including VeriSign, would be banned by Chrome. Seeing the evil here, Apple, Microsoft and Firefox all updated their browsers to do the same thing and ban Symantec certificates.
Symantec had no choice. Basically it killed their sign and of course ruined the reputation of the company, hiding this information from shareholders. Symantec had a fire sale and sold off VeriSign to DigiCert for basically nothing. Blue Coat Systems was included in an enterprise division, and that was sold to Broadcom. And so Symantec was left with just Norton and LifeLock, and is still scamming you every day with these products.
Moral of the Story
The moral of the story is that we assume that certificates, certificate authorities and the whole infrastructure are bulletproof. I wrote a little plan long ago on how to solve this by having a public blockchain that recorded all certificates issued,
so it's immutable and can only be used once. But of course, who will listen to me? I'm just that guy who's the arch enemy of the Graphene community. Therefore I must know nothing. This is a bigger problem, though. Even legit organizations can decrypt certificates if they have the private key. Private keys can be stolen. Some insider at some company could copy the private key and bring it to a three-letter agency. Some three-letter agency could pay an entity to get a copy of the private key. So we have a double problem. We have the problem of (a) legitimate private keys being stolen or (b) fake root certificates with fake keys.
Avast Antivirus
If you want to see the fake root certificate problem in action live, I'll give you an example process.
I want you to install the Avast antivirus app on a PC. Now look at your root certificates, and you will notice that the Avast root certificate, which is fake, is now installed there. Avast is not an official CA, so this is fake. This now allows Avast to watch your Internet traffic, and their reasoning is that this is used to identify phishing attacks. Be that as it may, be aware that from here on anyone in possession of the Avast private key can create fake certificates for any domain. This exercise should show you that all it takes is for an app to quietly install a root certificate, like Avast does, and instead of intercepting the traffic on the device as Avast claims to do, the traffic can be captured at some proxy server, like some Apple Internet relay as a theoretical, and then all the traffic can be scanned.
The problem here is that for governments and corporations there is no incentive to actually fix this, as corporate surveillance systems allow the IT department to scan the traffic inside a corporate network, and government certainly wants this capability to continue to be available. It is a surveillance boon for them.
Defensive Techniques: Detecting an MITM
I wrote an app for Android many years ago, and frankly it has not been updated in a long time, but it still works. It is called Catch Man in the Middle. It is used to detect a man in the middle, meaning it can detect if the certificate is potentially not original, which indicates some entity scanning your network.
There are a few exceptions now where this might give a spurious result, and mostly it applies to google.com, so this is likely not a good domain to check. Anyway, I loaded the app on my Brax3 phone. I downloaded the app from Aurora Store in my case. I don't know if Google Play still distributes the app, but you can get it on apkpure.com as well. So just to demonstrate this, let's try by typing the domain braxme. Let's see what it says, and you will see here that it turns out to be clean. Now let's try it with google.com. This is an example of a site that does not work with this app.
So it will give you a warning. Let's try it out first, and then I'll discuss how it actually works and why it doesn't work here. As you can see here, it gives an alert that there's a man in the middle. The way this app works: it compares the certificate of the website as seen by your device, and then it connects to our server, and the server looks at the same website and looks at the certificate as well. Then the two certificates are compared, and if they do not match exactly, this error comes up. The reason this doesn't work for Google is that they've tricked their systems to use multiple google.com certificates.
Google is its own intermediate CA, so they can do this. So what happens is that since multiple certificates exist instead of a single one, our solution here will likely not find the same exact certificate. A place like Google has many thousands of servers, so this is likely a security measure, since some employee with access could copy a private key. Now, a man-in-the-middle attack is typically global and affects all sites. So searching for a site like Braxme or a bank is good enough to know that there is no mass surveillance being conducted in between networks.
Each certificate has a unique digital fingerprint, and that's what we are comparing here. If both your site and our site are clean, then the fingerprints should match, as I show here. Now, just because this doesn't show a problem doesn't mean there's no problem. That's because the man-in-the-middle proxy may not always be in operation. That's the problem here. The interception can be turned on and off by the operator. And remember that the interception point can be a particular network. For example, if you work for some large corporation, it is more than likely that a fake root certificate is on your corporate computer.
And if the computer is yours, you may have been asked to install something to access the corporate VPN, with something else included, and that is the root certificate. From there, automated systems can record your traffic on the network. And if someone suspects you of doing non-job-related stuff or leaking corporate information, then they will have a record of it. There will be an obvious MITM if the surveillance proxy is loaded at a central government location, like in countries like China or Saudi Arabia; someone is always watching.
Defensive Techniques: Advanced
The more difficult problem to solve is if someone is using the authentic certificate of a company, but through back channels, like via spies or a company greased with payments, some agency will actually just proxy the real certificate and then use the private key obtained on the side to decrypt.
Think of this as possible on the back end. Just as a theoretical, think of the largest email provider in the world, like gmail.com, and while you think you are going direct to the Gmail server, you're actually sending your email traffic to a three-letter agency server that then forwards it to the actual company server after a scan. In this example I just gave of a backdoor, wink wink, sharing of a private key, the Catch MITM app would spot nothing, since the certificate would be authentic. Now, the app I wrote will catch a casual hacker, and I would definitely check sites like bank sites to make sure those are not compromised, which are the usual targets of hackers.
If you fear that someone is intercepting your traffic, run this app to check, and in the absence of an app, ask a friend to give you a screenshot of the certificate of a website and compare it to yours. If there's no man in the middle, both should be the same. But just note that this procedure does not work with google.com, as I said. You can look at certificates on any computer browser like this. Start to understand what certificates look like. Don't just take everyone's word. The other thing I would do if I were worried about a more advanced threat is to actually record all the root certificates on my device after a fresh install or factory reset, then occasionally compare and see if they change.
Now, on my device I blocked all the Chinese CAs, as I don't connect to Chinese sites anyway, so there's no reason to increase the attack surface. But be careful here, as blocking certificates will prevent certain services from running. Like, blocking Chinese servers may block TikTok, but I don't care about that. If you installed Avast on a computer, I would remove it. In fact, I would remove all antivirus from all computers. They're just adding to the attack footprint. Make sure Avast doesn't leave a root certificate on there. I just checked on Android, and Avast did not install a root certificate on mobile.
Maybe it's part of their premium service now, I don't know. But don't assume that because you hear it has TLS or HTTPS that you're safe. It depends, folks. While other channels sustain themselves via sponsorships, we're actively sustained directly by this community, hopefully one that benefits directly from the education we provide. Thank you to those who provide donations to us through Patreon, Locals and YouTube memberships. Our long-run approach is just to offer services and compete in the open market to generate your trust and patronage. This makes me feel like I'm always offering you value rather than feeling like I'm begging.
For those interested in the Brax3 project, that is handled by the site braxtech.net, and you can see the current status of the project there, which currently started shipping. We have other products that you will find in our community area on Brax.me. There are over 120,000 users that are part of our community and that discuss security and privacy issues in a safe environment. Many of you believe in us, and so this community is growing. Some have been involved for more than 310 years. In our store there you will find products like the Google Phones, Brax Virtual Phone, BraxMail, BytesVPN and Brax Router.
These are an essential base for building your personal privacy, and of course they support the creation of content on this channel. Thank you for watching, and see you next time.
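The two checks the transcript recommends, recording the device's root certificates after a fresh install and diffing later, and the Catch MITM idea of comparing the certificate your device sees with the one an outside vantage point sees, as a stand-alone Python example added by the editor. This is not code from the video, from the Catch MITM app or from Brax.me. It assumes the trust store is available as a concatenated PEM bundle (the layout of /etc/ssl/certs/ca-certificates.crt on Debian-style Linux); the certificate blobs inside it are constructed placeholders, since every check works only on the SHA-256 of the DER bytes, which is the fingerprint a browser's certificate viewer displays, and never parses X.509 contents.

```python
"""Root-store baseline diff and two-vantage-point fingerprint comparison.

Added example (editor's code, not the video's, the app's or Brax.me's).
The 'certificates' used in the demo are constructed placeholder blobs.
"""
from __future__ import annotations

import hashlib
import ssl

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def make_placeholder_cert(der_bytes: bytes) -> str:
    """Wrap arbitrary bytes in PEM armour. Constructed stand-in for a real
    certificate: nothing below parses the contents, only hashes them."""
    return ssl.DER_cert_to_PEM_cert(der_bytes)


def fingerprint_sha256(pem: str) -> str:
    """SHA-256 over the DER encoding, the fingerprint a browser shows and the
    value the transcript says the Catch MITM app compares."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()


def split_pem_bundle(bundle: str) -> list[str]:
    """Split a concatenated PEM bundle into individual certificate blocks."""
    blocks = []
    current = None
    for raw in bundle.splitlines():
        line = raw.strip()
        if line == PEM_BEGIN:
            current = [line]
        elif line == PEM_END and current is not None:
            current.append(line)
            blocks.append("\n".join(current))
            current = None
        elif current is not None and line:
            current.append(line)
    return blocks


def trust_store_snapshot(bundle: str) -> set[str]:
    """Fingerprints of every root in the bundle: the baseline to record right
    after a fresh install or factory reset."""
    return {fingerprint_sha256(block) for block in split_pem_bundle(bundle)}


def diff_trust_store(baseline: set[str], current: set[str]) -> dict[str, set[str]]:
    """Roots in 'added' were not on the device at baseline time; an app, VPN
    installer or IT enrolment script is the usual source."""
    return {"added": current - baseline, "removed": baseline - current}


def compare_vantage_points(local_fp: str, remote_fps: set[str]) -> str:
    """What this device sees for a site versus what an outside vantage point
    sees. The outside view is a set of fingerprints collected over several
    connections, so a site that rotates between many leaf certificates (the
    google.com case in the transcript) is not flagged; a certificate the
    outside never saw still is. A leaked genuine key defeats this check, as
    the transcript notes, because the fingerprints then match."""
    return "clean" if local_fp in remote_fps else "mismatch"


if __name__ == "__main__":
    # Constructed data: three roots at baseline, one injected afterwards.
    roots = [make_placeholder_cert(b"constructed root CA %d" % i) for i in range(3)]
    injected = make_placeholder_cert(b"constructed interception proxy root")
    baseline = trust_store_snapshot("".join(roots))
    later = trust_store_snapshot("".join(roots + [injected]))
    print("roots added since baseline:", diff_trust_store(baseline, later)["added"])

    # Constructed leaf certificates for one site: three seen from outside.
    outside = {fingerprint_sha256(make_placeholder_cert(b"leaf %d" % i)) for i in range(3)}
    genuine = fingerprint_sha256(make_placeholder_cert(b"leaf 1"))
    minted = fingerprint_sha256(make_placeholder_cert(b"proxy-minted leaf"))
    print("device sees a rotated genuine leaf:", compare_vantage_points(genuine, outside))
    print("device sees a proxy-minted leaf   :", compare_vantage_points(minted, outside))
```

To use it against a real store, read the bundle file into `trust_store_snapshot` once after a clean install, keep the resulting set, and re-run the diff periodically; on Windows the equivalent baseline comes from the certificate store rather than a PEM file. The comparison only answers whether the device is being shown a certificate the outside world does not see, which is why it says nothing when interception is switched off at the time of the check or when the interceptor holds the site's genuine private key.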
See more of Rob Braxman Tech on their Public Channel and the MPN Rob Braxman Tech channel.