The Hacking Team Road Map

The Hacking Team roadmap given below shows us the different ongoing projects that Hacking Team was working on at the time of the hack. The information was translated directly from a Hacking Team email and gives great insight into the working of the organization. The information is detailed and gives information on the various attack surfaces and attack vectors exploited by the company to attack the targets security.

The translated version of the unchanged text -

CARRIERS

· Tactical Active / Passive interception (Marcov et alia)

or increase the number of supported App

or include 'also active attack SMB

or it may also include a password sniffer "traditional"

§ The pictures of facebook are downloaded straight from CDN

§ Some apps that do not verify the SSL certificate to send sensitive data

Two or mode 'attack WiFi

§ Standard TNI (insertion into an existing network)

§ FakeAP (Broadcast network notes)

· Automatic addition of network requests from clients

Two or mode 'of Injection

§ Passive (While browsing web)

§ Enable (Captive / AppLink Injection)



· Fuzzing libraries on Android (Luca)

o Analysis of the crash "eligible candidates" found by the system on fuzzing libraries XML2 and XSLT



· Preparation of a POC of sniffer for Bluetooth keyboard (Andrea)

or We are waiting to receive the necessary dongle

or After viewing the POC we will decide whether and how to add it in the tactical device



· Exploit VLC (Eugene)

or The video can go to play?

or works with the browser plugin?

DESKTOP


· Windows:

o Creation of a new elite (Ivan + MarcoF to v10.1)

§ A version "AV friendly" could replace the soldier

§ Encryption module linked to key device

§ Introduction of technical anti-memory scan



o Support for UniversalApp

§ In v10, and easy to implement, and very popular, otherwise v10.1

o Support OneDrive (Marco)
 

· Monitor the spread of Skype Web (which will 'default on Windows10?)

· Insert Windows 10 machines in RITE

Here instead the features that will be developed for RCS10. The release and 'expected in a neighborhood of ISS USA (October):

- Support for Offline infection on Win10

- Support "social" browser Edge

- New set of certificates that expired after the release of RCS10

- Bugfix for Android

· OSX:

Parsing or local backups of Itunes [Done]

Capture or token iCloud (Giovanna)

or capture images from Photos (Giovanna)

MOBILE

· Android:

or Voice calls on WhatsApp, Line, wechat, Facebook and Hangout! [Done]

or extension of functionality '"SMS invisible" [Done]

Persistence Melted or application even after deleting the [Done]

or Mode '"Fake Off" (Emanuele Fabrizio +)

§ Adding a module that enables / disablita and a related event (when it enters this mode ')

or Create a scout / elite (verrra 'inserted in a 10.x)

New method of infection or Offline (+ Diego Emanuele)

§ Significant Features:

· Bypass PIN

· Auto Root



· IOS:

Capturing or iMessage [Done]



or New Agent iOS (+ Alberto Massimo)

§ No Jailbreak Required

§ Resistant to reboot the phone

§ Invisible in springboard

§ Infection remote one-click (no on iOS9 beta)

§ Capturing Microphone and Screenshot (screenshot of iOS9 beta)

§ If the device and 'jailbroken and / or there' it from cooperating with those who have in hand:

· Hiding more 'high

· Greater quantitiativo data collected

· In v10 will be two separate agents, then eventually will be integrated

§ By the end of July will have 'functionality including' base agent (Massimo)



· BlackBerry:

o Support OS10 (Fabrizio)

§ Almost ready ...
 

· Check whether you can use the Facebook API and Google to make scraping from iOS / Android spoofando application permitted (Fabrizio + Marcov)

or The problem remains of multiple URL schemes (proxy?)

§ The cinesei responded?

· Testing iOS Jailbroken iOS 8.4 (Massimo)
 

VECTORS

· Offline:

or infection UEFI keys bootable (Antonio)

§ The key infected will drop 'to turn a scout

§ It may also be inserted in the old "Infection Agent"!

Infecting or USB device that looks like boot disk (+ Giovanni Antonio)

§ will drop 'the scout and then will carry out' a wipe



Infection or Tails USB UEFI (Antonio)

§ The infection will occur 'at runtime

§ Can be combined with the infection of the boot from "Infection Agent"

or New NTFS driver for UEFI infection (Antonio)

persistent infection or even on OSX and UEFI signed (Antonio)



· Network Injector:

or New set of external antennas for the TNI [Done]

or decrease in the consumption of resources of the TNI (Andrea)

o Creation of a mini-TNI (Andrea)

§ Ruggedized

§ Transportable by a drone (!)

§ Without constraints due to melting

o Creation of a micro-TNI (Andrea)

§ HW of a cabinet

§ Avra a subset of the functionality'





BACKEND

· GUI:

or New graphics

or "Touch Friendly" to be tested on tablet Windows10, when they come out (Eros)

or Mode '"light" to use the console in mobility' or in the presence of networks with very low bandwidth (Eros)

or function in the search tab filesystem [Done]

or interface for sending "SMS invisible" [Done]



· Server:

o Integration Module for the management of the GSM modem [Done]

Installer or one that will update 'automatically all components [Done]

Compliant or 'system to the ISO 27001 [Done]

o Support for Windows Server 2012 [Done]



· CMS:

or The 3 systems (ticketing, licensing and donwload) can expect hosted by separate machines

§ Each machine must 'mount a system of HIPS

or systems that are to be published on the internet (ticekting and download) will use a range of IP addresses and a domain linked to HT



or Licensing:

§ Dovra 'expose an API that returns all encryption keys installer not revoked

· When you create a new client will 'automatically assign one of the encryption keys taken from the pool "spare"

§ Dovra 'have a function of "withdrawal" of a customer or user

· Removes the encryption key for the installer

· Withdrawal of the certificate of the client (on all servers)

· Disable one or more 'user account



or Download:

§ Dovra 'use client certificates to-customer (Apache)

§ The link to download the license will perform 'a script that provides the proper license under the CN of the certificate

· The license will go 'generated on-the-fly

§ Depending on the CN of the certificate each customer access to the latest version that can 'see

· In a separate area you must 'but can also have access to the old installer and licenses

§ The download of the manual will carry out 'a watermarking on-the-fly

§ Access must be possible only by entering the per-user credentials (which are NOT saved locally):

· With an authentication server shared between Ticketing and Downloads

· By enabling access to downloads only through support (with eg a token passed via URL)



or Ticekting:

§ Dovra 'use client certificates to-customer (Apache)

§ The system will support 'to a separate machine to send email notifications: only this machine will know' the real email addresses of customers

§ Having three templates of news to be sent to customers (Major, Minor, Urgent) no sensitive information or version numbers

§ The notifications of tickets to customers do not contain 'body it' title of the ticket