Updated: Mozilla and Microsoft have taken action against a certificate authority accused of having close ties to a US military contractor that allegedly paid software developers to embed data-harvesting malware in mobile apps.
The CA, TrustCor, denies this, but has not responded to direct questions at time of publication.
After a lengthy discussion between staff at Mozilla and Apple, security researchers and the CA itself, Mozilla program manager Kathleen Wilson said the org’s concerns were “substantiated” enough to set a distrust date of November 30 for TrustCor’s root certificates.
The back and forth took place on Mozilla’s dev-security-policy (MDSP) mailing list, and you can read the full discussion there. Microsoft didn’t participate in the conversation; instead, TrustCor executive Rachel McPherson claimed that Microsoft had set a distrust date of November 1 for her company’s certs.
“Microsoft gave us no advance notice of this decision,” McPherson said.
“We have never been accused of, and there is no evidence to suggest that TrustCor violated conduct, policy, or procedure, or wrongfully issued trusted certificates, or worked with others to do so. We have not done any of those things.”
Apple said in its comments that it concurred with the views of other commenters, and that the findings “lend themselves to reasonable doubt about [TrustCor’s] ability to operate as a publicly trusted CA.”
As of writing, TrustCor’s certificates still show up in Apple’s list of trusted root certificates, and it’s unclear if the iMaker plans to take action of its own.
The anatomy of a trust breakdown
The entire TrustCor affair goes back to early this year, when University of Calgary professor and AppCensus co-founder Joel Reardon discovered data-harvesting malware in a collection of Android apps that had been downloaded more than 46 million times.
The infected apps included a speed camera radar, Muslim prayer apps, QR scanner, weather app and more.
According to Reardon, Panama-based Measurement Systems was the company that developed the code. The Wall Street Journal, in its report on Reardon’s findings, said it had found ties between Measurement Systems and a Virginia defense contractor doing cyber intelligence, network defense, and intelligence intercept work for the US government.
The apps were pulled, though some have since returned to Google Play with the offending code removed.
Reardon kicked off another discussion in mozilla.dev.security.policy on November 8, in which he and UC Berkeley’s Serge Egelman reported on their digging into Measurement Systems.
Per the pair, Measurement Systems’ website was registered by Vostrom Holdings, which does business as Packet Forensics, a company Reardon said sells lawful intercept products to government agencies.
Measurement Systems and TrustCor are both registered in Panama, were registered only a month apart, and have the same set of corporate officers, Reardon said.
The pair also investigated an encrypted email service run by TrustCor called Msgsafe, which they said sends email in plaintext over TLS. Reardon said he’s “not convinced there is E2E encryption or that Msgsafe cannot read users’ emails.”
Reardon emphasized that he had “no evidence that Trustcor has done anything wrong” or “has been anything other than a diligent competent certificate authority.”
However, he added: “Were Trustcor simply an email service that misrepresented their claims of E2E encryption and had some connections to lawful intercept defense contractors, I would not raise a concern in this venue. But because it is a root certificate authority on billions of devices – including mine – I feel it is reasonable to have an explanation,” Reardon said on the public discussion board.
TrustCor’s McPherson attempted to answer questions posed by Mozilla and others in the thread, but despite the company’s insistence that Reardon’s info was out of date, and that TrustCor and Packet Forensics had no ongoing business relationship, the authorities weren’t convinced.
Comments in the discussion thread appeared to be less concerned about the alleged links, and more concerned with the fact that TrustCor couldn’t provide satisfactory answers.
“The original concerns, except the potential links to a spyware operation, didn’t feel like grounds for distrust to me. However, the way this CA approached the claims leaves me with no trust in their operations,” said cryptographer Filippo Valsorda.
Others echoed similar sentiments, saying that McPherson’s answers weren’t sufficient for a company with as much online power as a Certificate Authority.
“Our assessment is that the concerns about TrustCor have been substantiated and the risks of TrustCor’s continued membership in Mozilla’s Root Program outweigh the benefits to end users,” Mozilla’s Wilson said.
We’ve contacted TrustCor to learn what it plans to do, but haven’t yet heard back. ®
Updated to add
“The ‘Measurement Systems’ Reardon confirmed that he found was registered in the United States of America, and that ‘Measurement Systems’ was NOT registered by any of the same people or companies as a similar (but different) named company ‘Measurement Systems S. de R.L.’ registered in Panama,” McPherson has told The Register.
“Measurement Systems S. de R.L. registered in Panama appears to have had a shareholder OF A SHAREHOLDER in common with TrustCor at one point of time in the past. The ‘Measurement Systems’, registered in the United States, is the one that Reardon claims to have ties to other companies.”