They thought they were downloading Skype. Instead they got spyware

Internet-filtering equipment likely sold by a Canadian-founded technology company played a part in surveillance and covert redirecting of users in Turkey and Egypt, a new report from the University of Toronto's Citizen Lab suggests.

Users in Turkey were redirected using network-filtering technology likely sold by a Canadian-founded company

A new report suggest that internet-filtering equipment sold by a Canadian-founded technology company played a part in surveillance and covert redirecting of users in Turkey and Egypt. (Kacper Pempel/Reuters)

Since last fall, Turkish internet users attempting to download one of a handful of popular apps may have been the unwitting targets of a wide-reaching computer surveillance campaign.

And in Egypt, users across the country have, seemingly at random, had their browsing activity mysteriously redirected to online money-making schemes.

'When you have this middlebox which is capable of filtering and modifying people's internet traffic, pretty much the sky's the limit.'- Bill Marczak, The Citizen Lab

Internet filtering equipment sold by technology company Sandvine — founded in Waterloo, Ont. — is believed to have played a significant part in both.

That's according to new research from the University of Toronto's Citizen Lab, which has examined misuse of similar equipment from other companies in the past. The researchers say it's likely that Sandvine devices are not only being used to block the websites of news, political and human rights organizations, but are also surreptitiously redirecting users toward spyware and unwanted ads.

Using network-filtering devices to sneak spyware onto targets' computers "has long been the stuff of legends" according to the report — a practice previously documented in leaked NSA documents and spyware company brochures, the researchers say, but never before publicly observed.

"When you have this middlebox which is capable of filtering and modifying people's internet traffic, pretty much the sky's the limit in terms of what you can do," said Bill Marczak, one of the authors of the report.

'Dual-use' technologies

The report is a stark reminder of how internet filtering equipment designed for legitimate uses — such as managing network capacity — can also be abused.

The governments of Both Turkey and Egypt have for years used internet-filtering technology to monitor activity, crack down on dissent, and restrict free expression online. Such devices are currently exempt from internationally agreed upon export control laws governing "dual-use" technologies.

The researchers acquired a secondhand Sandvine PacketLogic filtering device with Procera livery, and compared the behaviour of their device to the traffic patterns observed in Turkey and Egypt. (The Citizen Lab)

A spokesperson for Global Affairs Canada said the government was "concerned by allegations of the misuse of Canadian-made technology, including reports of its use in inappropriately preventing free access to the internet." 

Elizabeth Reid said in a statement the government would "continue to engage with our partners on the review of this type of technology."

In January, the government established a new ombud role to "investigate allegations of human rights abuses linked to Canadian corporate activity abroad."

Waterloo, Ont.-based Sandvine was purchased by U.S. private equity firm Francisco Partners last year and merged with another computer networking company, Palo Alto, Calif.-based Procera. The resulting company operates under the Sandvine name.

In a statement, Francisco Partners said its companies are mandated to "operate in accordance with applicable law and strict ethics policies and practices, which include the protection of human rights," and has asked Sandvine to investigate.

Company vows to 'take appropriate action'

In a statement, Sandvine did not directly address Citizen Lab's findings, saying it had not been given a chance to review the full report.

Citizen Lab director Ron Deibert says providing the full report to Sandvine in advance would infringe upon Citizen Lab's rights to both academic and free expression.

"The technical details we provided are sufficient for Sandvine to investigate and respond," Deibert said in a statement.

He says Sandvine has threatened Citizen Lab with legal action.

Sandvine said it had started a preliminary investigation, and would "either validate or refute the Citizen Lab's claims and take appropriate action in accordance with our business ethics policies" once it had sufficient data and a copy of the full report.

The company says it employs "strong safeguards to ensure adherence to our principles of social responsibility, human rights and privacy rights," and has an ethics committee that reviews potential sales for risk of misuse.

Users redirected to spyware downloads

Citizen Lab researchers believe that the company is nonetheless enabling surveillance to take place in Turkey.

They say Sandvine's PacketLogic filtering technology operated by Turk Telecom was, until recently, configured to silently redirect users toward downloads infected with spyware — a technique known as a man-in-the-middle (MITM) attack.

The website of the Avast antivirus app in February, showing an HTTPS padlock while automatically starting an insecure file download. The lack of HTTPS on the file download means that targeted users in Turkey and Syria will instead receive spyware. (The Citizen Lab)

In this configuration, the Sandvine filter inspected traffic that passed through it, looking for attempts to download popular apps like VLC media player, Avast Antivirus and unofficial distributions of Skype.

If such a request came from one of 259 targeted IP addresses identified by Citizen Lab, the request would be redirected to a malicious copy — without the user knowing. If installed, the user would have been silently infected with spyware.

But there is a catch: the connections had to be unencrypted for the filter to see them taking place. For this reason, many websites now serve content, including file downloads, over encrypted connections, to thwart MITM attacks.

Citizen Lab's researchers observed this behaviour in five Turkish provinces. However, it's difficult for the researchers to say how many users may have been targeted, or who the intended targets were — in part, because many users could be sharing the same IP address.

The injection of spyware briefly ceased in mid-February, only to resume this week, Marczak said.

Users sent to marketing sites

In Egypt, the researchers observed legitimate network traffic being redirected in a different way — not toward malicious files but to affiliate marketing websites, and to websites configured to mine cryptocurrency in visitors' web browsers.

They call this type of activity AdHose. It appears designed to make its operators money covertly, but who is behind it remains unclear.

Locations of the targets of spyware injection in Turkey and Syria. (The Citizen Lab)

Citizen Lab observed AdHose operating in one of two ways. In so-called spray mode, all users are indiscriminately redirected when their web traffic passes through the filter for a short period of time. In trickle mode, only visitors to certain sites are redirected. Previous findings suggest this practice has been in place since at least August 2016.

Sandvine's equipment is believed to be located very near, if not at, one of Egypt's four submarine cable landing sites, operated by Telecom Egypt, where all internet traffic enters and exits the country.

Findings 'inaccurate': Sandvine

It's not clear whether Sandvine employees working in Turkey or Egypt helped configure the devices, or were aware they had been configured to behave as documented by Citizen Lab.

To further back up their findings, the researchers acquired their own PacketLogic filtering device secondhand, and compared the behaviour of their device to the traffic patterns observed in Turkey and Egypt.

They say it is possible that someone could have copied the PacketLogic design and code to exhibit the same behaviour, or that the devices could rely on publicly available code that is also used by others, but that this is unlikely based on the code's distinct design.

Sandvine disputed Citizen Lab's findings, calling them "technically inaccurate and intentionally misleading," without going into specifics.

"There are many products on a network that are capable of redirecting network traffic," the company said, describing the feature as "technology that is commonly included in many types of technology products."

The Turkish and Egyptian embassies in Ottawa did not respond to a request for comment.


Matthew Braga

Senior Technology Reporter

Matthew Braga was the senior technology reporter for CBC News, where he covered stories about how data is collected, used, and shared.