Early in 2017, a hacker gained access to the servers of Retina-X Studios, a Florida-based company that makes so-called “spyware” software used to snoop on unsuspecting people’s smartphones. While the marketing around these products is geared towards parents who want to surreptitiously view everything their children do on the family smartphones, the reality is that there are as many or more customers for these products among jealous lovers, snooping co-workers, and criminals looking to gain access to others’ smartphones without being detected. The 2017 hack of Retina-X Studios involved gaining access to their servers, made possible by the PhoneSheriff application storing its API key and credentials in plaintext, and then deleting information off of those servers. It was unclear at the time exactly what the motive for the hack was.
Now the same hacker has done it again, however, and has made his motive for hacking Retina-X Studios very, very clear.
“None of this should be online at all,” the hacker told Motherboard, claiming that he had deleted a total of 1 terabyte of data.
“Aside from the technical flaws, I really find this category of software disturbing. In the US, it’s mainly targeted to parents,” the hacker said, explaining his motivations for going after Retina-X. “Edward Snowden has said that privacy is what gives you the ability to share with the world who you are on your own terms, and to protect for yourself the parts of you that you’re still experimenting with. I don’t want to live in a world where younger generations grow up without that right.”
While a hack of this sort is surely criminal, the ethics behind it shouldn’t be ignored. Technological advances create wonderful tools for all of us, but they also create tools that can be abused. We’ll leave questions about ethical parenting aside, as that’s not really what we cover here on the EMPIST blog, but we certainly do discuss the intersection of technology and security. It’s frankly amazing how often technology is defeated by inept or plainly stupid security decisions. Storing any sort of credentials in plaintext, as Retina-X did, is a failure, particularly given the kind of data and information the company stored on its servers. The hacker in this case was able to get information from devices that had PhoneSheriff installed, such as a readout of text messages sent and received on those devices, any pictures or videos that had been taken using them, and call histories. Again, that sensitive and private information was stored on publicly facing servers with the API key and credentials stored in plaintext.
Apparently Retina-X had made some changes since 2017 in an attempt to stop this sort of thing, but it clearly wasn’t enough.
This time, the hacker said, the API key was obfuscated, but it was still relatively easy for him to obtain it and break in again. Because he feared that another hacker would get in and then post the private photos online, the hacker decided to wipe the containers again.
If nothing else, this should drive home that all companies that host sensitive information about their clients or themselves, which is to say all companies everywhere, should be taking data security and password policies very seriously. Plaintext is the last word anyone with data security competency wants to hear. If you don’t have a firm understanding of data security for your business and your personal life, develop one. If you need help setting the security policy for your business, get that help.