Disagreement over the form of words to be used for a non-disclosure agreement appears to have scuppered nascent discussions between Hacking Team and a subsidiary of Boeing over a flying, hacking, spyware drone.
Insitu, a division of Boeing, was in the classic “talks about talks” stage of negotiations earlier this year with Hacking Team regarding the creation of a spy drone. It was envisaged that the drone would be able to intercept and hack Wi-Fi on the wing, but the discussions were doomed to crash and burn as lawyers for the two companies couldn't agree on which non-disclosure agreement (NDA) to use.
To kick off negotiations, Hacking Team's key account manager Emad Shehata sent Insitu a copy of its standard NDA to “sign and stamp”.
Giuseppe Venneri, a mechanical engineering intern at Insitu, replied: “We are a Boeing Subsidiary and we too have a version of an NDA called a Proprietary Information Agreement (PIA) that must be signed before we engage with potential partners. Signing our PIA (attached) will dramatically shorten the authorisation process at our end.”
Shehata didn't appear to have the authority to carry on negotiations at this point, as the next email in the chain came from Hacking Team's COO, Giancarlo Russo, who wasn't impressed with Boeing's PIA. “I saw your document and it will require additional legal verification from our side regarding the applicability of ITAR and other US Law. (Fyi, under EU applicable law we are not a military equipment but a dual use technology).
“In my opinion for a preliminary discussion our Non-disclosure agreement should be sufficient to protect both company and as you will see it is including mutual provision for both parties and it will make things easier and faster for us,” Russo wrote.
The reply from Venneri was short: “If you are unable to review/sign our form, know it will take some time on our side to seek approval from our Boeing parent. Are you willing to consider our form?”
It would appear that Hacking Team then went silent as a month later there is another email from Venneri to Russo, dated 11 May 2015: “We corresponded with you about a month ago and were unsure about the progress going forward with preliminary discussions regarding any future collaborations. If you could please reconsider our mutual PIA, know that the questionnaire at the beginning of the document is just for gathering information and has no impact on the PIA itself. We have lots of Non-US companies under our PIA. If you or your legal team have any requested changes to our PIA please don't hesitate to add them in the attached document.”
Of course, two months later, Hacking Team itself was hacked, effectively rendering any NDA moot.
While this latest revelation from Hacking Team's emails may sound high-tech, most companies and home users should not be concerned, Martyn Ruks, director at MWR Infosecurity, told SCMagazineUK.com. “Getting close enough to their Wi-Fi network to attack it without being detected is not generally the greatest challenge for the attacker,” he said.
“This story primarily relates to the use of drones to provide accessibility to Wi-Fi networks that would not be possible by other means,” Ruks said. “For example, if there were Wi-Fi networks at remote facilities or in countries where a physical presence would be difficult or dangerous to achieve, this may be an alternative method. The techniques for attacking the Wi-Fi network itself or introducing malware would be similar if not identical to an attack on any other Wi-Fi network, it would just be facilitated from or via the drone's onboard systems.”
However, drones could also be used to attack other systems. “Any wireless communication method including mobile phones could potentially be intercepted or attacked from a distance using this approach. For example, the drone may contain a fake mobile phone base station in an attempt to attack user handsets. The most likely reason for targeting Wi-Fi networks though may be because they are often poorly configured and easier to infect users with malware,” he said.
Brian Chappell, director of technical services EMEAI at Beyond Trust, said: “Ironically, I think the very people they would be targeting are also those who are most likely to be security conscious, not wanting to expose their systems to potential attack.”