WEBVTT

00:00.000 --> 00:06.140
But what if I told you that the Canadian government actually published a manual, basically a tech

00:06.140 --> 00:13.700
brief, I guess you'd call it, for its own spyware. Now, this is an official RCMP document, right?

00:14.060 --> 00:21.300
Like, it lays out in some technical detail, not totally, it's not all-encompassing, how they

00:21.300 --> 00:29.660
legally hack into phones and computers using what they call an on-device investigative tool,

00:29.840 --> 00:34.100
or ODIT. That's what we'll call it. I don't know if that's how it's actually pronounced,

00:34.340 --> 00:41.200
but that's how we pronounce it. If you're not Canadian, you might not know who the RCMP is,

00:41.660 --> 00:48.300
and that's the Royal Canadian Mounted Police. They're Canada's federal law enforcement agency.

00:48.300 --> 00:55.460
Like, think of the FBI meets your local police department, with horses though,

00:55.960 --> 01:05.380
and now with legal spyware. And before we dig into the tool itself, I just want to kind of explain

01:05.380 --> 01:12.580
something. With a tool like this, it's not anything really new, right? It's basically a

01:12.580 --> 01:19.580
remote access trojan, or RAT, and they've been around forever and a day. GitHub is absolutely

01:19.580 --> 01:26.620
full of them. They essentially let attackers control the system and turn on things like webcams

01:26.620 --> 01:33.960
and record audio and capture keystrokes and take screenshots and access files, all kinds of stuff,

01:34.120 --> 01:38.860
matrix, all kinds of stuff. Governments use them as well, and hackers use them. Everyone

01:38.860 --> 01:45.620
uses them. Even bored teenagers use them. So what makes ODIT different is that it's

01:46.580 --> 01:52.100
government-developed, court-approved, and basically run by a federal agency with

01:53.080 --> 02:00.560
explicit judicial authorization by them. And because the RCMP published their internal

02:00.560 --> 02:06.940
briefing, we got a rare window into how these tools actually work and how they're deployed

02:06.940 --> 02:14.360
at scale, and how they talk about them in their own words, essentially. ODIT installs on your device,

02:14.460 --> 02:21.400
not your device specifically, unless you're on some kind of list and they're tailing you,

02:21.480 --> 02:28.180
or if you're not subscribed. Just kidding, I had to. It targets phones, laptops, tablets, and

02:29.320 --> 02:32.780
basically once it does, it doesn't just watch what you do,

02:33.300 --> 02:39.900
it becomes a part of your system. Think of it like that in-law who kind of moves in and eats all

02:39.900 --> 02:44.860
your snacks and drains your hot water but never actually contributes to the actual heating bill,

02:45.260 --> 02:53.320
except this one's quieter and a lot more invasive. ODIT doesn't really need to break

02:53.320 --> 02:59.580
encryption or intercept traffic. It's already inside your system grabbing data before it even

02:59.580 --> 03:04.860
gets encrypted, or right after it's decrypted, and that's kind of the difference. The encryption

03:04.860 --> 03:11.420
isn't defeated, it's just bypassed, and bypassing is always better than breaking it, in my opinion.

03:11.660 --> 03:16.280
I prefer it in physical security, definitely, but it's cleaner, in my opinion. It's more efficient,

03:16.520 --> 03:23.120
it's less noisy. There's a lot of benefits to it. ODIT is like having an RCMP agent kind of

03:23.120 --> 03:29.160
sitting there watching your screen and reading your messages and watching what your keystrokes

03:29.160 --> 03:36.540
are, but in real time. You're not going to know, and yes, they can absolutely listen to you or

03:36.540 --> 03:41.800
watch you, whatever they want, but here's how it works. It hooks into the actual device as an I/O layer,

03:41.800 --> 03:49.320
which just stands for input/output, and at that point, that's where your interactions kind of

03:49.320 --> 03:55.380
hit the system before actually getting processed or encrypted, as it were, if that's what you're

03:55.380 --> 04:01.680
using. Think of it like tapping a phone right inside the receiver, not out on the pole.

04:02.020 --> 04:09.520
You're grabbing the raw signal as soon as it goes in, so when you type a message, ODIT sees it

04:09.520 --> 04:18.440
in plain text and before your actual secure app actually gets to see it. Now, when someone sends

04:18.440 --> 04:26.660
you a message, ODIT catches it after your app decrypts it. Encryption sidestepping, kind of.

04:26.860 --> 04:32.520
Now maybe you see why I've pushed a lot of the time for operating systems like Tails,

04:32.520 --> 04:40.420
which is amnesiac, or compartmentalization like Qubes. ODIT talks to the RCMP servers over a

04:40.420 --> 04:45.020
C2 channel, and that's basically command and control. It doesn't maintain a constant

04:45.020 --> 04:52.800
connection; instead it beacons at regular intervals, just like normal device telemetry or push notifications

04:52.800 --> 05:01.520
do, and that keeps it somewhat stealthy. Now, some variants randomize the check-in times or do things

05:01.520 --> 05:09.200
like mimic background traffic. What's sent back could include encrypted payloads, IP data, system

05:09.200 --> 05:15.120
status, queued commands. It's basically like a heartbeat. It tells the operator that the tool

05:15.120 --> 05:22.520
is actually alive and it's functioning as expected and listening or watching. So persistence is another

05:22.520 --> 05:28.620
layer, basically. The document doesn't really go into it, which is really unfortunate, but

05:29.200 --> 05:35.140
ODIT clearly has to survive things like reboots, because those happen. Now, this means

05:35.140 --> 05:41.120
privilege escalation, and on Android that might mean abusing device admin settings;

05:41.120 --> 05:47.740
on Windows, it could be something like involving registry changes or DLL injection,

05:47.740 --> 05:53.400
like, whatever the method actually is, it hides itself very deep in the system, often with

05:53.400 --> 06:02.220
root-level privileges. Now, the RCMP isn't just exfiltrating raw data by itself. It's actually

06:02.220 --> 06:08.760
compressing and encrypting and packaging it before it actually gets transmitted,

06:08.760 --> 06:15.220
and probably with a symmetric cipher, and that minimizes things like its size, it protects integrity,

06:15.800 --> 06:22.100
and it conceals the payload. So if you're scanning, like, your outbound traffic and you see

06:22.100 --> 06:29.540
big encrypted blobs heading to RCMP IP addresses, you're pretty much already too late,

06:29.540 --> 06:36.800
but legally the RCMP does this under a warrant, and that's one way that they kind of differ

06:37.380 --> 06:44.180
from the NSA and other intelligence agencies that are out there, from what I understand from

06:44.180 --> 06:50.660
the small amount of research that I did. Canada's law actually requires three warrants:

06:50.960 --> 06:55.260
one for transmission of data, and another for intercepting computer functions,

06:55.760 --> 07:02.920
and a third under Part VI of the Criminal Code in Canada, which is basically for private

07:02.920 --> 07:11.480
communications, but once they've got those in place, the gloves come off. So ODIT can actually grab

07:12.220 --> 07:19.140
stored app data, documents, messages, even stuff like cloud data that's accessible from the device.

07:19.440 --> 07:29.260
Now, this isn't like full forensic imaging; it's much more selective, right? So Canada, the RCMP's

07:29.260 --> 07:37.840
Covert Access and Interception Team, decides what gets pulled, right? It keeps it stealthy and

07:38.700 --> 07:44.660
official, or officially within the scope of the warrant, so they say, but honestly, like, 99%

07:44.660 --> 07:51.040
of the time these tools are absolutely abused. We've seen that across almost every single agency,

07:51.040 --> 07:58.600
including the most technically proficient ones. So ODIT logs everything you type or tap: keystrokes,

07:58.600 --> 08:05.060
passwords, chats, right before encryption kicks in, like, so before, and that's kind of like what

08:05.060 --> 08:11.820
the UK tried with Chat Control, which now they rebranded into something equally Orwellian,

08:11.820 --> 08:19.060
but it takes screenshots, right, periodically or when certain apps are opened up. So, like, imagine

08:19.060 --> 08:23.220
you're checking your encrypted email, right? Too bad, it's already grabbed the screen. So

08:23.220 --> 08:31.340
voice calls, it's the same story: tools like Signal encrypt audio in transit, but

08:31.340 --> 08:38.340
ODIT records it before it's encrypted on your end or after decryption on the other

08:38.340 --> 08:46.600
party's end, so the RCMP then reassembles the stream server-side. And when we talk about things like

08:46.600 --> 08:52.180
video calls, like, does it work on video calls? From what the documentation says, not directly,

08:52.180 --> 08:58.600
but screenshots kind of make up that difference. The microphone can be activated remotely. Signal,

08:58.600 --> 09:05.800
leave it, it records the room, it records conversations, it records ambient sound, right? It's not a

09:05.800 --> 09:13.180
live wiretap, so to speak, but it's more like a hidden recorder that, like, you didn't know you own,

09:13.180 --> 09:18.620
that you take everywhere with you. And the camera as well, let's not forget that: the front or

09:18.620 --> 09:25.480
the back or both, no shutter, no flash, like, no indication whatsoever that it's actually happening,

09:25.480 --> 09:31.780
just kind of silent snapshots in the background. Installation can be physical or remote, just like

09:31.780 --> 09:37.060
any other RAT. There's no difference really with any of this stuff. If they have the device,

09:37.060 --> 09:43.000
they can also sideload it; if not, it's delivered over the network through traditional means:

09:43.000 --> 09:49.160
your exploits and vulnerabilities, or just plain old good old-fashioned social engineering. It

09:49.160 --> 09:56.300
identifies target devices and basically removes itself from other ones, which, it's really discreet,

09:56.800 --> 10:02.320
quiet and targeted, again from its own documentation. So now, if it detects itself on another

10:02.320 --> 10:07.820
device, or the wrong device, it removes itself, so it's fairly discreet and quiet and targeted,

10:07.820 --> 10:17.940
and every so often it checks in, right? It uploads data, gets commands, metadata, IP addresses included,

10:17.940 --> 10:25.980
obviously, that's very handy, geolocation data. Data integrity is verified when it's used

10:26.300 --> 10:33.660
via hashing, so before and after an upload. If it fails the check, the data is basically thrown away;

10:33.660 --> 10:39.700
if it passes, it's deleted from the device. Captured data isn't always sent straight to investigators.

10:39.700 --> 10:47.580
If it includes privileged or irrelevant material, it's stored securely, filtered, and basically

10:47.580 --> 10:53.440
only what's approved is actually handed off, or so the rest of the data is supposed to be

10:53.440 --> 11:00.080
deleted. Do they actually delete it? Who knows, right? Probably not. So they're also saying that if no charges

11:00.080 --> 11:07.700
are actually filed, then the data is also purged. If there are charges, it may be retained through

11:07.700 --> 11:12.040
appeals, and that could be, in the federal system down here, that could be years. I don't know about

11:12.040 --> 11:17.660
Canada, but the target never gets notified. There's no alerts, no performance hits, no antivirus flags,

11:17.660 --> 11:24.340
very small footprint, maximum invisibility. The tool is powerful, it's invasive and it's powerful,

11:24.820 --> 11:32.060
and it's legal, and that's why it matters, basically. When a government RAT comes with a badge and a

11:32.060 --> 11:38.960
budget and a court order, like, the optics might change a little bit, right? They might look cleaner,

11:38.960 --> 11:44.360
but the effect really doesn't. Encryption is irrelevant in that case, but you can't protect

11:44.920 --> 11:51.020
what's already stolen from the inside of your system, and the only reason we're actually having

11:51.020 --> 11:58.600
this discussion is because I think it's interesting to look at government malware, or how they say

11:58.600 --> 12:04.580
they implement it, and because at the end of the day, reading their own documentation about how they

12:04.580 --> 12:11.360
use tools like this can absolutely have an upside to understanding who you're actually

12:11.360 --> 12:16.080
dealing with. And even though this isn't a US-based document, it's not a US agency,

12:16.680 --> 12:21.160
that's fine, because we can still learn from it, we can still look at it and evaluate it and hopefully

12:21.160 --> 12:26.660
get some value out of it. I found it, I thought it was interesting, so I figured I'd make a video

12:26.660 --> 12:31.340
about it. I figured you guys might see it as interesting as well. Let me know what you think

12:31.340 --> 12:35.620
in the comments, I'd definitely like to hear about it. In any case, I did look this up. In

12:35.620 --> 12:39.660
doing some research on this, it was very interesting finding some of the weird articles that would

12:39.660 --> 12:46.380
pop up where they would talk about how they're not using malware on phones, and it was just really

12:46.380 --> 12:52.040
weird. I think it's kind of an open thing now, which is why I ended up actually making this video about

12:52.040 --> 12:56.920
it. If it was something that was still very secretive, I don't know if I actually would have. I would

12:56.920 --> 13:04.040
have to actually get into the whole legally, is it allowed, kind of thing, but whatever. I didn't

13:04.040 --> 13:08.680
do that on this one, I just, I was like, oh look, it's common knowledge, I'm gonna talk about it.

13:08.680 --> 13:14.120
So I hope you guys enjoyed learning about it, I definitely enjoyed reading about it, and the

13:14.120 --> 13:20.080
link for the actual PDF will be down in the description. So thank you for watching, I'll see you in the next video.

