Meet Toka, the Israeli cyber firm founded by Ehud Barak, that lets clients hack cameras and change their feeds – just like in Hollywood heist movies
Omer Benjakob, Haaretz, December 26th, 10:13 AM IST
On January 10, 2010, Hamas’ point man with the Iranians, Mahmoud al-Mabhouh, was assassinated in Dubai. A month later, the local police force stunned the world – and Israel – by painstakingly piecing together hours of closed-circuit TV footage. The videos were combed to trace the 30 Mossad assassins’ steps and reveal their faces.
If Israel’s espionage agency had the technology currently being provided by the Israeli cyberfirm Toka 12 years ago, it’s likely the hit squad would have never been identified.
Toka was co-founded by former Israeli premier Ehud Barak together with the former Israel Defense Forces cyber chief Brig. Gen. (ret.) Yaron Rosen – and its capabilities are being revealed here for the first time.
The company sells technologies that allow clients to locate security cameras or even webcams within a given perimeter, hack into them, watch their live feed and even alter it – and past recordings – according to internal documents obtained by Haaretz and reviewed by a technical expert. Its activities are regulated by the Israeli Defense Ministry.
It was set up in 2018 and has offices in Tel Aviv and Washington. It works solely with state clients in government, intelligence bodies and law enforcement agencies, almost exclusively – but not just – in the West. According to the internal documents, as of 2021, the company had contracts with Israel valued at $6 million, and had also planned an “expansion of existing deployment” in Israel. Toka did not respond to Haaretz’s queries regarding its activities in Israel.
Niche operator
Cameras play a number of roles in regards to national security and defense.
Last month, Iranian hackers leaked footage of the deadly terrorist bombing that had taken place at a bus stop in Jerusalem the previous day. It was lifted from one of many security cameras installed by an Israeli security agency for surveillance purposes. According to the Israeli state broadcaster, Iran gained access to that camera a year ago. Toka’s product is intended for such scenarios, and much more: hacking into a camera network, monitoring its live feed and accessing its archive, and altering them – all without leaving any forensic trace.
While Israeli cyberoffense firms like the NSO Group or Candiru offer bespoke tech that can hack into popular devices such as smartphones and computers, Toka is much more niche, a cyber industry source explained. The firm links the worlds of cyberoffense, active intelligence and smart surveillance.
As well as co-founders Barak and Rosen, the company is run by two CEOs from the world of cyberdefense: Alon Kantor and Kfir Waldman. Among the firm’s backers are venture capitalists Andreessen Horowitz, an early investor in Facebook (its co-owner Marc Andreessen still has a seat on the Meta board; Meta is currently suing Israeli spyware maker NSO Group).
According to a company pitch deck obtained by Haaretz, Toka offers what it terms “previously out-of-reach capabilities” that “transform untapped IoT sensors into intelligence sources,” and can be used “for intelligence and operational needs.” (IoT stands for Internet of Things and refers here to web-connected cameras and even car media systems.)
Toka, per the documents, offers tools that allow clients to “discover and access security and smart cameras,” survey a “targeted area” and “stream and control cameras” within it over time, and target cars, to “wirelessly” provide “access” and extract what Toka terms “car forensics and intelligence” – in other words, the geolocation of vehicles.
The services are bundled together and Toka clients, the documents boast, will be able to gather visual intelligence from both “live or recorded videos.” They can even “alter feeds” of “audio and visual” recordings to allow “masking of on-site activities” during “covert operations.”
Security and web cameras have mushroomed in recent years and can be found everywhere: traffic intersections, street corners, malls, parking lots, hotels, airports and even our homes – from baby monitors to smart door buzzers. In order to broadcast a live feed that we can access via our phones or desktops, these cameras must connect somehow to the internet.
Toka’s system taps into these cameras and the different systems supporting them. This can be used for both operational and intelligence needs. For example, during a terror attack, a police force using the technology can remotely track the movement of fleeing terrorists across the city. It also allows covert collection and altering of visual data, which can be invaluable for military ops or criminal investigations.
Dystopian tech
In the 2001 heist movie “Ocean’s Eleven,” the elite crew led by George Clooney and Brad Pitt hack the closed-circuit TV system of the Las Vegas casino vault they are trying to break into, diverting its feed to a mock safe they built in a nearby warehouse. The casino security teams are effectively blind, giving the suave thieves time to crack the safe.
Twenty years on, this is no longer the stuff of movies: Toka’s tech allows clients to do just that and more – not just diverting a live feed but also altering old feeds and erasing any evidence of a covert op.
Technical documents reviewed by an ethical hacker prove that Toka’s tech can alter both live and recorded video feeds – all without leaving any forensics or telltale signs of a hack (in contrast to NSO’s Pegasus spyware, or Intellexa's Predator, which leave a digital fingerprint on targeted devices).
“These are capabilities that were previously unimaginable,” says human rights lawyer Alon Sapir. “This is a dystopian technology from a human rights perspective. Just its mere existence raises serious questions.
In theory, such tech can be abused, he says, “One can imagine video being manipulated to incriminate innocent citizens or shield guilty parties that are close to the system, or even just manipulative editing for ideological or even political purposes should it fall into the wrong hands,” he says.
Sapir explains that, legally, “intelligence collection is a sensitive issue. Despite a lack of legislation, the police deploy mass surveillance means they may not be fully authorized to use: technology like the HawkEye system, which no one knew about until the media revealed its existence”
Any video that is manipulated, he says, is inadmissible in an Israeli court as evidence. “A scenario in which someone is accused of something and doesn’t know if the evidence presented against them is real or not is truly dystopian. The current law does not begin to address situations like these.”
For Palestinians in the West Bank, the legal situation is totally different, he notes. “Take for example the Blue Wolf facial recognition technology, used by the IDF to keep track of Palestinians. The West Bank is Israel’s defense establishment testing ground – and a scenario in which Toka’s tech is deployed unbeknownst to anyone is simply terrifying.”
Sapir adds: “There have been cases in which video evidence helped refute false claims made by settlers and soldiers, and helped save innocent Palestinians from jail. We’ve also seen cases in which video evidence has been tampered with in the past.”
Toka said in response to this report that it “provides law enforcement, homeland security, defense, and intelligence agencies with software and a platform to aid, accelerate, and simplify their investigations and operations. Toka was founded to give military, intelligence, and law enforcement agencies the tools they urgently need and deserve to lawfully, quickly, and easily access the information they require to keep people, places, and communities safe.”
Toka further noted that it works only with the U.S. and its allies and conducts a “rigorous, annual review and approval process that is guided by international indices of corruption, rule of law, and civil liberties and aided by outside advisors with extensive and reputable expertise.”
Cyber of Things
Smart appliances in the IoT world (from refrigerators to light bulbs) usually use Bluetooth to connect to a wireless internet in order to work. However, as Donncha Ó Cearbhaill – an ethical hacker and researcher with expertise in investigating government spyware and other forms of state surveillance – explains: “Those Bluetooth and Wi-Fi interfaces may contain software flaws that later leave the devices open to attack by sophisticated threats.”
Cearbhaill continues: “An attacker may only need to compromise a single IoT device to get deep access to a network. For example, after compromising an IoT light bulb over Bluetooth, an attacker could use this initial access to extract the Wi-Fi password stored on the light bulb itself. With this password, the attacker could connect directly to the target Wi-Fi network and subsequently perform traditional surveillance and network attacks against devices and software running on the network.”
Protecting smart devices has become the hottest trend in cyberdefense in recent years. New firms have begun providing IoT cybersecurity for clients big and small – and Israel is considered a pioneer in the field. Toka shows Israel is a leader in the field of IoT cyberoffense, too.
In the early 2000s, Israel’s military and defense establishment – and specifically its cyber units – were already developing such capabilities, says a local source active in the field. “If I had to break into a secret site, even 20 years ago the second or third thing I’d probably do is try to figure out what type of security cameras it has,” they add.
According to Cearbhaill, in recent years “we’ve begun to see the large-scale exploitation of vulnerable IoT devices that were publicly exposed on the internet. An attacker who finds a vulnerability in a closed-circuit TV digital video recording or some network storage system can trivially scan the internet and compromise unpatched devices that are located anywhere in the world.”
He says that security cameras are usually bought and installed at scale and few change their default settings – including their password. This means that anyone with basic tech and web know-how can easily find the IP address through which these cameras are broadcasting or connecting to the internet. In the darker recesses of the web, there are actually sites that offer users the ability to switch between random online feeds broadcasting openly online. Sometimes you get a camera surveilling a far-flung water desalination facility in the desert; sometimes it’s an abandoned parking lot or warehouse – and sometimes it’s a couple in bed.
Cearbhaill says it’s impossible to know if Toka is only allowing clients to find already exposed cameras, exploit known security loopholes by scouring the web or developing their own exploits (or hacks) – or perhaps even a combination of all three.
However, reviewing their technical documents, he says “it appears that Toka has an interest in targeting devices over wireless interfaces such as Bluetooth or Wi-Fi, which is most relevant for tactical attacks where the operator is in the same physical location as the target closed-circuit TV or IoT system.”
He explains that though there may be many different types and makes of cameras, “devices from different vendors often use common wireless chipsets developed by third-party hardware manufacturers. Attackers who have found a flaw in such a chipset could use the same flaw to attack multiple different products built from the same base.”
He adds that “once the attackers have gained access to the camera or local network, they can copy or redirect traffic to their own systems, or potentially block or modify the video stream that is being sent.”
‘Tools they need and deserve’
Toka’s documents reveal the states with which Toka was in touch: Israel; the U.S.; Germany; Australia; and Singapore, a nondemocratic country. As of last year, talks for deals were also taking place with U.S. Special Operations Command (USSOCOM) and a U.S. “intelligence” agency.
It is unclear who in these countries had access to Toka’s tools, both in Israel and abroad and under what terms they are sold. The firm is listed on the website of International Defense Cooperation Directorate of the Israeli Defense Ministry (SIBAT), which means it is recognized as an official defense exporter. The Defense Ministry, as is its policy, refused to confirm whether Toka or any specific company is under its oversight.
In response to this report, a company spokesman said that, “Toka provides law enforcement, homeland security, defense, and intelligence agencies with software and a platform to aid, accelerate, and simplify their investigations and operations. Toka was founded to give military, intelligence, and law enforcement agencies the tools they urgently need and deserve to lawfully, quickly, and easily access the information they require to keep people, places, and communities safe.
“Toka is unable to disclose who our customers are. We can say that Toka only sells to the U.S. and its closest allies. Under no circumstances will our company sell our products to countries or entities sanctioned by the U.S. Dept. of Treasury or disallowed by the Israeli Defense Export Control Agency – limiting our potential clientele to agencies in fewer than one-fifth of all countries in the world. Toka does not sell to private clients or individuals.
“On top of that, Toka conducts a rigorous, annual review and approval process that is guided by international indices of corruption, rule of law, and civil liberties and aided by outside advisors with extensive and reputable expertise in anti-corruption practices.
“Toka is regulated by the Israeli Ministry of Defense, and as such, is prohibited from disclosing its products’ security mechanisms. While Toka has never encountered illegal usage of its products, if it did, Toka would immediately terminate that contract.”
Nessun commento:
Posta un commento