Written by Patrick Howell O'Neill

Large public places, such as airports or shopping malls, have already been turned into surveillance free-for-alls, where people’s every move is catalogued for the sake of profit. Now, one prominent company is ready to help governments spread that same surveillance technology over entire cities.

Israeli company Jenovice Cyber Labs is poised to launch new products that monitor everything from prisons to heavily populated areas, depending on what exactly customers want, CyberScoop has learned. It’s a particularly provocative product coming in the wake of DHS detecting Stingray cellphone spying devices across Washington, D.C., but all too easy to fathom based on the way companies make millions off the collection of location-based data.

Jenovice’s Metropolink, which is only available for law enforcement and intelligence agencies, is sold as an “autonomous” surveillance system meant to monitor entire metropolitan areas. The capabilities list reads like hacker tech from a Jason Bourne movie: It’s advertised as being able to locate, list, map, track, analyze and visualize all Wi-Fi networks and identities across whatever environment a customer chooses.

The product works thanks to a network of sensors placed around a large populated area that track devices by identifiers including, but not limited to, MAC address and geolocation. Targets are usually phones that are broadcasting and collecting Wi-Fi information by default.

Product advertising lists the technology as “passive,” an important distinction that’s subject to less regulatory oversight than active attacks and exploits found in other products. Similarly, in many countries, Metropolink doesn’t require a warrant, the company says.

Categorizing the product as “passive,” however, doesn’t tell the whole story. Like the company’s long-distance Wi-Fi interception device Piranha, Metropolink can easily be used to inject malicious payloads into targets, according to a Jenovice employee. That capability can be added with a license upgrade.

Metropolink sensors possess a default collection range of about 500 meters, which can be enhanced depending on the hardware. The sensors then pass the data to a command center where its visualized for easy consumption. The company also promises that the devices can detect and track targets moving at high speeds in cars or motorcycles.

Another product Jenovice will launch is Prisonlink, a surveillance kit designed for the smaller and more specialized environment of prisons. The product materialized after correctional officers in multiple countries told Jenovice that prisoners use Wi-Fi connectivity to communicate with the outside world, which is often against prison rules. In addition to tracking unauthorized phones and Wi-Fi networks, Prisonlink can gather information on devices and disconnect a target device from their Wi-Fi access point.

The last entry in Jenovice’s new product line is perhaps the most opaque. Achilles Cloud Interception boasts the ability to “use and connect keys to extract cloud account information” from iCloud and Google accounts remotely “in a fully automated and silent process.” The company says the product steals authentication tokens, granting full access to a targeted account. Credential extraction requires physical proximity to a system like Metropolink.

When asked, Jenovice declined to further explain how the product works. Token-based authentication is ubiquitous on the modern web; it’s how you stay signed in to virtually everything. If Achilles works as advertised, it’d be a major weapon in a customer’s arsenal.

CyberScoop hasn’t seen or heard of Achilles being successfully demonstrated in a meaningful way.

The new product announcements will be made at the upcoming June 2018 ISS World conference in Prague, a global conference for the surveillance and hacking industries. On the second day of the conference, Jenovice’s vice president for research and development Tal cis giving a talk on “tactical Wi-Fi interception” focusing on “identifying targets, acquiring them and manipulating Wi-Fi enabled devices to extract intelligence.”

Money to be made

Gleichger said the company hasn’t received any outside funding and is already selling its products “all over the world.”

While the company gives users to ability to inject malicious code onto targets, Jenovice customers can use the company’s own exploits or integrate with third party technology. One option is for customers to lean on the lucrative and well-known exploit industry, led by Israel’s Q Cyber Technologies (formerly known as NSO Group). That company makes over $200 million in sales per year, according to one employee.

Instead, Jenovice sells the “passive” tools so that exploits can be plugged into any particular mission. Jenovice stresses that it has no input, access or knowledge of customer operations once the training and sale is complete.

Much of Metropolink echoes the tech from Snoopy, a 2012 research project from Glenn Wilkinson and Daniel Cuthbert focused on stealing data from mobile devices by imitating Wi-Fi networks and intercepting data traffic. That research proved the idea was possible by snooping on traffic in subway stations across London.

A similar surveillance research project is CreepyDOL by Brendan O’Connor. CreepyDOL tracks Wi-Fi signals as a way to follow smartphones across a targeted area. Snoopy surveils and identifies targets by tracking the radio signals — not just Wi-Fi — that virtually all devices emit.

O’Connor, who demonstrated many of the same techniques at the DEFCON security conference five years ago, called the tactics “terrifyingly easy” to execute.

“[Metropolink] looks like a carbon copy of Snoopy,” O’Connor said. “Snoopy used laptops as the sensors specifically so they can be flipped into active interception and attack mode.”

The same is true for Metropolink. In the years since the original research, O’Connor says it really hasn’t become much more difficult to surveil large areas in much the same way.

Cuthbert agreed.

“About a year and a half after the media from Snoopy attention died down, we started to hear numerous rumblings about companies taking the code, packaging it up and selling it off in different ways,” said Cuthbert. “Everything we did in 2011 and 2012 is what [Jenovice has] done now.”

O’Connor said he’s very recently been contacted by multiple government organizations in the U.S. in efforts to build and deploy similar large-scale surveillance systems. He isn’t alone. Other prominent private sector cybersecurity executives told CyberScoop that they had recently heard an increase in overtures from government organizations — countries weren’t specified — on the exact same topic.

Yet the point of all the previous research was to fix what researchers like O’Connor said were profound privacy problems that could lead to large-scale surveillance.

Gleichger told CyberScoop that the earlier research “reminds” him of Jenovice’s recent work.

“We took it to a different place,” he said.

Update, 5/21/17: We’ve added clarification to a paragraph describing Jenovice’s Metropolink. Customers looking to engage in active attacks can integrate with third party technology or use Jenovice’s own products. A former Jenovice employee originally said the company didn’t develop its own exploits but Gliechger, Jenovice’s vice president of R&D, denied that they don’t develop such technology.