Titolo: More precisions about the keylogger found in Italy

In october 2018, an article was published on several websites about a keylogger surveillance software found in Italy on a computer, and installed by cops. This article can be read in multiple languages :

Although this example of surveillance is rather outside our subject (we want to limit ourselves to studying physical surveillance devices, as mentionned in our call for contributions), we found interesting to talk about it anyway.

We received by email precisions concerning this surveillance software, which explain some things that were left unexplained by the article from october 2018. We summarized below the new informations. These informations should be treated with caution, considering that the surveillance software couldn’t be analyzed properly (the hard disk of the computer infected by the surveillance software was erased after the software was found).

  • The operating system of the infected computer was Windows.

  • The software was installed remotely through Internet. It stayed on the computer for four years. When the computer was re-installed/formatted, the surveillance software was installed again remotely through Internet.

  • Apparently, the software needed a constant Internet connection to spy and send the collected informations. It wasn’t capable of saving the data locally to send them later.

  • The software was able to record the text typed on the keyboard, to take periodic screenshots, and, depending on the security measures on the computer, to record communications sent and received (visited web pages, etc).

  • The presence of the software was discovered thanks to investigation files.

The software was supplied to the carabineri (italian cops) by the italian company Neotronic. Below, an extract of the presentation of the software by Neotronic, translated to english :

It should be noted that the NID system (Neotronic Internet Decoder) is able to obtain in clear all the communications sent/received by the targeted user, not protected by unassailable cryptographic techniques. If in the course of the wiretapping encrypted communications emerge (such as Black Berry communications in encrypted mode, Skype, encrypted VoIP, HTTPS web pages, etc.), it is possible to make the content of such communications interpretable, after evaluation of the security measures taken by the user (firewall, antivirus, anti-malware, etc.) and of the applications used, through the use of our IT agent Enhanced Law Enforcement Neotronic Agent (ELENA), which can also provide the periodic snapshoot of the desktop of the target computer, and the text typed on the keyboard connected to the computer used by the target user (including encrypted mail).

Des oreilles et des yeux