What is the Red Team Lab?
The Red Team Lab is one of several in-kind services offered by OTF. Through the Red Team Lab, OTF strives to accomplish the following:
- To strengthen the security of open-source internet freedom software by providing auditing services. The lab offers third-party services focused on improving the software security of projects that advance OTF’s internet freedom goals. Audits ensure that the code, data, and people behind the tools have what they need to create a safer experience for people experiencing repressive information controls online.
- To engage in public safety audits. This allows the lab to audit and reverse-engineer potentially malicious apps deployed by governments or state-sponsored actors, which may be putting users at risk through a grave privacy and security overreach.
The lab does not focus on the ongoing development of new features (including software maintenance) in existing software, the creation of brand new tools, emergencies and other rapid response needs, or support of the underlying infrastructure of a project. The Internet Freedom Fund, Rapid Response Fund, or Engineering Lab are the more appropriate support mechanisms for these needs respectively.
I- Auditing Services
By providing auditing services, the lab strives to validate the privacy and security claims of software and to advance projects' software security best practices.
The lab will prioritize supporting the following projects:
- Internet freedom efforts, tools, and software currently or previously supported by OTF
- Efforts that fit within OTF’s remit, but for various reasons, may not be current or previous recipients of OTF funding
Projects the Lab seeks to support
Some examples of applications the Red Team Lab will review are the following:
- An internet freedom project seeking a security audit of their software
- An internet freedom project looking for short-term support for remediation of known vulnerabilities
- An internet freedom project looking for a security architecture and design review in the early stages of a project from a trusted and capable third party
The ideal applicant is a software developer, project lead, systems administrator, or an information security technologist who can speak on behalf of a software project that has the ability to adequately respond to and maintain the lab’s output after the support is concluded.
If an applicant appears to be unable to respond or be responsible for the outputs of the lab-supported effort, the application may not be considered competitive, may be dismissed, and/or may be directed to apply to one of OTF’s other more appropriate funds.
How does it work?
The primary work is reactive, based on reviewing and responding to issues in pre-existing software.
The lab will provide specific, short-term support to people or organizations representing software projects within OTF’s Internet freedom remit. The lab will offer access to services made available by the lab’s security partners.
OTF reserves the right to publish and reuse audit findings as we deem necessary and appropriate. This includes publishing the report in its entirety, or after redacting sections that could cause unnecessary risk or compromise the safety of users. The applicant is given 90 days (or longer) to remediate the vulnerabilities discovered.
OTF reserves the right to conduct a peer review of our audits for validation, quality assurance, and improvement.
II- Public Safety Audits
Malicious software is increasingly being introduced by repressive governments to reduce or remove their citizens’ ability to communicate safely and privately, and to exert widespread surveillance upon them. This software is typically released in the form of a mobile application, which governments either encourage or mandate their citizens to use.
Anyone may apply to the lab and report a potentially malicious app. Some example scenarios include the following:
- You suspect that a country is using X consumer technology to surveil their citizens or a minority group
- You suspect that X enterprise technology has an encryption backdoor that was purposefully placed, and verification would require reverse engineering skills
- You suspect that internet access within a particular country is being intercepted and monitored via HTTPS interception, and verification would require an investigation at the device level
- You suspect X company’s public statements regarding their technology might be misleading or inaccurate (for instance, “we support end-to-end encryption”), and verification of these claims is crucial to user safety and protection
- You suspect that a device has been hacked, and that a user is being surveilled and monitored by state-sponsored spyware
- You have access to hardware or software used to intercept, surveil, or monitor private citizens and want to investigate it
In order to qualify for a public safety audit, an application should raise one or more of the following concerns:
- The app is created by, associated with, or sponsored by a government
- There is suspected malicious activity and/or rumored vulnerabilities (even if there is no evidence of it yet, since acquiring that would be the goal of the audit)
- There are suspicious or excessive permission requests
- There is stealthy or forced installation by government entities
- There is a large and/or involuntary, unconsented target audience
The Public Safety Audit then strives to 1) determine whether or not an application is malicious, and if so, 2) establish to what extent there has been a data and privacy overreach.
Who can request a Public Safety Audit?
Anyone can report an application with suspicious activity to the Red Team Lab and request a security audit of it using the application form. OTF will then determine whether or not the request is within remit and within the scope of the Lab, and whether or not there is credible evidence to suggest that the application is worth auditing.
Where appropriate, Red Team Lab auditors will manage the coordinated responsible vulnerability disclosures for public safety audits. Following an appropriate disclosure window, security audits may be posted publicly on OTF’s website.
Examples of Previous Work
The Red Team Lab has conducted several public safety audits; some of our past work includes the following:
- Study The Great Nation: an educational app by the CCP which boasts technical capabilities beyond what it purports to do, and maintains a high level of access to a user’s device.
- IJOP: an app that CCP police and other officials use to communicate with the Integrated Joint Operations Platform, the main system Chinese authorities use for mass surveillance of Uyghurs and other Turkic Muslims in Xinjiang. The program aggregates data about people and flags those it deems potentially threatening, some of whom are then detained and sent to political education camps and facilities.
- Feng Cai: an app used by security forces in China to scan and collect a large amount of information from tourists’ or other travelers’ phones, with the data then uploaded to a local file server over clear-text HTTP without any protections.
- JingWang: an app that local police in China are forcing residents to install, which then searches for “illegal” images, prevents the installation of other applications, and sends details about the device to a government server.
How to Apply
Submit an application to our Red Team Lab here!
The form will ask questions to ensure the applicant’s overall effort is within remit, that they are requesting services we are capable of offering, and that they are capable of responding and maintaining what we provide after OTF support.
Who are the Lab’s Security Partners?
Audits supported through the Red Team Lab are conducted by the following service partners:
- Include Security
- Radically Open Security
- Trail of Bits
- Eaton Cybersecurity SAFE Lab
Questions, comments, feedback?
The best place to start is to review, join, and add to the public discussion at we.opentech.fund. If there is a need to contact us directly, feel free to email [email protected]