According to various security experts who have sifted through the roughly 400GB of internal documents leaked online, it seems the Hacking Team’s tools are not all that impressive:
For example, Microsoft Office programs are packaged with a Flash exploit, while Internet Explorer is partnered with Flash, Java, and Word 2007 exploits. The list is recent; the Flash examples are dated April 2015.
But researchers aren’t impressed.
“Everyone is all worried about exploits and 0day and these guys had crap,” the information security expert known as thegrugq told Motherboard in a private Twitter message.
“The Java version is old, the Word version is old. I wouldn’t expect anyone to have much success with those,” thegrugq continued. Indeed, the Java exploit applies to Java versions up to 8.25, which was released in October last year. Since then, Java has been updated several times.
This mishmash of relatively old exploits is hardly A-game material. “This is like fielding a Sunday football league team against a team made up of random people on a subway car,” thegrugq added.
Hacking Team also made use of vulnerabilities that had already been publicly disclosed, especially to attack mobile platforms. Security researcher Justin Case tweeted that the company’s Android tools used two public vulnerabilities, for example. Some attacks on iPhones also required the devices to be jailbroken, which makes iPhones less secure because they don’t receive any of the usual security updates from Apple.
No matter how impressive these tools may look at face value, governments across the globe were paying Hacking Team a lot of money for them simply because buying them is a lot less expensive than developing the same tools in-house.
This sounds like a ringing endorsement for never jailbreaking an iPhone.