Flight Simulator Passwords Trojan Might Lead to Legal Liability

After designing the impenetrable maze that was the labyrinth (to restrain the half-man, half-bull Minotaur), Icarus was imprisoned by King Minos. To escape, he set his sights on flying—designing wax and feather wings that he and his son Daedalus used to fly. When, in a fit of hubris, his son flew too close to the sun, the wax melted, the wings failed and Icarus sat by helplessly as his son came crashing into the water and drowned.

One moral of this story is that one should not tempt the fates with hubris—acts better left to the gods themselves. This lesson might best be absorbed by Flight Simulator developer Flight Simulator Labs (FSLabs), which reportedly developed an innovative solution to software piracy—the kind that Daedalus might be proud of.

According to various published reports, the software manufacturer installed within the software a program that included the Chrome Password Dump tool. When a Google user uses the Chrome browser, the browser stores various passwords and userid’s of the user. That way, when the user logs on to a password-secured website using the browser, the user need not remember the password for that website, but rather can trust the browser to auto-fill the password window with the appropriate information for that site. The password dump tool can be used to recover all a user’s stored userid’s and passwords, or by a hacker to, well, do the same thing. It’s just a tool; whether it’s legal or not depends on who uses it or not.

Apparently, what FS Labs did was to embed the Chrome Password Dump tool into its base flight simulator package. Installing the flight sim software also installed the password grabber, but it would only be “invoked” if, after downloading the flight sim program, the user attempted to activate it using a compromised, stolen or inauthentic serial number—in other words, a pirated code. FS Labs called this a DRM (Digital Rights Management) feature.

In a statement on its website,  FL Labs said:

Hello all,

we were made aware there is a reddit thread started tonight regarding our latest installer and how a tool is included in it, that indescriminantly [sp] dumps Chrome passwords. That is not correct information – in fact, the reddit thread was posted by a person who is not our customer and has somehow obtained our installer without purchasing.

I’d like to shed some light on what is actually going on.

1) First of all – there are no tools used to reveal any sensitive information of any customer who has legitimately purchased our products. We all realize that you put a lot of trust in our products and this would be contrary to what we believe.

2) There is a specific method used against specific serial numbers that have been identified as pirate copies and have been making the rounds on ThePirateBay, RuTracker and other such malicious sites.

3) If such a specific serial number is used by a pirate (a person who has illegally obtained our software) and the installer verifies this against the pirate serial numbers stored in our server database, it takes specific measures to alert us. “Test.exe” is part of the DRM and is only targeted against specific pirate copies of copyrighted software obtained illegally. That program is only extracted temporarily and is never under any circumstances used in legitimate copies of the product. The only reason why this file would be detected after the installation completes is only if it was used with a pirate serial number (not blacklisted numbers).

This method has already successfully provided information that we’re going to use in our ongoing legal battles against such criminals.

We will be happy to provide further information to ensure that no customer feels threatened by our security measures – we assure you that there is nothing in our products that would ever damage the trust you have placed in our company by being our customer.

So essentially, the company is saying that it only runs the password grabber on those who attempt to register pirated software, so everything is hunky dory. If you’re not committing a “crime” then you have nothing to worry about, right? (Unless, of course, the company is wrong in thinking that the S/N the user enters was posted on The Pirate Bay.)

A few observations:

  • First, using a “pirated” serial number to activate software is generally NOT illegal, although it is unlawful. Words matter. Copyright infringement—the use of, say, someone’s copyrighted software without or in excess of a license—is generally a civil violation (unlawful) that may entitle the copyright holder to compensatory or statutory damages. Only when it is done to a certain extent and for commercial advantage does it rise to the level of a “crime” and therefore illegal.
  • Second, the fact that someone may be committing a crime against you does not authorize you to commit a crime against them. Two wrongs don’t make a right, right?

Which then begs the question: Is the installation of a password dump program, which is intended in this case to act as a beacon or tracker, illegal?

Magic 8 Ball says: Situation hazy … ask again later.

At the outset, we have to be clear about what the FS “malware” did and did not do. And that appears to be in some dispute. Clearly, the program scanned the installed program for a “pirated” code, and if it was present, installed and activated the text.exe program. This transmitted something back to the mothership. So there’s something happening here, what it is ain’t exactly clear. According to a technical analysis of the code, the file invokes the password grabber, captures an output file from that grabber, encrypts the output file, and then sends that encrypted file (via HTTP, not HTTPS) to FS Labs. Presumably, the encrypted output file sent to Flight Simulator Labs was the deciphered userid’s and passwords stored on the Chrome browser. According the FS Labs, it retrieved the passwords used on specific pirate boards used for pirating the FS Software, explaining  that:

With our P3Dv4 installer, we discovered through more detailed installation logs that there was a specific set of pirate data that came up over and over again – so we decided to target that set of data directly. As a result, we made our server listen for a specific subset of data sent from the installer and when that was triggered, to dump that cracker’s information needed for us to gain access to those illicit web sites, so we could then forward the information to proper legal authorities.

So, Is it Legal?

Assuming that the software does what it claims to do, it would dump the credentials used by a person who attempted to install the software using a pirated code, but presumably only the credentials for the pirate website—and not all of the credentials.
First, of course, FS Labs is running code on people’s computers (both pirates and others) without their express consent, and which likely does things that the person did not consent. This might—and I repeat, might—violate the “unauthorized access” provision of the Computer Fraud and Abuse Act, 18 USC 1030 and related state or international laws. I mean, did you ever actually “consent” to the running of the individual file? Probably not.

The problem with applying the CFAA here is that computer programs do lots of things we may or may not know about, or expressly consent to. But we install them anyway. It’s not as much an “unauthorized access” or “exceeding authorized access” problem as it is a privacy or data capture problem. If I buy a word processing program (well, license it) and it captures my financial records and sends them to a third party (undisclosed to me), the program ran with my consent, but the data capture was not with my consent. Is this an “unauthorized access” to my files? The Magic 8 Ball is of little help.

Another statute is the “counterfeit access device” statute, 18 USC 1029. That statute makes it a crime to “traffic in” (e.g. transfer) stolen access devices, including stolen userid’s and passwords. If the program “stole” passwords and transferred them to the developer, this might violate the statute. However, the statute requires proof that the person acted “with intent to defraud.” Now, I doubt that FS Labs had the general intent to defraud, but it could be argued that the company intended to defraud users with pirated software, right?

Magic 8 Ball, any ideas?

Anytime you are running software on someone’s computer to do something that the user doesn’t know about, in a way that the user can’t determine, which the user would object to (even if that user is a criminal themselves), you are taking a risk. While Congress debates laws on “hack back” or even beaconing, right now, running such programs must be carefully evaluated and vetted by both programmers and—I daresay—lawyers.

So the best advice is to get the best advice. And avoid flying too close to the sun.

Sponsored Content
Upcoming Webinar
Not All Flaws Are Created Equal: The Difference Between a Flaw, a Vulnerability and an Exploit

Not All Flaws Are Created Equal: The Difference Between a Flaw, a Vulnerability and an Exploit

According to Gartner, the application layer contains 90% of all vulnerabilities. However, do security experts and developers know what’s happening underneath the application layer? Organizations are aware they cannot afford to let potential system flaws or weaknesses in applications be exploited, but knowing the distinctions between these weaknesses can make ... Read More
May 29, 2018
Mark Rasch

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland. where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 25 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and Universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.

mark has 15 posts and counting.See all posts by mark