[Translated by Iikka Yli-Kuivila (ITKST56 course assignment at JYU.FI)]

Herald: Good morning from C-Base, the space station beyond or under Berlin, which welcomes you to day 2 of the RC3 streaming. We are starting in a few seconds with "Catching the NSO Group's Pegasus spyware". This is something that has caught attention among the security and hacker communities over the world in the last, I would guess, two years or so. There have been some spectacular cases of murder, kidnappings, journalists being threatened, other things. The infamous software doing this is called Pegasus; it's marketed by a company known by the three-letter acronym NSO, whatever this stands for. And actually, Amnesty International and its IT department, so to say, has invested quite some effort into detecting whether a device has been infected by Pegasus or not. NSO marketed this, among other things, as so-called "undetectable", well, undetectable as in software on a device, as we will see, and our speaker today, Donncha, Donncha O'Cearbhaill from Ireland and from Amnesty International, will be presenting how they developed detection tools for this nasty piece of spyware that has become so popular among secret actors, state actors and others around the world. OK, enough for the introduction, Donncha, the scene and the stream is yours. Good morning.

Donncha: Good morning, and thank you for that introduction.
So as the intro said, today I'd like to talk to you about NSO Group's Pegasus spyware. In particular I'd like to explain a little bit about how we at Amnesty have investigated Pegasus over the past few years, and I'll also explain and demonstrate some of the tools we have developed and published, so that others can also investigate and detect Pegasus spyware, potentially on their devices and the devices of other people in civil society. So my name is Donncha O'Cearbhaill and I am a technologist based at the Amnesty International Security Lab in Berlin, with a small team who focuses on investigating targeted digital threats such as spyware, phishing and other kinds of surveillance that's directed against civil society and human rights defenders around the world. So as the intro said, Pegasus has got a lot of attention in the past few months. So you may have seen the Pegasus Project revelations that were published in July, during the summer. The Pegasus Project was a global investigation into abuses linked to NSO Group's Pegasus spyware. This investigation was based on a leaked dataset of 50,000 potential Pegasus targets, which Amnesty International and Forbidden Stories had access to, and so this global media investigation was coordinated by Forbidden Stories, with the participation of about 80 journalists from 17 different media organisations around the world.
During the Pegasus Project, Amnesty International took the role of a technical partner, and the focus for Amnesty International was to perform detailed, innovative forensic analysis on the devices of potential targets, and through this kind of forensic analysis and this technical work we were able to identify traces of Pegasus, either targeting or infecting online devices. So over a multi-month project Amnesty Security Lab analyzed about 67 devices, and from these 67 devices of potential targets at least 37 showed clear traces of Pegasus targeting or infection. So this is really quite a high number of infected devices, and these devices included journalists, activists, opposition political figures, all kinds of people who were being unlawfully surveilled using Pegasus. Overall, of the phones we have checked, which were iPhones and which hadn't been replaced, and which still had data from the targeting, more than 80 percent of the phones that were on this list of potential targets showed traces of Pegasus. So in July these stories came out and they highlighted cases of civil society being targeted, such as journalists in Hungary, activists in Morocco, Saudi Arabian dissidents, also family members of Jamal Khashoggi, who the investigation showed had been targeted with Pegasus spyware both before and after his brutal murder.
You can go and read many of these stories online. Today I'd like to focus on how we got there, how we developed these tools, how we developed this methodology for finding Pegasus, and also to explain how you can also go and do this kind of searching for Pegasus and for other mobile spyware. So let's take a step back for a second and ask, what exactly is Pegasus? Its name is well known, but what exactly is the software and how does it work? OK, so the first thing to remember is that actually, while Pegasus has gotten more well known in the last two years, it's not actually a new tool or a new product. So we know Pegasus has been around and been developed by NSO Group since at least 2010. And on the left hand side here, in the diagram, you can see a Pegasus brochure from 2010 where it describes how Pegasus can be installed on BlackBerry devices. And we believe the original version of Pegasus was focused on BlackBerry because back in 2010, smartphones were less prevalent than they are now. BlackBerry was kind of a key target for some of the security agencies who may want to buy this kind of spyware. So it developed over time; here on the right hand side, we can see some diagrams that were from a leaked Pegasus brochure that was published in 2014. In the first diagram here it talks about how Pegasus is installed on a phone.
In this example, it's showing how a Pegasus infection link can be sent over SMS to the target device, and then, if opened, how the data can be collected and passed back to the operator of the Pegasus software. That's just one example from their own diagrams. Here in the circle below, you'll see a little bit of what Pegasus claims to be able to monitor. And if you look at it, you can see it's basically everything on the device. So it's talking about collecting email addresses, collecting SMS messages, tracking location data, even reading the calendar, turning on the microphone of the phone. And so bear in mind, while this diagram is quite old, it's like six or seven years old, you get an idea of what kind of data the Pegasus software will try to collect from the phone. It's basically collecting every kind of data on the phone that might be of interest to somebody who is carrying out the surveillance. One important thing to remember is that the Pegasus spyware is able to get very deep access to the phone, so it's fundamentally able to access everything on the phone that the user is able to access, and more. So even if you're using a messaging app such as Signal or Telegram, which may be encrypted, the Pegasus software is able to access that data and those messages before they're encrypted on the device.
So once the spyware is running on the phone itself, none of these encrypted messaging apps will help, because it has such low-level access to the device. So that's a little bit about what exactly Pegasus tries to collect and what people can do with it using the Pegasus software. So where exactly did the investigations into Pegasus start? So we go back as far as 2016, which was when Pegasus was first identified in the wild, being used to target an activist. So in this case, in 2016, Pegasus was first found by Citizen Lab. Citizen Lab is a group of researchers based at the University of Toronto in Canada, who also work on investigating spyware targeting civil society. So in this case, a UAE-based human rights defender named Ahmed Mansoor began to receive suspicious messages over SMS. So you can see some screenshots of the messages on the right. So Ahmed Mansoor was cautious about these because in the past he had previously been targeted with other kinds of spyware tools, including FinFisher. So when he began to receive these messages, he was cautious about them and he shared them with Citizen Lab, who then began to investigate them. So what Citizen Lab realized is that these looked to be attack messages, and they opened these attack links on their own testing phone.
When they did this they were able to capture the exploit that was being delivered over these links, and also able to capture a copy of the Pegasus payload. So what happens when these links are opened is that the link is opened in a web browser such as Safari. When the link is opened, the Pegasus server would return some JavaScript, some code that would exploit an unknown flaw in the Safari web browser, and by manipulating the Safari web browser and exploiting this unknown flaw they could then get their own code to start running inside this web browser. And eventually, with the help of some additional flaws, they could then get more privileged access on the iPhone and eventually install the full Pegasus payload. So, yes, Citizen Lab first found it in 2016. It was a very important discovery and it showed just how serious some of the threats facing civil society were: that there were people willing to use these kinds of very expensive exploits to start targeting human rights defenders who are just doing their human rights work. Unfortunately, after this, Ahmed Mansoor continued to get harassed, and he was sentenced to prison, and he's currently still in prison since 2017, so for about four years now. So when did we at Amnesty start investigating this?
So our team has been investigating these kinds of threats for a while, but really we started focusing on NSO and investigating NSO in 2018, after an Amnesty colleague of ours started to receive some suspicious messages. So this colleague received in May 2018 this message you can see here on the left. The message is written in Arabic, but it claims that there is going to be a protest happening shortly outside the Saudi Arabian Embassy, and they asked the Amnesty staff member to support the protest and then to click on this link for more information. So fortunately, our Amnesty colleague, when they received this message, got quite suspicious. They were like, this is just weird, I don't know this person. And so they shared a screenshot of this message with us at the Amnesty Security Lab, and we began to investigate. So quite quickly, when we started looking at this domain name and the server, we agreed it looked kind of suspicious. And we also managed to identify some additional domains and servers that were related to this original akhbar-arabia domain. And quite quickly, it started to appear to us that this was indeed something suspicious, and maybe it was some kind of an attack message. So at the time, we didn't know it was necessarily NSO Group. By looking at the original and initial servers here.
We managed to create a fingerprint, so some way of identifying the particular configuration of the domain name and the server sent inside of this message. With the aid of this fingerprint, we then began to do what's called an internet scan. So we connected to every single server on the Internet, sent a particular request and then found any other server on the Internet that matched this particular fingerprint, this particular configuration from this server. So by doing this internet scanning, what we found was 600 different domains all across the Internet that matched this fingerprint and that appeared to be related to the same kinds of attacks. So what was really key is that we found that these domains were actually related to Pegasus, because NSO Group had made one key mistake or key flaw when they were setting up this infrastructure. So what happened is that, as described earlier, Citizen Lab had previously identified servers being used by NSO Group in 2016. After the exposé in 2016, NSO shut down all of these domains and infrastructure, and then began to set up new infrastructure that would not be related to NSO or not linkable to NSO. Fortunately they made a mistake, because they had reused one domain name from the previous set of infrastructure, and it was also being used in this new infrastructure.
So by finding this one domain out of 600 that had previously been in use by NSO, we were able to show that these 600 domains were also related to Pegasus. And so we were able to show that this message that was sent to our Amnesty International colleague was indeed related to Pegasus and was an attempt to compromise their device. So we published these findings in August 2018, and at that time we also identified that another Saudi Arabian activist had similarly been targeted with a Pegasus exploit message over WhatsApp. Following this, Amnesty International also supported a legal action in Israel, which asked the Israeli Ministry of Defense to revoke NSO's export licenses, to prevent this Pegasus software being sold to countries that would abuse it to target Amnesty and also target other human rights activists. Unfortunately, later the Israeli court rejected the legal complaint and said that the Israeli Ministry of Defense had adequate safeguards in place to prevent NSO's exports being sold to countries who would abuse it. Here in the bottom on the left, you can see a chart which shows the number of Pegasus servers online at the time. You can see here that when we published this report, NSO acted quite quickly to shut down all 500 or 600 servers that were being used to deliver Pegasus.
So this just shows that, you know, NSO is reading this research and paying attention to it. It is trying to avoid getting their infrastructure and servers discovered by researchers who are investigating these kinds of abuses. So this is back in 2018. So after discovering this attack against an Amnesty staff member, we at Amnesty continued trying to investigate Pegasus to try to find more cases of abuse. We next found Pegasus targeting happening in Morocco in 2019. So you can see here on the right. This time, we found that a Moroccan human rights defender named Maati Monjib was being targeted repeatedly with Pegasus. When we checked his phone, we found that he had some suspicious messages there; the messages claimed that there is some scandal or some news story, and they're asking the target to click on these links to find out more information. So when we looked at these links, we knew immediately that they were Pegasus links, because we had previously identified these domains as one of the 600 domains that were being used in 2018. So for example, you can see that in the second message on the right, we see the domain videosdownload.co. We knew it was Pegasus because we'd previously identified and published this domain in 2018.
So this time we knew Maati was being targeted with Pegasus, but we realized we needed to do some more investigation to see if his phone was indeed compromised, so that we could collect more information from his device. So when we did this, we actually found something quite interesting on Maati's phone, because we found what we believed was evidence of a new type of targeting on his phone. Instead of relying on the target being tricked into clicking on a link, which is maybe not reliable, or maybe the target can see something is suspicious, we instead saw them using what's called a network injection attack. So how a network injection attack works is like this: network injection involves having some kind of equipment or software running with access to the internet connection of the mobile device. So this can either be at the mobile phone network, or potentially having some software or hardware running on the same Wi-Fi network as the target. And what it does is, when the target is browsing the web on their phone, eventually the target browses and clicks on a link that goes to a regular HTTP website, so without HTTPS. So when this regular HTTP request is made, the software that's running on the upstream network can see this HTTP request.
And when the HTTP request happens, instead of returning the correct response, the correct content, it instead returns an HTTP redirect. And the HTTP redirect will then send the browser of the phone to a malicious exploit site, which can then hack the phone. So in the case of Maati, we found that he had tried to go and check his email and typed in Yahoo.fr in his browser. When he typed in Yahoo.fr, the software running on the upstream network saw this cleartext connection and then redirected his phone to this exploit link we see above. So you see the domain is quite suspicious: "get1tn0w.free247downloads.com". And again, it has some random characters at the end, which looks like a kind of exploit link. So at the time, we suspected that this was Pegasus, and it was a new way of delivering Pegasus without tricking the user into clicking on a link. But we weren't certain that it was Pegasus; potentially it was some other kind of spyware. Fortunately for us, NSO helped to confirm that this really was Pegasus, because before we published this report, Amnesty wrote to NSO Group sharing our findings, and interestingly, one day after we shared the findings with NSO this spyware server got shut down and went offline. And this was already a week before the report was made publicly available.
So that kind of confirmed to us that NSO really was controlling this infrastructure and were able to get it shut down even when we'd only privately shared this information with NSO. A bit later, we found some more information about how this attack may have been done. NSO at a trade fair was demonstrating some new type of hardware they had developed, which you can see here in the photo on the right. And we believe this photo is of some kind of IMSI catcher or fake base station, which can run a fake mobile phone network. And then the target's phone, so Maati's, could connect to this fake mobile phone base station, and from that position it could be possible for NSO to redirect the phone to a malicious exploit link. So we're not sure what happened in this case, if this was the device that was used, but we believe NSO is demonstrating or testing these kinds of what are called tactical infection methods. So this was where our findings were in Morocco. We started to realize that actually relying on checking for SMS messages, checking for links or relying on people coming to us with something suspicious wasn't going to work anymore, because we began to see what are called zero-click attacks. And so all a zero-click attack is, is any way of infecting a device that doesn't rely on some interaction from the user, doesn't rely on the user clicking on a link.
So we can see here some examples of other zero-click attacks that have been discovered over the past couple of years. I guess one of the first ones here was in 2019, where NSO Group developed an exploit for WhatsApp, and it was then used by their customers to target at least 1400 different people around the world. How it worked is that the target was simply to receive a call over WhatsApp, even a missed call, and the exploit would be able to compromise their phone without them clicking anything. As I described earlier, we saw these kinds of network injection attacks happen, and then later in 2020, Citizen Lab also found an iMessage zero-day being used to again compromise iPhone users without any interaction in 2020. So from our own investigations, we have found that NSO has been using various zero-click exploits since at least summer 2017 until July of this year. So we know it's not something that's quite new for NSO, but at least it's something we've started only recently discovering in the past few years. And we've seen NSO putting a lot of focus into developing these kinds of complicated but very powerful zero-click exploits.
So now that we know that NSO and their customers are using these kinds of zero-click attacks, we realized we needed to do something more advanced to try and find these cases of surveillance. The big problem with mobile devices is a lack of visibility, whereas on desktop or laptop computers we have antivirus available or we have EDR systems available. There really is nothing similar that was available for mobile devices. So these kinds of attacks, especially zero-click attacks, are often going undetected. When we got to investigate this, we realized that it was difficult to perform forensics on mobile devices. It's actually not impossible. We were somewhat surprised to realize that iPhones actually allow a significant amount of relevant data to be extracted from the phones themselves in the form of an iPhone backup. And so it's actually quite possible to start doing a forensic analysis on iPhones. Unfortunately, Android devices we found were much more limited because of restrictions on the Android operating system. It isn't possible to extract much data in an Android backup, and so all we've really been able to do on Android is to simply check the SMS messages and maybe the browser history for some traces of targeting. But again, much less data is available on Androids compared to iPhones.
The other big problem we realized is that there's a lack of any kind of public tools for consensual mobile forensics. All of the forensic tools that are out there are designed for people to extract data from phones that they don't own, or phones that have been seized, or phones that are somehow otherwise obtained. There are no tools available to really check your own phone for signs of spyware. So this is where the Mobile Verification Toolkit comes into play. So MVT is a public tool developed by Amnesty International and designed to simplify the process of analyzing mobile devices for traces of spyware. And here it's available on GitHub, you can go check it out. And just to highlight, all of the cases of Pegasus targeting I've described previously, and all the cases and traces that are presented for the rest of the presentation, all of these have been found using MVT. So MVT really works to detect advanced spyware, including spyware using zero-click, zero-day exploits and really sophisticated stuff such as Pegasus. So while all of these different spyware vendors try to say "Our thing is undetectable": it is definitely advanced, they definitely spent a lot of money in developing this stuff, but it's not magic. And if you're careful and diligent about checking the traces, there are always mistakes that are made.
There are always 285 00:24:30,240 --> 00:24:35,472 ways of identifying potential suspicious behavior on these devices. And MVT is 286 00:24:35,472 --> 00:24:44,640 written in Python, it's very easy to install, and if you have pip, you can just 287 00:24:44,640 --> 00:24:50,113 run "pip3 install mvt". And here's how it's used. Again, it's very 288 00:24:50,113 --> 00:24:54,906 straightforward. To check an iPhone, you simply make a backup of the iPhone and you 289 00:24:54,906 --> 00:25:00,005 run this one command so it'll be "mvt-ios check-backup" and then you provide the 290 00:25:00,005 --> 00:25:05,301 backup folder. In the command here we also see what's called a STIX file. So a .stix 291 00:25:05,301 --> 00:25:09,959 file is simply a file containing indicators. This may be like domain names 292 00:25:09,959 --> 00:25:15,187 or IP addresses, or process names that are known to be linked to a spyware tool. And 293 00:25:15,187 --> 00:25:19,648 so MVT is a generic tool. It can be used with Pegasus indicators, but it also 294 00:25:19,648 --> 00:25:26,134 can be used with indicators for other spyware tools and could be used to detect 295 00:25:26,134 --> 00:25:31,889 other spyware. So MVT is a modular framework, it has modules for parsing 296 00:25:31,889 --> 00:25:36,705 different kinds of databases such as SMS messages or browser history or other kinds 297 00:25:36,705 --> 00:25:41,368 of files on the device. I'm going to go through and explain a few of the modules 298 00:25:41,368 --> 00:25:46,297 that are available in MVT and show how this can be used to - to find traces of 299 00:25:46,297 --> 00:25:53,640 Pegasus or other similar spyware tools.
So one module that is quite useful is the SMS 300 00:25:53,640 --> 00:25:58,766 module, which is quite straightforward, it simply reads the SMS database in iPhone 301 00:25:58,766 --> 00:26:04,283 backup to extract all of the links from the SMS messages and check if any of those 302 00:26:04,283 --> 00:26:10,656 SMS messages contain links to known malicious domains. So in this case, we're 303 00:26:10,656 --> 00:26:14,707 checking a backup that is targeted with Pegasus, and we see that - we see that 304 00:26:14,707 --> 00:26:18,844 there's multiple domains that are found and are tied to Pegasus. We see this 305 00:26:18,844 --> 00:26:25,221 revolution-news.co, stopsms.biz and from what we know of NSO we've seen these 306 00:26:25,221 --> 00:26:32,883 kinds of exploit SMS used primarily between 2016 and 2018. We've also seen 307 00:26:32,883 --> 00:26:37,896 Pegasus links as far back as 2014, and as recently as 2020. So this has been quite 308 00:26:37,896 --> 00:26:43,200 common and I - if these zero-click attacks are not available, I think we'll still see 309 00:26:43,200 --> 00:26:51,348 these kinds of exploit links being sent in SMS. So another data source that's quite 310 00:26:51,348 --> 00:26:56,600 useful and quite helpful for finding traces of targeting is the Safari browser 311 00:26:56,600 --> 00:27:03,595 history. So what we've seen is we've seen some as we identify traces of exploit 312 00:27:03,595 --> 00:27:09,464 being recorded in Safari browser history, especially after a network injection 313 00:27:09,464 --> 00:27:14,294 attack. So in this case, while there's no link in SMS when a network injection 314 00:27:14,294 --> 00:27:18,800 attack happens the exploit server domain will be recorded in the browser history. 315 00:27:18,800 --> 00:27:22,506 And so by checking the browser history, we may be able to find evidence that this 316 00:27:22,506 --> 00:27:31,120 attack happened. 
So on the right here you can see a screenshot and this screenshot 317 00:27:31,120 --> 00:27:38,400 was actually taken by Moroccan journalist Omar Radi when he was being targeted with 318 00:27:38,400 --> 00:27:43,600 one of these network injection attacks in Morocco. So when he was browsing the web 319 00:27:43,600 --> 00:27:46,720 he clicked the link and then instantly redirected into this web page. And when 320 00:27:46,720 --> 00:27:49,920 this screenshot was taken, it was actually running the JavaScript trying to exploit 321 00:27:49,920 --> 00:27:55,440 his phone. So unfortunately, following the publication of this research Omar Radi was 322 00:27:55,440 --> 00:27:59,920 repeatedly harassed by the Moroccan authorities and then he was eventually 323 00:27:59,920 --> 00:28:04,556 jailed after an unfair trial, and he's currently - currently in jail. 324 00:28:06,806 --> 00:28:13,199 So another file quite useful in our investigations is something called the ID 325 00:28:13,199 --> 00:28:18,462 status cache file. So the ID status cache file is a file on iPhones, and it can 326 00:28:18,462 --> 00:28:23,671 track traces of any iCloud accounts which interacted with the device. This can 327 00:28:23,671 --> 00:28:27,408 be interacting with the device over a bunch of different Apple services, 328 00:28:27,408 --> 00:28:32,266 including iMessage, AirDrop, Apple Photos. And so what is really useful about this 329 00:28:32,266 --> 00:28:39,282 file, because it showed us which malicious accounts, which kind of Pegasus related 330 00:28:39,282 --> 00:28:46,080 accounts had been targeting a particular device. So what we know about Pegasus - we 331 00:28:46,080 --> 00:28:51,920 believe that these malicious accounts are - have been set up and have been used by 332 00:28:51,920 --> 00:28:58,240 one individual Pegasus customer. 
So you can see here in the first row, we see this 333 00:28:58,240 --> 00:29:04,480 email address linakeller and we saw this - this account being used to deliver an 334 00:29:04,480 --> 00:29:08,400 iMessage zero-day to quite a number of different activists. So we've seen it 335 00:29:08,400 --> 00:29:16,240 used to deliver exploits to two different Moroccan activists and a couple of French 336 00:29:16,240 --> 00:29:21,040 political figures. So by - by looking at which individuals have been targeted by 337 00:29:21,040 --> 00:29:24,720 the same, the same account, by the same customer we were able to kind of get a 338 00:29:24,720 --> 00:29:28,400 better idea of who that customer might be and have some idea about the attribution 339 00:29:28,400 --> 00:29:33,840 for that attack. The same in these other - in these other cases, for example we see 340 00:29:33,840 --> 00:29:39,200 the jessicadavies1345 email. This was found on the phone of two different 341 00:29:39,200 --> 00:29:44,160 Hungarian journalists. Same for the emmadavies' address and again for this 342 00:29:44,160 --> 00:29:49,120 final address here: williams enny. We found this on the phone of two different 343 00:29:50,560 --> 00:29:58,320 Hungarian individuals, Hungarian activists. So this is really useful for us 344 00:29:58,320 --> 00:30:01,450 in our investigation because it really helped us get a better idea of who might 345 00:30:01,450 --> 00:30:10,480 be behind some of the attacks that we were seeing. So the previous logs 346 00:30:10,480 --> 00:30:15,840 I showed, about SMS data and browser history, show kind of traces of 347 00:30:15,840 --> 00:30:19,280 targeting. They showed some of these had been sent a malicious link, but they don't 348 00:30:19,280 --> 00:30:23,920 necessarily prove that a phone has been successfully compromised. So what I will 349 00:30:23,920 --> 00:30:28,700 show now is some of the logs we can use to show that a device was indeed compromised.
350 00:30:28,800 --> 00:30:32,580 One of these files that was very useful for us in our investigations was the so- 351 00:30:32,580 --> 00:30:39,600 called data usage file. So the data usage file in an iPhone is a file that records 352 00:30:39,600 --> 00:30:43,920 information about how much mobile data traffic each process on the phone has 353 00:30:43,920 --> 00:30:49,120 used. So this may be used to, like help the iPhone keep track of, you know, which 354 00:30:49,120 --> 00:30:52,720 apps on your phone are using most of your mobile data. But what is really 355 00:30:52,720 --> 00:30:56,640 helpful for this is that it actually recorded the names of some of the Pegasus 356 00:30:56,640 --> 00:31:01,162 processes and how much data each of these Pegasus processes were using. So for all 357 00:31:01,162 --> 00:31:08,160 we know about NSO's Pegasus, we believe that when Pegasus is installed on a phone, 358 00:31:08,160 --> 00:31:13,666 it will kind of pick a random name that it uses to kind of hide itself while running on 359 00:31:13,666 --> 00:31:18,000 the system. Throughout our investigation we found about 50 different process names 360 00:31:18,000 --> 00:31:21,956 that the Pegasus process was using to try and hide itself. And once we identified 361 00:31:21,956 --> 00:31:26,087 these process names, then we could go and look for these known Pegasus 362 00:31:26,087 --> 00:31:31,599 process names on devices of potential targets. What's happened, this database 363 00:31:31,599 --> 00:31:36,141 also shows a timestamp of when this process name was first kind of started on 364 00:31:36,141 --> 00:31:40,381 the device, when it was last seen on the device. And also it gives you some kind of 365 00:31:40,381 --> 00:31:44,570 information about how much data this process transferred.
In some cases, this 366 00:31:44,570 --> 00:31:48,174 has been gigabytes of data which shows that really the Pegasus spyware was 367 00:31:48,174 --> 00:31:53,494 extracting a lot of data from the device. And again, this is all automated in MVT 368 00:31:53,494 --> 00:31:58,851 so if you check a phone using MVT with the Pegasus indicators, it'll show quite 369 00:31:58,851 --> 00:32:04,799 clearly if any of these processes have been found on the device. Another feature 370 00:32:04,799 --> 00:32:11,440 that's been very helpful for us in our analysis is the timeline feature of MVT. 371 00:32:11,440 --> 00:32:17,291 So how the timeline feature works is it takes all of the different indicators and 372 00:32:17,291 --> 00:32:21,285 modules on the phone, so it checks the - the SMS messages, it checks the - the file 373 00:32:21,285 --> 00:32:27,119 system and every - every event, like every SMS message, every web browser lookup will 374 00:32:27,119 --> 00:32:33,228 all be recorded in a single file with the date that it happened. So by looking at 375 00:32:33,228 --> 00:32:38,557 this timeline, we can often see what different events happened around the same 376 00:32:38,557 --> 00:32:43,013 time as each other, and this can give us some idea - some idea about how attacks 377 00:32:43,013 --> 00:32:48,172 were actually delivered on this device. So I want to give you just one example of - 378 00:32:48,172 --> 00:32:52,405 of how this timeline can be used. Just so you know how to use this timeline in your 379 00:32:52,405 --> 00:32:59,885 own investigations. So this is actually a demonstration of the phone of a Rwandan 380 00:32:59,885 --> 00:33:06,284 activist who was targeted in June 2021 using the FORCEDENTRY iMessage zero-day. 381 00:33:06,284 --> 00:33:13,898 So we can see here on the timeline that at 8:00 p.m., 8:45, we see the phone began to 382 00:33:13,898 --> 00:33:18,428 receive some push notifications over iMessage.
So it seems it receives like 46 383 00:33:18,428 --> 00:33:24,940 push notifications. And then what we saw was that SMS attachments began to be 384 00:33:24,940 --> 00:33:29,821 written to the phone. So in the final line here, we see that a file is written - 385 00:33:29,821 --> 00:33:33,642 written to the SMS attachments directory. And if you look at the end of the line, we 386 00:33:33,642 --> 00:33:38,873 see that the - the file being written to disk actually had a .GIF attachment. So at 387 00:33:38,873 --> 00:33:44,406 the time we thought this was something to do with the exploit somehow. NSO was 388 00:33:44,406 --> 00:33:50,465 delivering their exploit in that GIF file. If we look a little bit later in the 389 00:33:50,465 --> 00:33:56,054 timeline, we see that about 10 minutes later, on the same day, a Pegasus process 390 00:33:56,054 --> 00:34:02,095 starts running on the phone. This otpgrefd process. Shortly afterwards, some 391 00:34:02,095 --> 00:34:06,789 additional files are written on disk and some more Pegasus processes start. So by 392 00:34:06,789 --> 00:34:12,059 looking at this timeline together, we can see quite clearly that the phone began to 393 00:34:12,059 --> 00:34:15,544 receive iMessage messages. These GIF attachments start to be written on the 394 00:34:15,544 --> 00:34:21,040 disk and then about 10 minutes later, the phone was compromised with Pegasus. So 395 00:34:21,040 --> 00:34:23,360 remember here like - there was no interaction from the user - they didn't 396 00:34:23,360 --> 00:34:26,320 click on any link. As far as we are aware they didn't even notice anything 397 00:34:26,320 --> 00:34:29,120 happening on the device. These messages were simply silently being 398 00:34:29,120 --> 00:34:35,280 delivered and after 10 or 20 minutes, Pegasus began to gain access to the 399 00:34:35,280 --> 00:34:39,600 device.
So we've shared some of these findings with Apple, and then later in 400 00:34:39,600 --> 00:34:46,640 September 2021, Apple - Citizen Lab identified a copy of this exploit on 401 00:34:46,640 --> 00:34:49,840 another - phone of another activist and they shared it with Apple and Apple 402 00:34:49,840 --> 00:35:01,499 patched this vulnerability in September 2021. So that's a little bit of how MVT 403 00:35:01,499 --> 00:35:06,840 works and how some of this methodology works to identify Pegasus on a 404 00:35:06,840 --> 00:35:12,674 device. So since we published our forensic methodology and our tools, many other 405 00:35:12,674 --> 00:35:18,770 groups and organisations have been using these tools and methodology to check other 406 00:35:18,770 --> 00:35:24,469 devices for signs of Pegasus and found quite a number of new cases. Here on the 407 00:35:24,469 --> 00:35:28,796 top right you're going to see an example of another NGO "Front Line Defenders", who 408 00:35:28,796 --> 00:35:33,262 identified six Palestinian human rights defenders who had their devices hacked 409 00:35:33,274 --> 00:35:39,154 using Pegasus. In another case we see that the Belgian military intelligence 410 00:35:39,154 --> 00:35:43,985 services used a similar methodology to check the phones of journalists in 411 00:35:43,985 --> 00:35:48,670 Belgium, and they found that a journalist, Belgian journalist, Peter Verlinden, had 412 00:35:48,670 --> 00:35:53,809 his iPhone hacked, they suspected by Rwanda. Again, we see another case where 413 00:35:53,809 --> 00:35:58,620 French intelligence services confirmed that a number of French journalists had 414 00:35:58,620 --> 00:36:05,952 their phones hacked using Pegasus again using a similar methodology. So what 415 00:36:05,952 --> 00:36:11,187 I'd like to highlight is MVT can really be useful in identifying traces of Pegasus, but also 416 00:36:11,187 --> 00:36:17,827 MVT is designed as a kind of generic mobile forensic tool.
So when used with 417 00:36:17,827 --> 00:36:21,100 Pegasus indicators it will find Pegasus, but it also can be used to go and 418 00:36:21,100 --> 00:36:25,058 proactively search for new kinds of spyware. So I really recommend that if 419 00:36:25,058 --> 00:36:29,427 you're suspicious that phones may be targeted with this kind of spyware, you 420 00:36:29,427 --> 00:36:34,442 can use MVT to extract some data and then dig into it. If the person is a member of 421 00:36:34,442 --> 00:36:38,111 civil society or an activist then Amnesty and other organisations will be happy to 422 00:36:38,111 --> 00:36:44,270 help support these investigations. And also, MVT is an open source tool. It's 423 00:36:44,270 --> 00:36:49,067 based on different modules, and so we're always open to ideas for - for new modules 424 00:36:49,067 --> 00:36:54,368 and new detection ideas to help make this tool better and better able to detect new 425 00:36:54,368 --> 00:37:03,620 kinds of threats. One thing to remember about MVT is - it's designed to detect 426 00:37:03,620 --> 00:37:06,738 some kinds of spyware. Unfortunately, the people who develop this spyware, they're 427 00:37:06,738 --> 00:37:10,123 - they're smart people and they read these reports and they watch these kinds of 428 00:37:10,123 --> 00:37:14,819 presentations. And every time we publish information about how to detect these 429 00:37:14,819 --> 00:37:20,352 kinds of spyware targeting civil society, the different spyware vendors and actors 430 00:37:20,352 --> 00:37:24,540 will try to improve their tools to avoid them being detected. They'll try to kind 431 00:37:24,540 --> 00:37:29,689 of upgrade their infrastructure to hide it again or to better obscure their 432 00:37:29,689 --> 00:37:35,017 activities. So just to give an example, here's some of the development of NSO's 433 00:37:35,017 --> 00:37:38,960 own infrastructure over time.
We see that after we published - Amnesty published the 434 00:37:38,960 --> 00:37:44,577 report in 2018 NSO infrastructure was shut down and then later over the next two 435 00:37:44,577 --> 00:37:49,966 years, it began to run more infrastructure, which was again shut down 436 00:37:49,966 --> 00:37:57,702 after discovery in - in 2021. So it's a constant arms race. And so while - while 437 00:37:57,702 --> 00:38:00,620 this - these tools are useful to detect Pegasus now, it's not always going to be 438 00:38:00,620 --> 00:38:04,827 just automatic, and it's important to do further research to try and identify new 439 00:38:04,827 --> 00:38:12,277 traces of new kinds of attacks. So what is the future for mobile spyware? So one 440 00:38:12,277 --> 00:38:16,628 thing I'd like to reiterate is that while we focus a lot on NSO Group and Pegasus in 441 00:38:16,628 --> 00:38:20,298 this research and in this talk and also there's been a lot of focus 442 00:38:20,298 --> 00:38:24,064 on NSO Group. It's not the only mobile spyware out there, and there's definitely 443 00:38:24,064 --> 00:38:28,680 many other players who are trying to get into the space and trying to also develop 444 00:38:28,680 --> 00:38:34,750 similar kinds of spyware tools, which are then sold to - to different customers. 445 00:38:34,750 --> 00:38:41,735 We've seen that from this investigation. We found at least 180 journalists who are 446 00:38:41,735 --> 00:38:45,280 potential targets of Pegasus and many other human rights activists and 447 00:38:45,280 --> 00:38:50,157 opposition politicians who have been targeted with these tools over the last number 448 00:38:50,157 --> 00:38:55,907 of years. So far, these threat actors and these - these state agencies are able to 449 00:38:55,907 --> 00:39:00,992 target activists and civil society with impunity due to a lack of visibility and 450 00:39:00,992 --> 00:39:05,222 telemetry on mobile platforms. 
They've just been getting away with it because 451 00:39:05,222 --> 00:39:08,668 they haven't been detected. So tools such as MVT can help expose some of these 452 00:39:08,668 --> 00:39:13,489 threats, but they need to be used more widely and need to be used with more civil 453 00:39:13,489 --> 00:39:18,781 society to really understand the full scope of these kinds of threats. And it's 454 00:39:18,781 --> 00:39:23,505 also important that industry, the tech industry and the security industry work 455 00:39:23,505 --> 00:39:27,296 closely with civil society to help detect and expose these threats because 456 00:39:27,296 --> 00:39:32,478 unfortunately, the people most at risk from these kinds of really serious attacks 457 00:39:32,478 --> 00:39:36,204 are some of the people who are the least equipped, both financially and technically 458 00:39:36,204 --> 00:39:43,120 to defend against them. So to conclude, I think we're going to continue to see 459 00:39:43,120 --> 00:39:49,440 attackers focusing on mobile. Mobile is where all the data is. No other place 460 00:39:49,440 --> 00:39:52,080 gives you as much insight into somebody's life and all their most innermost 461 00:39:52,080 --> 00:39:56,400 thoughts. Even just having a microphone in everybody's pocket in someone's pocket is 462 00:39:56,400 --> 00:40:01,680 such a powerful position to be in that we think companies and states will continue 463 00:40:01,680 --> 00:40:07,120 trying to develop these kinds of tools. We know - I think that zero-click exploits 464 00:40:07,120 --> 00:40:11,520 are going to be highly, highly desirable. So while Apple and others have done a 465 00:40:11,520 --> 00:40:15,920 great job in making attacks against iMessages more difficult, it's almost 466 00:40:15,920 --> 00:40:19,920 certain that these kinds of cyber surveillance companies will continue 467 00:40:19,920 --> 00:40:24,480 trying to develop zero-click exploits. 
If not for iMessage then maybe for other chat 468 00:40:24,480 --> 00:40:30,080 platforms. I don't know like Signal or Telegram or WhatsApp, they're going to try 469 00:40:30,080 --> 00:40:37,166 and attack other applications that activists are using. Unfortunately it's 470 00:40:37,166 --> 00:40:42,101 not possible for activists and civil society to protect themselves from these 471 00:40:42,101 --> 00:40:47,034 kinds of zero-day attacks from a technical sense. So we definitely need more active 472 00:40:47,034 --> 00:40:51,577 collaboration between civil society and key platform vendors to help identify and 473 00:40:51,577 --> 00:40:56,189 defend against these threats. And also, we urgently need better regulation to prevent 474 00:40:56,189 --> 00:41:00,790 these kinds of really sophisticated spyware tools being sold to states and 475 00:41:00,790 --> 00:41:07,217 agencies which have a long history of abusing them to target civil society and 476 00:41:07,217 --> 00:41:12,978 opposition. So thank you all for listening, and I'm happy to answer some 477 00:41:12,978 --> 00:41:17,750 questions now. If you have some questions or if you're concerned about, you are a 478 00:41:17,750 --> 00:41:20,680 member of civil society or an activist or are concerned about surveillance please 479 00:41:20,680 --> 00:41:24,868 feel free to contact us at share@amnesty.tech Thank you. 480 00:41:24,868 --> 00:41:30,602 Herald: Thank you Donncha. Thank you from C-Base. We have already taken some 481 00:41:30,602 --> 00:41:37,033 overtime this early hacker morning. There have been popping up some small questions 482 00:41:37,033 --> 00:41:42,736 on our internal here from our tiny audience at C-Base. We don't have that 483 00:41:42,736 --> 00:41:47,686 much time left. Just can you give us an indication: What is the pace of this 484 00:41:47,686 --> 00:41:53,558 ongoing war? 
Do you feel that NSO Group is actively fighting MVT and your tool 485 00:41:53,558 --> 00:41:57,533 development or did - didn't you get this honor yet? 486 00:41:57,533 --> 00:42:04,998 D: Definitely. We've seen, even in the past year, we saw NSO starting to be more 487 00:42:04,998 --> 00:42:11,084 careful about cleaning up their forensic traces, and since 2020, they've begun to 488 00:42:11,084 --> 00:42:14,915 already clean some of the traces that we've been using. And it's clear they've 489 00:42:14,915 --> 00:42:17,781 realized that people are investigating, that there is a risk of people discovering 490 00:42:17,781 --> 00:42:20,990 this stuff, and I feel like after the revelations of this summer, they're going 491 00:42:20,990 --> 00:42:25,781 to be much more proactively trying to clean up some of these traces. But as I 492 00:42:25,781 --> 00:42:30,800 said, NSO is one company out there, there's also many other companies trying 493 00:42:30,800 --> 00:42:35,120 to compete in the same space. So even if NSO gets better then, you know, other 494 00:42:35,120 --> 00:42:38,825 companies are still out there and can still be caught using MVT and 495 00:42:38,825 --> 00:42:44,324 fundamentally, even if they - they clean up some traces for any kind of failed 496 00:42:44,324 --> 00:42:48,065 attacks, these traces are still going to be left around because it won't be 497 00:42:48,065 --> 00:42:51,440 possible for the spyware to clean up their traces. 498 00:42:51,440 --> 00:42:57,437 H: Mm-hmm. So one could still after an attack eventually, eventually on an old 499 00:42:57,437 --> 00:43:03,465 device years later discover that there had been some spyware activity, which may be 500 00:43:03,465 --> 00:43:09,870 in the long run interesting information about dark campaigns and things. So NSO is 501 00:43:09,870 --> 00:43:15,360 not the only actor, there will be more.
Do you feel that there are just copycats in 502 00:43:15,360 --> 00:43:20,690 the market or do you think there will be completely new threats in the future? 503 00:43:20,690 --> 00:43:24,811 D: So I guess there's always lots of smart people who work for these 504 00:43:24,811 --> 00:43:29,580 companies who are trying to develop these tools. Just last - earlier this month, 505 00:43:29,580 --> 00:43:34,180 Citizen Lab published a report about another cyber surveillance vendor called 506 00:43:34,180 --> 00:43:40,759 Cytrox based in North Macedonia, and they were selling similar spyware, which is 507 00:43:40,759 --> 00:43:45,002 using kind of one-click attacks using links to help compromise iPhones and 508 00:43:45,002 --> 00:43:50,256 Android phones. So that's one company that's competing in this space. There's 509 00:43:50,256 --> 00:43:54,869 other companies doing similar kinds of targeting, but we believe, you know, 510 00:43:54,869 --> 00:43:58,766 NSO was definitely the biggest company in this space, and they had a lot of money to 511 00:43:58,766 --> 00:44:04,575 invest in, especially in these kinds of zero-click attacks. So for now, we don't 512 00:44:04,575 --> 00:44:07,579 know if they're a company that's as big or sophisticated as NSO, but I think many 513 00:44:07,579 --> 00:44:11,769 others will be trying to take their place if NSO becomes less popular. 514 00:44:11,769 --> 00:44:19,466 H: I see. I see. OK, thank you very much. We have to go over to the - RC3 morning 515 00:44:19,466 --> 00:44:26,754 show in a few seconds. Thank you very much for this interesting talk this morning. 516 00:44:26,754 --> 00:44:33,970 Again, share@amnesty.tech is the address to go to. And this is probably one of the 517 00:44:33,970 --> 00:44:38,931 talks you want to watch again on media.ccc.de in a few days when it has 518 00:44:38,931 --> 00:44:45,760 been published. So greetings to Ireland.
Thank you very much and we will meet and 519 00:44:45,760 --> 00:44:51,280 see again in real, I hope. Thank you. D: Thank you very much. Have a good day. 520 00:44:54,720 --> 00:45:03,000 Everything is licensed under CC BY 4.0. And it is all for the community, to download 521 00:45:03,000 --> 00:45:03,570 Subtitles created by c3subtitles.de in the year 2022. Join, and help us!