[Translated by Iikka Yli-Kuivila (ITKST56 course assignment at JYU.FI)]

Herald: Good morning from C-Base, the space station beyond or under Berlin, which welcomes you to day 2 of the RC3 streaming. We are starting in a few seconds with the talk "Catching the NSO Group's Pegasus spyware". This is something that has caught attention among the security and hacker communities all over the world in the last, I would guess, two years or so. There have been some spectacular cases of murder, kidnappings, journalists being threatened, and other things. The infamous software doing this is called Pegasus; it's marketed by a company known by the three-letter acronym NSO, whatever this stands for. And actually, Amnesty International and its I.T. department, so to say, has invested quite some effort into detecting whether a device has been infected by Pegasus or not. NSO marketed this, among other things, as so-called "undetectable", well, undetectable as in software on a device, as we will see. And our speaker today, Donncha O'Cearbhaill from Ireland and from Amnesty International, will be presenting how they developed detection tools for this nasty piece of spyware that has become so popular among secret actors, state actors and others around the world. OK, enough for the introduction. Donncha, the scene and the stream are yours. Good morning.

Donncha: Good morning, and thank you for that introduction.
So as the intro said, today I'd like to talk to you about NSO Group's Pegasus spyware. In particular, I'd like to explain a little bit about how we at Amnesty have investigated Pegasus over the past few years, and I'll also explain and demonstrate some of the tools we have developed and published, so that others can also investigate and detect Pegasus spyware, potentially on their devices and the devices of other people in civil society. So my name is Donncha O'Cearbhaill and I am a technologist based at the Amnesty International Security Lab in Berlin, with a small team who focuses on investigating targeted digital threats such as spyware, phishing and other kinds of surveillance that's directed against civil society and human rights defenders around the world.

So as the intro said, Pegasus has got a lot of attention in the past few months. So you may have seen the Pegasus Project revelations that were published in July, during the summer. The Pegasus Project was a global investigation into abuses linked to NSO Group's Pegasus spyware. This investigation was based on a leaked dataset of 50,000 potential Pegasus targets, which Amnesty International and Forbidden Stories had access to, and so this global media investigation was coordinated by Forbidden Stories, with the participation of about 80 journalists from 17 different media organisations around the world.
During the Pegasus Project, Amnesty International took the role of a technical partner, and the focus for Amnesty International was to perform detailed, innovative forensic analysis on the devices of potential targets, and through this kind of forensic analysis and this technical work we were able to identify traces of Pegasus either targeting or infecting these devices. So over a multi-month project the Amnesty Security Lab analyzed about 67 devices, and from these 67 devices of potential targets at least 37 showed clear traces of Pegasus targeting or infection. So this is really quite a high number of infected devices, and these devices included journalists, activists, opposition political figures, all kinds of people who were being unlawfully surveilled using Pegasus. Overall, of the phones we have checked which were iPhones and which hadn't been replaced and still held data from the time of the targeting, more than 80 percent of the phones that were on this list of potential targets showed traces of Pegasus. So in July these stories came out and they highlighted cases of civil society being targeted, such as journalists in Hungary, activists in Morocco, Saudi Arabian dissidents, and also family members of Jamal Khashoggi, who the investigation showed had been targeted with Pegasus spyware both before and after his brutal murder. So, yeah, you can go and read many of these stories online.
Today I'd like to focus on how we got there, how we developed these tools, how we developed this methodology for finding Pegasus, and also to explain how you can also go and do this kind of searching for Pegasus and for other mobile spyware. So let's take a step back for a second and ask: what exactly is Pegasus? Its name is well known, but what exactly is the software and how does it work? OK, so the first thing to remember is that actually, while Pegasus has become more well known in the last two years, it's not actually a new tool or a new product. So we know Pegasus has been around and been developed by NSO Group since at least 2010. And on the left-hand side here, in the diagram, you can see a Pegasus brochure from 2010 where it describes how Pegasus can be installed on BlackBerry devices. And we believe the original version of Pegasus was focused on BlackBerry because back in 2010, smartphones were less prevalent than they are now, and BlackBerry was kind of a key target for some of the security agencies who may want to buy this kind of spyware. So it developed over time. Here on the right-hand side, we can see some diagrams that were from a leaked Pegasus brochure that was published in 2014. In the first diagram here, it talks about how Pegasus is installed on a phone. In this example, it's showing how a Pegasus infection link can be sent over SMS to the target device.
And then, if opened, how the data can be collected and passed back to the operator of the Pegasus software. That's just one example from their own diagrams. Here in the circle below, you'll see a little bit of what Pegasus claims to be able to monitor. And if you look at it, you can see it's basically everything on the device. So it's talking about collecting email addresses, collecting SMS messages, tracking location data, even reading the calendar, turning on the microphone of the phone. And so bear in mind, while this diagram is quite old, it's like six or seven years old, you get an idea of what kind of data the Pegasus software will try to collect from the phone. Basically, it collected every kind of data on the phone that might be of interest to somebody who is carrying out the surveillance. One important thing to remember is that the Pegasus spyware is able to get very deep access to the phone, so it's fundamentally able to access everything on the phone that the user is able to access, and more. So even if you're using a messaging app such as Signal or Telegram, which may be encrypted, the Pegasus software is able to access that data and those messages before they're encrypted on the device. So once their spyware is running on the phone itself, none of these encrypted messaging apps will help, because it has such low-level access to the device.
So that's a little bit about what exactly Pegasus tries to collect and what people can do with it using the Pegasus software. So where exactly did the investigations into Pegasus start? So we go back as far as 2016, which was when Pegasus was first identified in the wild, being used to target an activist. So in this case, in 2016, Pegasus was first found by Citizen Lab. Citizen Lab is a group of researchers based at the University of Toronto in Canada, who also work on investigating spyware targeting civil society. So in this case, a UAE-based human rights defender named Ahmed Mansoor began to receive suspicious messages over SMS. So you can see some screenshots of the messages on the right. So Ahmed Mansoor was cautious about these because in the past he had previously been targeted with other kinds of spyware tools, including FinFisher. So when he began to receive these messages, he was cautious about them and he shared them with Citizen Lab, who then began to investigate them. So what Citizen Lab realized is that these looked to be attack messages, and they opened these attack links on their own testing phone. When they did this they were able to capture the exploit that was being delivered over these links and also able to capture a copy of the Pegasus payload. So what happens when these links are opened is that the link is opened in a web browser such as Safari.
When the link is opened, the Pegasus server would return some JavaScript, some code that would exploit an unknown flaw in the Safari web browser, and by manipulating the Safari web browser and exploiting this unknown flaw they could then get their own code to start running inside this web browser. And eventually, with the help of some additional flaws, they could then get more privileged access on the iPhone and eventually install the full Pegasus payload. So, yes, Citizen Lab first found it in 2016. It was a very important discovery and it showed just how serious some of the threats facing civil society were: that there were people willing to use these kinds of very expensive exploits to start targeting human rights defenders who are just doing their human rights work. Unfortunately, after this, Ahmed Mansoor continued to get harassed, and he was sentenced to prison, and he's currently still in prison since 2017. So for about four years now.

So when did we at Amnesty start investigating this? So our team has been investigating these kinds of threats for a while, but really we started focusing on NSO and investigating NSO in 2018 after an Amnesty colleague of ours started to receive some suspicious messages. So this colleague received in May 2018 this message you can see here on the left. The message is written in Arabic, but it claims that there is going to be a protest happening shortly outside the Saudi Arabian Embassy.
And they asked the Amnesty staff member to support the protest and then to click on this link for more information. So fortunately, our Amnesty colleague, when they received this message, got quite suspicious. They were like, this is just weird, I don't know this person. And so they shared a screenshot of this message with us at the Amnesty Security Lab, and we began to investigate. So quite quickly, when we started looking at this domain name and the server, we agreed it looked kind of suspicious. And we also managed to identify some additional domains and servers that were related to this original akhbar-arabia domain. And quite quickly, it started to appear to us that this was indeed something suspicious, and maybe it was some kind of an attack message. So at the time, we didn't know it was necessarily NSO Group. By looking at the original and initial servers here, we managed to create kind of a fingerprint, so some way of identifying the particular configuration of the domain name and the server sent inside of this message. With the aid of this fingerprint, we then began to do what's called an internet scan. So we connected to every single server on the Internet, sent a particular request and then found any other server on the Internet that matched this particular fingerprint, this particular configuration from this server.
So by doing this internet scanning, what we found was 600 different domains all across the Internet that matched this fingerprint and that appeared to be related to the same kinds of attacks. So what was really key is that we found that these domains were actually related to Pegasus, because NSO Group had made one kind of key mistake or key flaw when they were setting up this infrastructure. So what happened is that, as described earlier, Citizen Lab had previously identified servers being used by NSO Group in 2016. After the exposé in 2016, NSO shut down all of these domains and infrastructure, and then began to set up new infrastructure that would not be related to NSO or not linkable to NSO. Fortunately they made a mistake, because they had reused one domain name from the previous set of infrastructure, and it was also being used in this new infrastructure. So by finding this one domain out of 600 that had previously been in use by NSO, we were able to show that these 600 domains were also related to Pegasus. And so we were able to show that this message that was sent to our Amnesty International colleague was indeed related to Pegasus and was an attempt to compromise their device. So we published these findings in August 2018, and at that time we also identified that another Saudi Arabian activist had similarly been targeted, with a Pegasus exploit message over WhatsApp.
Following this, Amnesty International also supported a legal action in Israel, which asked the Israeli Ministry of Defense to revoke NSO's export licenses, to prevent this Pegasus software being sold to countries that would abuse it to target Amnesty and also target other human rights activists. Unfortunately, later the Israeli court rejected the legal complaint and said that the Israeli Ministry of Defense had adequate safeguards in place to prevent NSO's exports being sold to countries who would abuse it. Here at the bottom on the left, you can see a chart which shows the number of Pegasus servers online at the time. You can see here that when we published this report NSO acted quite quickly to shut down all 500 or 600 servers that were being used to deliver Pegasus. So this just shows that, you know, NSO is reading this research and paying attention to it. It is trying to avoid getting their infrastructure and servers discovered by researchers who are investigating these kinds of abuses.

So this is back in 2018. So after discovering this attack against an Amnesty staff member, we at Amnesty continued trying to investigate Pegasus to try to find more cases of abuse. We next found Pegasus targeting happening in Morocco in 2019. So you can see here on the right. This time, we found that a Moroccan human rights defender named Maati Monjib was being targeted repeatedly with Pegasus.
When we checked his phone, we found that he had some suspicious messages there. The messages claimed that there is some scandal or some news story, and they're asking the target to click on these links to find out more information. So when we looked at these links, we knew immediately that they were Pegasus links, because we had previously identified these domains among the 600 domains that were being used in 2018. So for example, you can see that in the second message on the right, we see the domain videosdownload.co. We knew it was Pegasus because we'd previously identified and published this domain in 2018. So this time we knew Maati was being targeted with Pegasus, but we realized we needed to do some more investigation to see if his phone was indeed compromised, so that we could collect more information from his device. So when we did this, we actually found something quite interesting on Maati's phone, because we found what we believed was evidence of a new type of targeting on his phone. Instead of relying on the target being tricked into clicking on a link, which is maybe not reliable, or maybe the target can see something is suspicious, we instead saw them using what's called a network injection attack.
So how a network injection attack works is like this: network injection involves having some kind of equipment or software running somewhere with access to the internet connection of the mobile device. So this can either be at the mobile phone network or potentially having some software or hardware running on the same Wi-Fi network as the target. And what it does is, when the target is browsing the web on their phone, eventually the target browses and clicks on a link that goes to a regular http website, so without https. So when this regular http request is made, the software that's running on the upstream network can see this http request. And when the http request happens, instead of returning the correct response, the correct content, it instead returns an http redirect. And the http redirect will then send the browser of the phone to a malicious exploit site, which can then hack the phone. So in the case of Maati, we found that he had tried to go and check his email and typed in Yahoo.fr in his browser. When he typed in Yahoo.fr, the software running on the upstream network saw this cleartext connection and then redirected his phone to this exploit link we see above. So you see the domain is quite suspicious: "get1tn0w.free247downloads.com". And again, it has some random characters at the end, which looks like a kind of an exploit link.
So at the time, we suspected that this was Pegasus, and it was a new way of delivering Pegasus without tricking the user into clicking on a link. But we weren't certain that it was Pegasus; potentially it was some other kind of spyware. Fortunately for us NSO helped to confirm that this really was Pegasus, because before we published this report, Amnesty wrote to NSO Group sharing our findings, and interestingly one day after we shared the findings with NSO this spyware server got shut down and went offline. And this was already a week before the report was made publicly available. So that kind of confirmed to us that NSO really was controlling this infrastructure and were able to get it shut down even when we'd only privately shared this information with NSO. A bit later, we found some more information about how this attack may have been done. NSO at a trade fair was demonstrating some new type of hardware they had developed, which you can see here in the photo on the right. And we believe this photo is of some kind of IMSI catcher or fake base station, which can run a fake mobile phone network. And then the target's phone, so Maati's, could connect to this fake mobile phone base station. And from that position, it could be possible for NSO to redirect the phone to a malicious exploit link. So we're not sure what happened in this case, if this was the device that was used.
But we believe NSO is demonstrating or testing these kinds of what are called tactical infection methods. So this was where our findings were in Morocco. We started to realize that actually relying on checking for SMS messages, checking for links or relying on people coming to us with something suspicious wasn't going to work anymore, because we began to see what were called zero-click attacks. And so all a zero-click attack is, is any way of infecting a device that doesn't rely on some interaction from the user; it doesn't rely on the user clicking on a link. So we can see here some examples of other zero-click attacks that have been discovered over the past couple of years. I guess one of the first ones here was in 2019, where NSO Group developed an exploit for WhatsApp, and it was then used by their customers to target at least 1400 different people around the world. How it worked is that the target was simply to receive a call over WhatsApp, even a missed call, and the exploit would be able to compromise their phone without the user clicking anything. As I described earlier, we saw these kinds of network injection attacks happen, and then later, in 2020, Citizen Lab also found an iMessage zero-day being used to again compromise iPhone users without any interaction. So from our own investigations, we have found that NSO has been using various zero-click exploits since at least summer 2017 until July of this year.
So we know it's not something that's quite new for NSO, but at least it's something we've started only recently discovering in the past few years. And we've seen NSO putting a lot of focus into developing these kinds of complicated but very powerful zero-click exploits. So now that we know that NSO and their customers are using these kinds of zero-click attacks, we realized we needed to do something more advanced to try and find these cases of surveillance. The big problem with mobile devices is a lack of visibility, whereas on desktop or laptop computers, we have antivirus available or we have EDR systems available. There really is nothing similar that was available for mobile devices. So these kinds of attacks, especially zero-click attacks, are often going undetected. When we started to investigate this, we realized that it was difficult to perform forensics on mobile devices. It's actually not impossible. We were somewhat surprised to realize that iPhones actually allow a significant amount of relevant data to be extracted from the phones themselves in the form of an iPhone backup. And so it's actually quite possible to start doing a forensic analysis on iPhones. Unfortunately, Android devices we found were much more limited because of restrictions on the Android operating system.
It isn't possible to extract much data in an Android backup, and so all we've really been able to do on Android is to simply check the SMS messages and maybe the browser history for some traces of targeting. But again, much less data is available on Androids compared to iPhones. The other big problem we realized is that there's a lack of any kind of public tools for consensual mobile forensics. All of the forensic tools that are out there are designed for people to extract data from phones that they don't own, or phones that have been seized, or phones that are somehow otherwise obtained. There's no tools available to really check your own phone for signs of spyware. So this is where the Mobile Verification Toolkit comes into play. So MVT is a public tool developed by Amnesty International and designed to simplify the process of analyzing mobile devices for traces of spyware. And it's available on GitHub, you can go check it out. And just to highlight: all of the cases of Pegasus targeting I've described previously, and all the cases and traces that are presented for the rest of the presentation, all of these have been found using MVT. So MVT really works to detect advanced spyware, including spyware using zero-click, zero-day exploits and really sophisticated stuff such as Pegasus.
So while all of these different spyware vendors try to say "Our thing is undetectable": it is definitely advanced, they definitely spent a lot of money in developing this stuff, but it's not magic. And if you're careful and diligent about checking the traces, there's always mistakes that are made. There's always ways of identifying potentially suspicious behavior on these devices. And MVT is written in Python, it's very easy to install, and if you have pip, you can just do a "pip3 install mvt". And here's how it's used. Again, it's very straightforward. To check an iPhone, you simply make a backup of the iPhone and you run this one command, so it'll be "mvt-ios check-backup" and then you provide the backup folder. In the command here we also see what's called a STIX file. So a .stix file is simply a file containing indicators. These may be like domain names or IP addresses, or process names that are known to be linked to a spyware tool. And so MVT is a generic tool. It can be used with Pegasus indicators, but it also can be used with indicators for other spyware tools and could be used to detect other spyware. So MVT is a modular framework; it has modules for parsing different kinds of databases such as SMS messages or browser history or other kinds of files on the device. I'm going to go through and explain a few of the modules that are available in MVT and show how this can be used to find traces of Pegasus or other similar spyware tools.
So[br]one module that is quite useful is the SMS 0:25:53.640,0:25:58.766 module, which is quite straightforward: it[br]simply reads the SMS database in the iPhone 0:25:58.766,0:26:04.283 backup to extract all of the links from[br]the SMS messages and checks if any of those 0:26:04.283,0:26:10.656 SMS messages contain links to known[br]malicious domains. So in this case, we're 0:26:10.656,0:26:14.707 checking a backup of a phone targeted with[br]Pegasus, and we see that 0:26:14.707,0:26:18.844 there are multiple domains found[br]that are tied to Pegasus. We see this 0:26:18.844,0:26:25.221 revolution-news.co, stopsms.biz, and[br]from what we know of NSO we've seen these 0:26:25.221,0:26:32.883 kinds of exploit SMS used primarily[br]between 2016 and 2018. We've also seen 0:26:32.883,0:26:37.896 Pegasus links as far back as 2014, and as[br]recently as 2020. So this has been quite 0:26:37.896,0:26:43.200 common, and if these zero-click attacks[br]are not available, I think we'll still see 0:26:43.200,0:26:51.348 these kinds of exploit links being sent in[br]SMS. So another data source that's quite 0:26:51.348,0:26:56.600 useful and quite helpful for finding[br]traces of targeting is the Safari browser 0:26:56.600,0:27:03.595 history. So what we've seen is that[br]we identify traces of exploits 0:27:03.595,0:27:09.464 being recorded in the Safari browser history,[br]especially after a network injection 0:27:09.464,0:27:14.294 attack. So in this case, while there's no[br]link in SMS, when a network injection 0:27:14.294,0:27:18.800 attack happens the exploit server domain[br]will be recorded in the browser history. 0:27:18.800,0:27:22.506 And so by checking the browser history, we[br]may be able to find evidence that this 0:27:22.506,0:27:31.120 attack happened.
So on the right here you[br]can see a screenshot, and this screenshot 0:27:31.120,0:27:38.400 was actually taken by Moroccan journalist[br]Omar Radi when he was being targeted with 0:27:38.400,0:27:43.600 one of these network injection attacks in[br]Morocco. So when he was browsing the web 0:27:43.600,0:27:46.720 he clicked the link and was then instantly[br]redirected to this web page. And when 0:27:46.720,0:27:49.920 this screenshot was taken, it was actually[br]running the JavaScript trying to exploit 0:27:49.920,0:27:55.440 his phone. So unfortunately, following the[br]publication of this research, Omar Radi was 0:27:55.440,0:27:59.920 repeatedly harassed by the Moroccan[br]authorities and then he was eventually 0:27:59.920,0:28:04.556 jailed after an unfair trial, and he's[br]currently in jail. 0:28:06.806,0:28:13.199 So another file quite useful in our[br]investigations is something called the ID 0:28:13.199,0:28:18.462 status cache file. So the ID status cache[br]file is a file on iPhones, and it can 0:28:18.462,0:28:23.671 track traces of any iCloud accounts[br]which interacted with the device. This can 0:28:23.671,0:28:27.408 be interacting with the device over a[br]bunch of different Apple services, 0:28:27.408,0:28:32.266 including iMessage, AirDrop and Apple Photos.[br]And what is really useful about this 0:28:32.266,0:28:39.282 file is that it showed us which malicious[br]accounts, which Pegasus-related 0:28:39.282,0:28:46.080 accounts, had been targeting a particular[br]device. So from what we know about Pegasus, we 0:28:46.080,0:28:51.920 believe that these malicious accounts[br]have been set up and have been used by 0:28:51.920,0:28:58.240 one individual Pegasus customer. So you[br]can see here in the first row, we see this 0:28:58.240,0:29:04.480 email address linakeller, and we saw[br]this account being used to deliver an 0:29:04.480,0:29:08.400 iMessage zero-day to quite a number of[br]different activists.
So we've seen it 0:29:08.400,0:29:16.240 used to deliver exploits to two different[br]Moroccan activists and a couple of French 0:29:16.240,0:29:21.040 political figures. So by looking at[br]which individuals have been targeted by 0:29:21.040,0:29:24.720 the same account, by the same[br]customer, we were able to get a 0:29:24.720,0:29:28.400 better idea of who that customer might be[br]and have some idea about the attribution 0:29:28.400,0:29:33.840 for that attack. The same in these other[br]cases: for example, we see 0:29:33.840,0:29:39.200 the jessicadavies1345 email. This was[br]found on the phones of two different 0:29:39.200,0:29:44.160 Hungarian journalists. Same for the[br]emmadavies address, and again for this 0:29:44.160,0:29:49.120 final address here: williams enny. We[br]found this on the phones of two different 0:29:50.560,0:29:58.320 Hungarian individuals, Hungarian[br]activists. So this is really useful for us 0:29:58.320,0:30:01.450 in our investigation because it really[br]helped us get a better idea of who might 0:30:01.450,0:30:10.480 be behind some of the attacks that we were[br]seeing. So the previous logs 0:30:10.480,0:30:15.840 I showed, about SMS data and browser[br]history, show traces of 0:30:15.840,0:30:19.280 targeting. They showed that someone had[br]been sent a malicious link, but they don't 0:30:19.280,0:30:23.920 necessarily prove that a phone has been[br]successfully compromised. So what I will 0:30:23.920,0:30:28.700 show now is some of the logs we can use to[br]show that a device was indeed compromised. 0:30:28.800,0:30:32.580 One of these files that was very useful[br]for us in our investigations was the 0:30:32.580,0:30:39.600 so-called data usage file. So the data usage[br]file on an iPhone is a file that records 0:30:39.600,0:30:43.920 information about how much mobile data[br]traffic each process on the phone has 0:30:43.920,0:30:49.120 used.
So this may be used to help[br]the iPhone keep track of which 0:30:49.120,0:30:52.720 apps on your phone are using the most of[br]your mobile data. But what is really 0:30:52.720,0:30:56.640 helpful for this is that it actually[br]recorded the names of some of the Pegasus 0:30:56.640,0:31:01.162 processes and how much data each of these[br]Pegasus processes was using. So from all 0:31:01.162,0:31:08.160 we know about NSO's Pegasus, we believe[br]that when Pegasus is installed on a phone, 0:31:08.160,0:31:13.666 it will pick a random name that it[br]uses to hide itself while running on 0:31:13.666,0:31:18.000 the system. Throughout our investigation[br]we found about 50 different process names 0:31:18.000,0:31:21.956 that the Pegasus process was using to try[br]and hide itself. And once we identified 0:31:21.956,0:31:26.087 these process names, then we could go and[br]look for these known Pegasus 0:31:26.087,0:31:31.599 process names on devices of potential[br]targets. What's helpful is that this database 0:31:31.599,0:31:36.141 also shows a timestamp of when this[br]process name first started on 0:31:36.141,0:31:40.381 the device and when it was last seen on the[br]device. And it also gives you some 0:31:40.381,0:31:44.570 information about how much data this[br]process transferred. In some cases, this 0:31:44.570,0:31:48.174 has been gigabytes of data, which shows[br]that the Pegasus spyware was really 0:31:48.174,0:31:53.494 extracting a lot of data from the device.[br]And again, this is all automated in MVT, 0:31:53.494,0:31:58.851 so if you check a phone using MVT with the[br]Pegasus indicators, it'll show quite 0:31:58.851,0:32:04.799 clearly if any of these processes have[br]been found on the device. Another feature 0:32:04.799,0:32:11.440 that's been very helpful for us in our[br]analysis is the timeline feature of MVT.
0:32:11.440,0:32:17.291 So how the timeline feature works is it[br]takes all of the different indicators and 0:32:17.291,0:32:21.285 modules on the phone, so it checks[br]the SMS messages, it checks the file 0:32:21.285,0:32:27.119 system, and every event, like every[br]SMS message, every web browser lookup, will 0:32:27.119,0:32:33.228 all be recorded in a single file with the[br]date that it happened. So by looking at 0:32:33.228,0:32:38.557 this timeline, we can often see what[br]different events happened around the same 0:32:38.557,0:32:43.013 time as each other, and this can give us[br]some idea about how attacks 0:32:43.013,0:32:48.172 were actually delivered on this device. So[br]I want to give you just one example 0:32:48.172,0:32:52.405 of how this timeline can be used, just so[br]you know how to use this timeline in your 0:32:52.405,0:32:59.885 own investigations. So this is actually a[br]demonstration of the phone of a Rwandan 0:32:59.885,0:33:06.284 activist who was targeted in June 2021[br]using the FORCEDENTRY iMessage zero-day. 0:33:06.284,0:33:13.898 So we can see here on the timeline that at[br]8:45 p.m. the phone began to 0:33:13.898,0:33:18.428 receive some push notifications over[br]iMessage. It seems it received 46 0:33:18.428,0:33:24.940 push notifications. And then what we saw[br]was that SMS attachments began to be 0:33:24.940,0:33:29.821 written to the phone. So in the final line[br]here, we see that a file is 0:33:29.821,0:33:33.642 written to the SMS attachments directory.[br]And if you look at the end of the line, we 0:33:33.642,0:33:38.873 see that the file being written to[br]disk was actually a .GIF attachment. So at 0:33:38.873,0:33:44.406 the time we thought this was something to[br]do with the exploit somehow.
NSO was 0:33:44.406,0:33:50.465 delivering their exploit in that GIF file.[br]If we look a little bit later in the 0:33:50.465,0:33:56.054 timeline, we see that about 10 minutes[br]later, on the same day, a Pegasus process 0:33:56.054,0:34:02.095 starts running on the phone: this otpgrefd[br]process. Shortly afterwards, some 0:34:02.095,0:34:06.789 additional files are written to disk and[br]some more Pegasus processes start. So by 0:34:06.789,0:34:12.059 looking at this timeline together, we can[br]see quite clearly that the phone began to 0:34:12.059,0:34:15.544 receive iMessage messages, these GIF[br]attachments started to be written to 0:34:15.544,0:34:21.040 disk, and then about 10 minutes later the[br]phone was compromised with Pegasus. So 0:34:21.040,0:34:23.360 remember here: there was no[br]interaction from the user; they didn't 0:34:23.360,0:34:26.320 click on any link. As far as we are aware,[br]they didn't even notice anything 0:34:26.320,0:34:29.120 happening on the device. These messages were[br]simply silently 0:34:29.120,0:34:35.280 delivered, and after 10 or 20 minutes[br]Pegasus began to gain access to the 0:34:35.280,0:34:39.600 device. So we shared some of these[br]findings with Apple, and then later, in 0:34:39.600,0:34:46.640 September 2021, Citizen Lab[br]identified a copy of this exploit on 0:34:46.640,0:34:49.840 the phone of another activist; they[br]shared it with Apple, and Apple 0:34:49.840,0:35:01.499 patched this vulnerability in September[br]2021. So that's a little bit of how MVT 0:35:01.499,0:35:06.840 works and how some of this methodology[br]works to identify Pegasus on a 0:35:06.840,0:35:12.674 device. So since we published our forensic[br]methodology and our tools, many other 0:35:12.674,0:35:18.770 groups and organisations have been using[br]these tools and methodology to check other 0:35:18.770,0:35:24.469 devices for signs of Pegasus and have found[br]quite a number of new cases.
Here on the 0:35:24.469,0:35:28.796 top right you can see an example[br]of another NGO, Front Line Defenders, who 0:35:28.796,0:35:33.262 identified six Palestinian human rights[br]defenders who had their devices hacked 0:35:33.274,0:35:39.154 using Pegasus. In another case we see[br]that the Belgian military intelligence 0:35:39.154,0:35:43.985 services used a similar methodology to[br]check the phones of journalists in 0:35:43.985,0:35:48.670 Belgium, and they found that a[br]Belgian journalist, Peter Verlinden, had 0:35:48.670,0:35:53.809 his iPhone hacked, they suspected, by[br]Rwanda. Again, we see another case where 0:35:53.809,0:35:58.620 French intelligence services confirmed[br]that a number of French journalists had 0:35:58.620,0:36:05.952 their phones hacked using Pegasus,[br]again using a similar methodology. So what 0:36:05.952,0:36:11.187 I'd like to highlight is that MVT can really be[br]useful in identifying traces of Pegasus, but also 0:36:11.187,0:36:17.827 MVT is designed as a kind of generic[br]mobile forensic tool. So when used with 0:36:17.827,0:36:21.100 Pegasus indicators it will find Pegasus,[br]but it also can be used to go and 0:36:21.100,0:36:25.058 proactively search for new kinds of[br]spyware. So I really recommend that if 0:36:25.058,0:36:29.427 you're suspicious that phones may be[br]targeted with this kind of spyware, you 0:36:29.427,0:36:34.442 can use MVT to extract some data and then[br]dig into it. If the person is a member of 0:36:34.442,0:36:38.111 civil society or an activist, then Amnesty[br]and other organisations will be happy to 0:36:38.111,0:36:44.270 help support these investigations. And[br]also, MVT is an open source tool. It's 0:36:44.270,0:36:49.067 based on different modules, and so we're[br]always open to ideas for new modules 0:36:49.067,0:36:54.368 and new detection ideas to help make this[br]tool better and better able to detect new 0:36:54.368,0:37:03.620 kinds of threats.
One thing to remember[br]about MVT is that it's designed to detect 0:37:03.620,0:37:06.738 some kinds of spyware. Unfortunately, the[br]people who develop this spyware, 0:37:06.738,0:37:10.123 they're smart people, and they read these[br]reports and they watch these kinds of 0:37:10.123,0:37:14.819 presentations. And every time we publish[br]information about how to detect these 0:37:14.819,0:37:20.352 kinds of spyware targeting civil society,[br]the different spyware vendors and actors 0:37:20.352,0:37:24.540 will try to improve their tools to avoid[br]them being detected. They'll try to 0:37:24.540,0:37:29.689 upgrade their infrastructure to hide it[br]again or to better obscure their 0:37:29.689,0:37:35.017 activities. So just to give an example,[br]here's some of the development of NSO's 0:37:35.017,0:37:38.960 own infrastructure over time. We see that[br]after Amnesty published the 0:37:38.960,0:37:44.577 report in 2018, NSO infrastructure was shut[br]down, and then later, over the next two 0:37:44.577,0:37:49.966 years, it began to run more[br]infrastructure, which was again shut down 0:37:49.966,0:37:57.702 after discovery in 2021. So it's a[br]constant arms race. And so while 0:37:57.702,0:38:00.620 these tools are useful to detect[br]Pegasus now, it's not always going to be 0:38:00.620,0:38:04.827 just automatic, and it's important to do[br]further research to try and identify new 0:38:04.827,0:38:12.277 traces of new kinds of attacks. So what is[br]the future for mobile spyware? So one 0:38:12.277,0:38:16.628 thing I'd like to reiterate is that while[br]we focus a lot on NSO Group and Pegasus in 0:38:16.628,0:38:20.298 this research and in this[br]talk, and there's also been a lot of focus 0:38:20.298,0:38:24.064 on NSO Group.
Pegasus is not the only mobile[br]spyware out there, and there are definitely 0:38:24.064,0:38:28.680 many other players who are trying to get[br]into the space and trying to also develop 0:38:28.680,0:38:34.750 similar kinds of spyware tools, which are[br]then sold to different customers. 0:38:34.750,0:38:41.735 We've seen that from this investigation.[br]We found at least 180 journalists who are 0:38:41.735,0:38:45.280 potential targets of Pegasus, and many[br]other human rights activists and 0:38:45.280,0:38:50.157 opposition politicians who have been[br]targeted with these tools over the last number 0:38:50.157,0:38:55.907 of years. So far, these threat actors and[br]these state agencies are able to 0:38:55.907,0:39:00.992 target activists and civil society with[br]impunity due to a lack of visibility and 0:39:00.992,0:39:05.222 telemetry on mobile platforms. They've[br]just been getting away with it because 0:39:05.222,0:39:08.668 they haven't been detected. So tools such[br]as MVT can help expose some of these 0:39:08.668,0:39:13.489 threats, but they need to be used more[br]widely and need to be used with more of civil 0:39:13.489,0:39:18.781 society to really understand the full[br]scope of these kinds of threats. And it's 0:39:18.781,0:39:23.505 also important that industry, the tech[br]industry and the security industry, works 0:39:23.505,0:39:27.296 closely with civil society to help detect[br]and expose these threats, because 0:39:27.296,0:39:32.478 unfortunately the people most at risk[br]from these kinds of really serious attacks 0:39:32.478,0:39:36.204 are some of the people who are the least[br]equipped, both financially and technically, 0:39:36.204,0:39:43.120 to defend against them. So to conclude,[br]I think we're going to continue to see 0:39:43.120,0:39:49.440 attackers focusing on mobile. Mobile is[br]where all the data is.
No other place 0:39:49.440,0:39:52.080 gives you as much insight into somebody's[br]life and all their innermost 0:39:52.080,0:39:56.400 thoughts. Even just having a microphone in[br]someone's pocket is 0:39:56.400,0:40:01.680 such a powerful position to be in that we[br]think companies and states will continue 0:40:01.680,0:40:07.120 trying to develop these kinds of tools.[br]I think that zero-click exploits 0:40:07.120,0:40:11.520 are going to be highly, highly desirable.[br]So while Apple and others have done a 0:40:11.520,0:40:15.920 great job in making attacks against[br]iMessage more difficult, it's almost 0:40:15.920,0:40:19.920 certain that these kinds of cyber[br]surveillance companies will continue 0:40:19.920,0:40:24.480 trying to develop zero-click exploits. If[br]not for iMessage then maybe for other chat 0:40:24.480,0:40:30.080 platforms, like Signal or[br]Telegram or WhatsApp; they're going to try 0:40:30.080,0:40:37.166 and attack other applications that[br]activists are using. Unfortunately it's 0:40:37.166,0:40:42.101 not possible for activists and civil[br]society to protect themselves from these 0:40:42.101,0:40:47.034 kinds of zero-day attacks in a technical[br]sense. So we definitely need more active 0:40:47.034,0:40:51.577 collaboration between civil society and[br]key platform vendors to help identify and 0:40:51.577,0:40:56.189 defend against these threats. And also, we[br]urgently need better regulation to prevent 0:40:56.189,0:41:00.790 these kinds of really sophisticated[br]spyware tools being sold to states and 0:41:00.790,0:41:07.217 agencies which have a long history of[br]abusing them to target civil society and 0:41:07.217,0:41:12.978 opposition. So thank you all for[br]listening, and I'm happy to answer some 0:41:12.978,0:41:17.750 questions now.
If you have some questions,[br]or if you are a 0:41:17.750,0:41:20.680 member of civil society or an activist[br]and are concerned about surveillance, please 0:41:20.680,0:41:24.868 feel free to contact us at share@amnesty.tech.[br]Thank you. 0:41:24.868,0:41:30.602 Herald: Thank you Donncha. Thank you from[br]C-Base. We have already taken some 0:41:30.602,0:41:37.033 overtime this early hacker morning. Some[br]small questions have been popping up 0:41:37.033,0:41:42.736 internally here from our tiny[br]audience at C-Base. We don't have that 0:41:42.736,0:41:47.686 much time left. Can you just give us an[br]indication: what is the pace of this 0:41:47.686,0:41:53.558 ongoing war? Do you feel that NSO Group is[br]actively fighting MVT and your tool 0:41:53.558,0:41:57.533 development, or didn't you get this[br]honor yet? 0:41:57.533,0:42:04.998 D: Definitely. Even in the[br]past year, we saw NSO starting to be more 0:42:04.998,0:42:11.084 careful about cleaning up their forensic[br]traces, and since 2020 they've already begun to 0:42:11.084,0:42:14.915 clean some of the traces that[br]we've been using. And it's clear they've 0:42:14.915,0:42:17.781 realized that people are investigating,[br]that there is a risk of people discovering 0:42:17.781,0:42:20.990 this stuff, and I feel like after the[br]revelations of this summer, they're going 0:42:20.990,0:42:25.781 to be much more proactive in trying[br]to clean up some of these traces. But as I 0:42:25.781,0:42:30.800 said, NSO is one company out there;[br]there are also many other companies trying 0:42:30.800,0:42:35.120 to compete in the same space.
So even if[br]NSO gets better, other 0:42:35.120,0:42:38.825 companies are still out there and can[br]still be caught using MVT. And 0:42:38.825,0:42:44.324 fundamentally, even if they clean[br]up some traces, for any kind of failed 0:42:44.324,0:42:48.065 attack these traces are still going to[br]be left around, because it won't be 0:42:48.065,0:42:51.440 possible for the spyware to clean up[br]its traces. 0:42:51.440,0:42:57.437 H: Uhm-Hmm. So one could still, after an[br]attack, eventually, on an old 0:42:57.437,0:43:03.465 device years later, discover that there had[br]been some spyware activity, which may be, 0:43:03.465,0:43:09.870 in the long run, interesting information[br]about dark campaigns and things. So NSO is 0:43:09.870,0:43:15.360 not the only actor; there will be more. Do[br]you feel that there are just copycats in 0:43:15.360,0:43:20.690 the market, or do you think there will be[br]completely new threats in the future? 0:43:20.690,0:43:24.811 D: So I guess there are always lots[br]of smart people who work for these 0:43:24.811,0:43:29.580 companies who are trying to develop these[br]tools. Just earlier this month, 0:43:29.580,0:43:34.180 Citizen Lab published a report about[br]another cyber surveillance vendor called 0:43:34.180,0:43:40.759 Cytrox, based in North Macedonia, and they[br]were selling similar spyware, which is 0:43:40.759,0:43:45.002 using one-click attacks using[br]links to help compromise iPhones and 0:43:45.002,0:43:50.256 Android phones. So that's one company[br]that's competing in this space. There are 0:43:50.256,0:43:54.869 other companies doing similar kinds[br]of targeting, but we believe 0:43:54.869,0:43:58.766 NSO was definitely the biggest company in[br]this space, and they had a lot of money to 0:43:58.766,0:44:04.575 invest, especially in these kinds of[br]zero-click attacks.
So for now, we don't 0:44:04.575,0:44:07.579 know if there's a company that's as big or[br]sophisticated as NSO, but I think many 0:44:07.579,0:44:11.769 others will be trying to take their place[br]if NSO becomes less popular. 0:44:11.769,0:44:19.466 H: I see. I see. OK, thank you very much.[br]We have to go over to the RC3 morning 0:44:19.466,0:44:26.754 show in a few seconds. Thank you very much[br]for this interesting talk this morning. 0:44:26.754,0:44:33.970 Again, share@amnesty.tech is the address[br]to go to. And this is probably one of the 0:44:33.970,0:44:38.931 talks you want to watch again on[br]media.ccc.de in a few days when it has 0:44:38.931,0:44:45.760 been published. So greetings to Ireland.[br]Thank you very much, and we will meet and 0:44:45.760,0:44:51.280 see each other again in real life, I hope. Thank you.[br]D: Thank you very much. Have a good day. 0:44:54.720,0:45:03.000 Everything is licensed under CC BY 4.0,[br]and it is all for the community to download. 0:45:03.000,0:45:03.570 Subtitles created by c3subtitles.de[br]in the year 2022. Join, and help us!