[0:00:01] [Translated by Iikka Yli-Kuivila (ITKST56 course assignment at JYU.FI)]

[0:00:03] Herald: Good morning from C-Base, the space station beyond or under Berlin, which welcomes you to day 2 of the RC3 streaming. We are starting in a few seconds with "Catching the NSO Group's Pegasus spyware". This is something that has caught attention among the security and hacker communities over the world in the last, I would guess, two years or so. There have been some spectacular cases of murder, kidnappings, journalists being threatened, other things. The infamous software doing this is called Pegasus; it's marketed by a company known by the three-letter acronym NSO, whatever this stands for. And actually, Amnesty International and its I.T. department, so to say, has invested quite some effort into detecting whether a device has been infected by Pegasus or not.
[0:01:17] NSO marketed this, among other things, as so-called "undetectable", well, undetectable as in software on a device, as we will see. And our speaker today, Donncha O'Cearbhaill from Ireland and from Amnesty International, will be presenting how they developed detection tools for this nasty piece of spyware that has become so popular among secret actors, state actors and others around the world. OK, enough for the introduction. Donncha, the scene and the stream are yours. Good morning.

[0:01:56] Donncha: Good morning, and thank you for that introduction. So as the intro said, today I'd like to talk to you about NSO Group's Pegasus spyware. In particular I'd like to explain a little bit about how we at Amnesty have investigated Pegasus over the past few years, and I'll also explain and demonstrate some of the tools we have developed and published, so that others can also investigate and detect Pegasus spyware, potentially on their devices and the devices of other people in civil society.
[0:02:27] So my name is Donncha O'Cearbhaill and I am a technologist based at the Amnesty International Security Lab in Berlin, with a small team who focuses on investigating targeted digital threats such as spyware, phishing and other kinds of surveillance that's directed against civil society and human rights defenders around the world. So as the intro said, Pegasus has got a lot of attention in the past few months. So you may have seen the Pegasus Project revelations that were published in July, during the summer. The Pegasus Project was a global investigation into abuses linked to NSO Group's Pegasus spyware. This investigation was based on a leaked dataset of 50,000 potential Pegasus targets, which Amnesty International and Forbidden Stories had access to, and so this global media investigation was coordinated by Forbidden Stories, with the participation of about 80 journalists from 17 different media organisations around the world.
[0:03:32] During the Pegasus Project, Amnesty International took the role of a technical partner, and the focus for Amnesty International was to perform detailed, innovative forensic analysis on the devices of potential targets, and through this kind of forensic analysis and this technical work we were able to identify traces of Pegasus, either targeting or infecting online devices. So over a multi-month project Amnesty Security Lab analyzed about 67 devices, and from these 67 devices of potential targets at least 37 showed clear traces of Pegasus targeting or infection. So this is really quite a high number of infected devices, and these devices included journalists, activists, opposition political figures, all kinds of people who were being unlawfully surveilled using Pegasus. Overall, of the phones we have checked which were iPhones and which hadn't been replaced, which took data of the targeting, more than 80 percent of the phones that were on this list of potential targets showed traces of Pegasus.
[0:04:42] So in July these stories came out and they highlighted cases of civil society being targeted, such as journalists in Hungary, activists in Morocco, activists and Saudi Arabian dissidents, also family members of Jamal Khashoggi, who the investigation showed had been targeted with Pegasus spyware both before and after his brutal murder. So, yeah, you can go and read many of these stories online. Today I'd like to focus on how we got there, how we developed these tools, how we developed this methodology for finding Pegasus, and also to explain how you can also go and do this kind of searching for Pegasus and for other mobile spyware. So let's take a step back for a second and ask: so what exactly is Pegasus? Its name is well known, but what exactly is the software and how does it work? OK, so the first thing to remember is that actually, while Pegasus has gotten more well known in the last two years, it's not actually a new tool or a new product. So we know Pegasus has been around and been developed by NSO Group since at least 2010.
[0:05:52] And on the left hand side here, the diagram, you can see a Pegasus brochure from 2010 where it describes how Pegasus can be installed on BlackBerry devices. And we believe the original version of Pegasus was focused on BlackBerry because back in 2010 smartphones were less prevalent than they are now. BlackBerry is kind of a key target for some of the security agencies who may want to buy this kind of spyware. So it developed over time; here on the right hand side we can see some diagrams that were from a leaked Pegasus brochure that was published in 2014. In the first diagram here it talks about how Pegasus is installed on a phone. In this example, it's showing how a Pegasus kind of infection link can be sent over SMS to the target device, and then, if opened, how the data can be collected and passed back to the operator of the Pegasus software. That's just one example from their own diagrams. Here in the circle below, you'll see a little bit of what Pegasus claims to be able to monitor. And if you look at it, you can see it's basically everything on the device.
[0:07:00] So it's talking about collecting email addresses, collecting SMS messages, tracking location data, even reading the calendar, turning on the microphone of the phone. And so bear in mind, while this diagram is quite old, it's like six or seven years old, you get an idea of what kind of data the Pegasus software will try to collect from the phone. Basically, it collected every kind of data on the phone that might be of interest to somebody who is carrying out the surveillance. One important thing to remember is that the Pegasus spyware is able to get very kind of deep access to the phone, so it's fundamentally able to access everything on the phone that the user is able to access and more. So even if you're using a messaging app such as Signal or Telegram, which may be encrypted, the Pegasus software is able to access that data and those messages before they're encrypted on the device. So once the spyware is running on the phone itself, none of these encrypted messaging apps will help, because it has such low-level access to the device.
[0:08:05] So that's a little bit about what exactly Pegasus tries to collect and what people can do with it using the Pegasus software. So where exactly did the investigations into Pegasus start? So we go back as far as 2016, which was when Pegasus was first kind of identified in the wild, being used to target an activist. So in this case, in 2016, Pegasus was first found by Citizen Lab. Citizen Lab is a group of researchers based in the University of Toronto in Canada, who also work on investigating spyware targeting civil society. So in this case, a UAE-based human rights defender named Ahmed Mansoor began to receive suspicious messages over SMS. So you can see some screenshots of the messages on the right. So Ahmed Mansoor was cautious about these because in the past he had previously been targeted with other kinds of spyware tools, including FinFisher. So when he began to receive these messages, he was cautious about them and he shared them with Citizen Lab, who then began to investigate them.
[0:09:12] So what Citizen Lab realized is that these looked to be attack messages, and they opened these attack links on their own testing phone. When they did this they were able to capture the exploit that was being delivered over these links and also able to capture a copy of the Pegasus payload. So what happens when these links are opened is that the link is opened in a web browser such as Safari. When the link is opened, the Pegasus server would return some JavaScript, some code that would exploit an unknown flaw in the Safari web browser, and by kind of manipulating the Safari web browser and exploiting this unknown flaw they could then get their own code to start running inside this web browser. And eventually, with the help of some additional flaws, they could then get more privileged access on the iPhone and eventually install the full Pegasus payload. So, yes, Citizen Lab first found it in 2016. It was a very important discovery and it showed just how serious some of the threats facing civil society were.
[0:10:20] That there were people willing to use these kinds of very expensive exploits to start targeting human rights defenders who are just doing their human rights work. Unfortunately, after this, Ahmed Mansoor continued to get harassed, and he was sentenced to prison, and he's currently still in prison, since 2017. So for about four years now. So when did we at Amnesty start investigating this? So our team has been investigating these kinds of threats for a while, but really we started focusing on NSO and investigating NSO in 2018, after an Amnesty colleague of ours started to receive some suspicious messages. So this colleague received, in May 2018, this message you can see here on the left. The message is written in Arabic, but it claims that there is going to be a protest happening shortly outside the Saudi Arabian Embassy. And they asked the Amnesty staff member to support the protest and then to click on this link for more information. So fortunately, our Amnesty colleague, when they received this message, got quite suspicious. They were like, this is just weird, I don't know this person.
[0:11:24] And so they shared a screenshot of this message with us at the Amnesty Security Lab, and we began to investigate. So quite quickly, when we started looking at this domain name and the server, we agreed it looked kind of suspicious. And we also managed to identify some additional domains and servers that were related to this original akhbar-arabia domain. And quite quickly, it started to appear to us that this was indeed something suspicious, and maybe it was some kind of an attack message. So at the time, we didn't know it was necessarily NSO Group. By looking at the original and initial servers here, we managed to create kind of a fingerprint, so some way of identifying the particular configuration of the domain name and the server sent inside of this message. With the aid of this fingerprint, we then began to do what's called an internet scan. So we connected to every single server on the Internet, sent a particular request and then found any other server on the Internet that matched this particular fingerprint, this particular configuration from this server.
[0:12:24] So by doing this internet scanning, what we found was 600 different domains all across the Internet that matched this fingerprint and that appeared to be related to the same kinds of attacks. So what was really key is that we found that these domains were actually related to Pegasus, because NSO Group had made one kind of key mistake, or key flaw, when they were setting up this infrastructure. So what happened is that, as described earlier, Citizen Lab had previously identified servers being used by NSO Group in 2016. After the exposé in 2016 NSO shut down all of these domains and infrastructure, and then began to set up new kind of infrastructure that would not be related to NSO or not linkable to NSO. Fortunately they made a mistake, because they had reused one domain name from the previous set of infrastructure, and it was also being used in this new infrastructure. So by finding this one domain out of 600 that had previously been in use by NSO, we were able to show that these 600 domains were also related to Pegasus.
[0:13:28] And so we were able to show that this message that was sent to our Amnesty International colleague was indeed related to Pegasus and was an attempt to compromise their device. So we published these findings in August 2018, and at that time we also identified that another set of Saudi Arabian activists had similarly been targeted, with a Pegasus exploit message over WhatsApp. Following this, Amnesty International also supported a legal action in Israel, which asked the Israeli Ministry of Defense to revoke NSO's export licenses, to prevent this Pegasus software being sold to countries that would abuse it to target Amnesty and also target other human rights activists. Unfortunately, later the Israeli court rejected the legal complaint and said that the Israeli Ministry of Defense had adequate safeguards in place to prevent NSO's exports being sold to countries who would abuse it. Here in the bottom on the left, you can see a chart which shows the number of Pegasus servers online at the time.
[0:14:41] You can see here that when we published this report NSO acted quite quickly to shut down all 500 or 600 servers that were being used to deliver Pegasus. So this just shows that, you know, NSO is kind of reading this research and paying attention to it. It is trying to avoid getting their infrastructure and servers discovered by researchers who are investigating these kinds of abuses. So this is back in 2018. So after discovering this attack against an Amnesty staff member, we at Amnesty continued trying to investigate Pegasus, to try to find more cases of abuse. We next found Pegasus targeting happening in Morocco in 2019. So you can see here on the right. This time, we found that a Moroccan human rights defender named Maati Monjib was being targeted repeatedly with Pegasus. When we checked his phone, we found that he had some suspicious messages there. The messages claimed that there is some scandal or some news story, and they're asking the target to click on these links to find out more information.
[0:16:02] So when we looked at these links, we knew immediately that they were Pegasus links, because we had previously identified these domains as one of the 600 domains that were being used in 2018. So for example, you can see that in the second message on the right, we see the domain videosdownload.co. We knew it was Pegasus because we'd previously identified and published this domain in 2018. So this time we knew Maati was being targeted with Pegasus, but we realized we needed to do some more investigation to see if his phone was indeed compromised, so that we could collect more information from his device. So when we did this, we actually found something quite interesting on Maati's phone, because we found what we believed was evidence of a new type of targeting on his phone. Instead of relying on the target being tricked into clicking on a link, which is maybe not reliable, or maybe the target can see something is suspicious, we instead saw them using what's called a network injection attack.
[0:17:04] So how a network injection attack works is like this. So network injection involves having some kind of equipment or software running with access to the internet connection of the mobile device. So this can either be at the mobile phone network, or potentially having some software or hardware running on the same Wi-Fi network as the target. And what it does is, when the target is browsing the web on their phone, eventually the target browses and clicks on a link that goes to a regular http website, so without https. So when this regular http request is made, the software that's running on the upstream network can see this http request. And when the http request happens, instead of returning the correct response, the correct content, it instead returns an http redirect. And the http redirect will then send the browser of the phone to a malicious exploit site, which can then hack the phone.
[0:18:02] So in the case of Maati, we found that he had tried to go and check his email and typed in Yahoo.fr in his browser. When he typed in Yahoo.fr, the software running on the upstream network saw this cleartext connection and then redirected his phone to this exploit link we see above. So you see the domain is quite suspicious: "get1tn0w.free247downloads.com". And again, it has some random characters at the end, which looks like a kind of an exploit link. So at the time, we suspected that this was Pegasus, and it was a new way of delivering Pegasus without tricking the user into clicking on a link. But we weren't certain that it was Pegasus; potentially it was some other kind of spyware. Fortunately for us NSO helped to confirm that this really was Pegasus, because before we published this report, Amnesty wrote to NSO Group sharing our findings, and interestingly, one day after we shared the findings with NSO this spyware server got shut down and went offline. And this was already a week before the report was made publicly available.
[0:19:05] So that kind of confirmed to us that NSO really was controlling this infrastructure and was able to get it shut down even when we'd only privately shared this information with NSO. A bit later, we found some more information about how this attack may have been done. NSO, at a trade fair, was demonstrating some new type of hardware they had developed, which you can see here in the photo on the right. And we believe this photo is of some kind of IMSI catcher or fake base station, which can run a fake mobile phone network. And then the target's phone, so Maati's phone, could connect to this fake mobile phone base station, and from that position it could be possible for NSO to redirect the phone to a malicious exploit link. So we're not sure what happened in this case, if this was the device that was used. But we believe NSO is demonstrating or testing these kinds of what are called tactical infection methods.
So this was\Nwhere our findings were in Morocco - we
Dialogue: 0,0:20:05.92,0:20:11.20,Default,,0000,0000,0000,,started to realize that actually relying\Non checking for SMS messages, checking for
Dialogue: 0,0:20:11.20,0:20:17.28,Default,,0000,0000,0000,,links or relying on people coming to us\Nwith something suspicious wasn't going to
Dialogue: 0,0:20:17.28,0:20:21.52,Default,,0000,0000,0000,,work anymore because we began to see what\Nwere called zero-click attacks. And so all
Dialogue: 0,0:20:21.52,0:20:25.68,Default,,0000,0000,0000,,a zero-click attack is, is any way of\Ninfecting a device that doesn't rely on
Dialogue: 0,0:20:25.68,0:20:31.20,Default,,0000,0000,0000,,some interaction from the user. It doesn't\Nrely on the user clicking on a link. So we
Dialogue: 0,0:20:31.20,0:20:33.76,Default,,0000,0000,0000,,can see here some examples of other\Nzero-click attacks that have been
Dialogue: 0,0:20:33.76,0:20:37.44,Default,,0000,0000,0000,,discovered over the past couple of years.\NI guess one of the first ones here was in
Dialogue: 0,0:20:37.44,0:20:43.84,Default,,0000,0000,0000,,2019, where NSO Group developed an exploit\Nfor WhatsApp, and it was then used
Dialogue: 0,0:20:43.84,0:20:51.28,Default,,0000,0000,0000,,by their customers to target at least 1400\Ndifferent people around the world. All of
Dialogue: 0,0:20:51.28,0:20:58.40,Default,,0000,0000,0000,,this - how it worked is that the\Ntarget was simply to receive a call over
Dialogue: 0,0:20:58.40,0:21:02.00,Default,,0000,0000,0000,,WhatsApp, even a missed call, and the\Nexploit would be able to compromise their
Dialogue: 0,0:21:02.00,0:21:06.00,Default,,0000,0000,0000,,phone without the user clicking\Nanything.
As I described earlier, we saw
Dialogue: 0,0:21:06.00,0:21:09.84,Default,,0000,0000,0000,,these kinds of network injection attacks\Nhappen, and then later in 2020, Citizen
Dialogue: 0,0:21:09.84,0:21:18.32,Default,,0000,0000,0000,,Lab also found an iMessage zero-day being\Nused to again compromise iPhone users
Dialogue: 0,0:21:18.32,0:21:23.68,Default,,0000,0000,0000,,without any interaction. So from\Nour own investigations, we have found that
Dialogue: 0,0:21:23.68,0:21:30.96,Default,,0000,0000,0000,,NSO has been using various zero-click\Nexploits since at least summer 2017 until
Dialogue: 0,0:21:30.96,0:21:35.48,Default,,0000,0000,0000,,July of this year. So we know it's not\Nsomething that's quite new for NSO,
Dialogue: 0,0:21:35.48,0:21:38.72,Default,,0000,0000,0000,,but at least it's something we've\Nstarted only recently discovering in the
Dialogue: 0,0:21:38.72,0:21:42.32,Default,,0000,0000,0000,,past few years. And we've seen NSO\Nputting a lot of focus into developing
Dialogue: 0,0:21:42.32,0:21:52.78,Default,,0000,0000,0000,,these kinds of complicated but very\Npowerful zero-click exploits. So now that
Dialogue: 0,0:21:52.78,0:21:56.72,Default,,0000,0000,0000,,we know that NSO and their customers are\Nusing these kinds of zero-click attacks, we
Dialogue: 0,0:21:56.72,0:22:02.00,Default,,0000,0000,0000,,realized we needed to do something kind of\Nmore advanced to try and find these cases
Dialogue: 0,0:22:02.00,0:22:07.16,Default,,0000,0000,0000,,of surveillance. The big\Nproblem with mobile devices is a lack of
Dialogue: 0,0:22:07.16,0:22:11.20,Default,,0000,0000,0000,,visibility, whereas on desktop or laptop\Ncomputers, we have antivirus available or
Dialogue: 0,0:22:11.20,0:22:14.43,Default,,0000,0000,0000,,we have EDR systems available. There\Nreally is nothing similar that was
Dialogue: 0,0:22:14.43,0:22:18.24,Default,,0000,0000,0000,,available for mobile devices.
So these\Nkinds of attacks, especially zero-click
Dialogue: 0,0:22:18.24,0:22:26.00,Default,,0000,0000,0000,,attacks, are often going undetected. We\Ngot to investigate this. We realized that
Dialogue: 0,0:22:26.00,0:22:29.60,Default,,0000,0000,0000,,it was difficult to perform forensics on\Nmobile devices. It's actually not
Dialogue: 0,0:22:29.60,0:22:34.08,Default,,0000,0000,0000,,impossible. We were somewhat surprised to\Nrealize that iPhones actually allow a
Dialogue: 0,0:22:34.08,0:22:38.96,Default,,0000,0000,0000,,significant amount of relevant data to be\Nextracted from the phones themselves in
Dialogue: 0,0:22:38.96,0:22:43.68,Default,,0000,0000,0000,,the form of an iPhone backup. And so it's\Nactually quite possible to start
Dialogue: 0,0:22:43.68,0:22:48.80,Default,,0000,0000,0000,,doing a forensic analysis on iPhones.\NUnfortunately, Android devices we found
Dialogue: 0,0:22:48.80,0:22:52.88,Default,,0000,0000,0000,,were much more limited because of\Nrestrictions on the Android operating
Dialogue: 0,0:22:52.88,0:22:58.16,Default,,0000,0000,0000,,system. It isn't possible to extract much\Ndata in an Android backup, and so all
Dialogue: 0,0:22:58.16,0:23:02.00,Default,,0000,0000,0000,,we've really been able to do on Android is\Nto simply check the SMS messages and maybe
Dialogue: 0,0:23:02.00,0:23:06.88,Default,,0000,0000,0000,,the browser history for some traces\Nof targeting. But again, it's just that
Dialogue: 0,0:23:06.88,0:23:11.76,Default,,0000,0000,0000,,much less data is available on Androids\Ncompared to iPhones. The other big problem
Dialogue: 0,0:23:11.76,0:23:15.52,Default,,0000,0000,0000,,we realized is that there's a lack\Nof any kinds of public tools for
Dialogue: 0,0:23:15.52,0:23:19.12,Default,,0000,0000,0000,,consensual mobile forensics.
All of the\Nforensic tools that are out there are
Dialogue: 0,0:23:19.12,0:23:24.80,Default,,0000,0000,0000,,designed for people to extract data\Nfrom phones that they don't want or their
Dialogue: 0,0:23:24.80,0:23:28.56,Default,,0000,0000,0000,,phones have been seized or phones that are\Nsomehow otherwise obtained. There are
Dialogue: 0,0:23:28.56,0:23:35.44,Default,,0000,0000,0000,,no tools available to really check\Nyour own phone for signs of spyware. So
Dialogue: 0,0:23:35.44,0:23:40.56,Default,,0000,0000,0000,,this is where the Mobile Verification\NToolkit comes into play. So MVT is
Dialogue: 0,0:23:40.56,0:23:43.92,Default,,0000,0000,0000,,a public tool developed by Amnesty\NInternational and designed to simplify the
Dialogue: 0,0:23:43.92,0:23:48.72,Default,,0000,0000,0000,,process of analyzing mobile devices for\Ntraces of spyware. And here it's available
Dialogue: 0,0:23:48.72,0:23:53.36,Default,,0000,0000,0000,,on GitHub; you can go check it out. And\Njust to highlight, all of the
Dialogue: 0,0:23:53.36,0:23:57.52,Default,,0000,0000,0000,,cases of Pegasus targeting I've described\Npreviously, and all the cases and traces
Dialogue: 0,0:23:57.52,0:24:01.60,Default,,0000,0000,0000,,that are present for the rest of the\Npresentation, all of these have been found
Dialogue: 0,0:24:01.60,0:24:09.04,Default,,0000,0000,0000,,using MVT. So MVT really works to\Ndetect advanced spyware, including spyware
Dialogue: 0,0:24:09.04,0:24:14.56,Default,,0000,0000,0000,,using zero-click, zero-day exploits and\Nreally sophisticated stuff such as
Dialogue: 0,0:24:14.56,0:24:19.28,Default,,0000,0000,0000,,Pegasus.
So while all of these different\Nspyware vendors try to say: "Our thing is
Dialogue: 0,0:24:19.28,0:24:22.64,Default,,0000,0000,0000,,undetectable", it is definitely advanced,\Nthey definitely spent a lot of money in
Dialogue: 0,0:24:22.64,0:24:27.44,Default,,0000,0000,0000,,developing this stuff, but it's not magic.\NAnd if you're careful and diligent about
Dialogue: 0,0:24:27.44,0:24:30.24,Default,,0000,0000,0000,,checking the traces, there are always\Nmistakes that are made. There are always
Dialogue: 0,0:24:30.24,0:24:35.47,Default,,0000,0000,0000,,ways of identifying potentially suspicious\Nbehavior on these devices. And MVT is
Dialogue: 0,0:24:35.47,0:24:44.64,Default,,0000,0000,0000,,written in Python, it's very easy to\Ninstall, and if you have pip, you can just
Dialogue: 0,0:24:44.64,0:24:50.11,Default,,0000,0000,0000,,do a "pip3 install mvt". And here's\Nhow it's used. Again, it's very
Dialogue: 0,0:24:50.11,0:24:54.91,Default,,0000,0000,0000,,straightforward. To check an iPhone, you\Nsimply make a backup of the iPhone and you
Dialogue: 0,0:24:54.91,0:25:00.00,Default,,0000,0000,0000,,run this one command, so it'll be "mvt-ios\Ncheck-backup" and then you provide the
Dialogue: 0,0:25:00.00,0:25:05.30,Default,,0000,0000,0000,,backup folder. In the command here we also\Nsee what's called a STIX file. So a .stix
Dialogue: 0,0:25:05.30,0:25:09.96,Default,,0000,0000,0000,,file is simply a file containing\Nindicators. These may be domain names
Dialogue: 0,0:25:09.96,0:25:15.19,Default,,0000,0000,0000,,or IP addresses, or process names that are\Nknown to be linked to a spyware tool. And
Dialogue: 0,0:25:15.19,0:25:19.65,Default,,0000,0000,0000,,so MVT is a generic tool. It can be\Nused with Pegasus indicators, but it also
Dialogue: 0,0:25:19.65,0:25:26.13,Default,,0000,0000,0000,,can be used with indicators for other\Nspyware tools and could be used to detect
Dialogue: 0,0:25:26.13,0:25:31.89,Default,,0000,0000,0000,,other spyware.
So MVT is a modular\Nframework; it has modules for parsing
Dialogue: 0,0:25:31.89,0:25:36.70,Default,,0000,0000,0000,,different kinds of databases such as SMS\Nmessages or browser history or other kinds
Dialogue: 0,0:25:36.70,0:25:41.37,Default,,0000,0000,0000,,of files on the device. I'm going to go\Nthrough and explain a few of the modules
Dialogue: 0,0:25:41.37,0:25:46.30,Default,,0000,0000,0000,,that are available in MVT and show how\Nthis can be used to find traces of
Dialogue: 0,0:25:46.30,0:25:53.64,Default,,0000,0000,0000,,Pegasus or other similar spyware tools. So\None module that is quite useful is the SMS
Dialogue: 0,0:25:53.64,0:25:58.77,Default,,0000,0000,0000,,module, which is quite straightforward: it\Nsimply reads the SMS database in the iPhone
Dialogue: 0,0:25:58.77,0:26:04.28,Default,,0000,0000,0000,,backup to extract all of the links from\Nthe SMS messages and checks if any of those
Dialogue: 0,0:26:04.28,0:26:10.66,Default,,0000,0000,0000,,SMS messages contain links to known\Nmalicious domains. So in this case, we're
Dialogue: 0,0:26:10.66,0:26:14.71,Default,,0000,0000,0000,,checking a backup that is targeted with\NPegasus, and we see that
Dialogue: 0,0:26:14.71,0:26:18.84,Default,,0000,0000,0000,,there are multiple domains found\Nthat are tied to Pegasus. We see this
Dialogue: 0,0:26:18.84,0:26:25.22,Default,,0000,0000,0000,,revolution-news.co, stopsms.biz, and\Nfrom what we know of NSO, we've seen these
Dialogue: 0,0:26:25.22,0:26:32.88,Default,,0000,0000,0000,,kinds of exploit SMS used primarily\Nbetween 2016 and 2018. We've also seen
Dialogue: 0,0:26:32.88,0:26:37.90,Default,,0000,0000,0000,,Pegasus links as far back as 2014, and as\Nrecently as 2020. So this has been quite
Dialogue: 0,0:26:37.90,0:26:43.20,Default,,0000,0000,0000,,common, and if these zero-click attacks\Nare not available, I think we'll still see
Dialogue: 0,0:26:43.20,0:26:51.35,Default,,0000,0000,0000,,these kinds of exploit links being sent in\NSMS.
So another data source that's quite
Dialogue: 0,0:26:51.35,0:26:56.60,Default,,0000,0000,0000,,useful and quite helpful for finding\Ntraces of targeting is the Safari browser
Dialogue: 0,0:26:56.60,0:27:03.60,Default,,0000,0000,0000,,history. So what we've seen is that\Nwe can identify traces of exploits
Dialogue: 0,0:27:03.60,0:27:09.46,Default,,0000,0000,0000,,being recorded in Safari browser history,\Nespecially after a network injection
Dialogue: 0,0:27:09.46,0:27:14.29,Default,,0000,0000,0000,,attack. So in this case, while there's no\Nlink in SMS, when a network injection
Dialogue: 0,0:27:14.29,0:27:18.80,Default,,0000,0000,0000,,attack happens, the exploit server domain\Nwill be recorded in the browser history.
Dialogue: 0,0:27:18.80,0:27:22.51,Default,,0000,0000,0000,,And so by checking the browser history, we\Nmay be able to find evidence that this
Dialogue: 0,0:27:22.51,0:27:31.12,Default,,0000,0000,0000,,attack happened. So on the right here you\Ncan see a screenshot, and this screenshot
Dialogue: 0,0:27:31.12,0:27:38.40,Default,,0000,0000,0000,,was actually taken by Moroccan journalist\NOmar Radi when he was being targeted with
Dialogue: 0,0:27:38.40,0:27:43.60,Default,,0000,0000,0000,,one of these network injection attacks in\NMorocco. So when he was browsing the web
Dialogue: 0,0:27:43.60,0:27:46.72,Default,,0000,0000,0000,,he clicked a link and was then instantly\Nredirected to this web page. And when
Dialogue: 0,0:27:46.72,0:27:49.92,Default,,0000,0000,0000,,this screenshot was taken, it was actually\Nrunning the JavaScript trying to exploit
Dialogue: 0,0:27:49.92,0:27:55.44,Default,,0000,0000,0000,,his phone.
So unfortunately, following the\Npublication of this research, Omar Radi was
Dialogue: 0,0:27:55.44,0:27:59.92,Default,,0000,0000,0000,,repeatedly harassed by the Moroccan\Nauthorities and then he was eventually
Dialogue: 0,0:27:59.92,0:28:04.56,Default,,0000,0000,0000,,jailed after an unfair trial, and he's\Ncurrently in jail.
Dialogue: 0,0:28:06.81,0:28:13.20,Default,,0000,0000,0000,,So another file quite useful in our\Ninvestigations is something called the ID
Dialogue: 0,0:28:13.20,0:28:18.46,Default,,0000,0000,0000,,status cache file. So the ID status cache\Nfile is a file on iPhones, and it can
Dialogue: 0,0:28:18.46,0:28:23.67,Default,,0000,0000,0000,,track traces of any iCloud accounts\Nwhich interacted with the device. This can
Dialogue: 0,0:28:23.67,0:28:27.41,Default,,0000,0000,0000,,be interacting with the device over a\Nbunch of different Apple services,
Dialogue: 0,0:28:27.41,0:28:32.27,Default,,0000,0000,0000,,including iMessage, AirDrop, Apple Photos.\NAnd so what is really useful about this
Dialogue: 0,0:28:32.27,0:28:39.28,Default,,0000,0000,0000,,file is that it showed us which malicious\Naccounts, which kind of Pegasus-related
Dialogue: 0,0:28:39.28,0:28:46.08,Default,,0000,0000,0000,,accounts had been targeting a particular\Ndevice. So from what we know about Pegasus, we
Dialogue: 0,0:28:46.08,0:28:51.92,Default,,0000,0000,0000,,believe that these malicious accounts\Nhave been set up and have been used by
Dialogue: 0,0:28:51.92,0:28:58.24,Default,,0000,0000,0000,,one individual Pegasus customer. So you\Ncan see here in the first row, we see this
Dialogue: 0,0:28:58.24,0:29:04.48,Default,,0000,0000,0000,,email address linakeller, and we saw\Nthis account being used to deliver an
Dialogue: 0,0:29:04.48,0:29:08.40,Default,,0000,0000,0000,,iMessage zero-day to quite a number of\Ndifferent activists.
So we've seen it
Dialogue: 0,0:29:08.40,0:29:16.24,Default,,0000,0000,0000,,used to deliver exploits to two different\NMoroccan activists and a couple of French
Dialogue: 0,0:29:16.24,0:29:21.04,Default,,0000,0000,0000,,political figures. So by looking at\Nwhich individuals have been targeted by
Dialogue: 0,0:29:21.04,0:29:24.72,Default,,0000,0000,0000,,the same account, by the same\Ncustomer, we were able to kind of get a
Dialogue: 0,0:29:24.72,0:29:28.40,Default,,0000,0000,0000,,better idea of who that customer might be\Nand have some idea about the attribution
Dialogue: 0,0:29:28.40,0:29:33.84,Default,,0000,0000,0000,,for that attack. The same in these other\Ncases; for example, we see
Dialogue: 0,0:29:33.84,0:29:39.20,Default,,0000,0000,0000,,the jessicadavies1345 email. This was\Nfound on the phones of two different
Dialogue: 0,0:29:39.20,0:29:44.16,Default,,0000,0000,0000,,Hungarian journalists. Same for the\Nemmadavies address, and again for this
Dialogue: 0,0:29:44.16,0:29:49.12,Default,,0000,0000,0000,,final address here: williams enny. We\Nfound this on the phones of two different
Dialogue: 0,0:29:50.56,0:29:58.32,Default,,0000,0000,0000,,Hungarian individuals, Hungarian\Nactivists. So this is really useful for us
Dialogue: 0,0:29:58.32,0:30:01.45,Default,,0000,0000,0000,,in our investigation because it really\Nhelped us get a better idea of who might
Dialogue: 0,0:30:01.45,0:30:10.48,Default,,0000,0000,0000,,be behind some of the attacks that we were\Nseeing. So the previous logs
Dialogue: 0,0:30:10.48,0:30:15.84,Default,,0000,0000,0000,,I showed about SMS data and browser\Nhistory show kind of traces of
Dialogue: 0,0:30:15.84,0:30:19.28,Default,,0000,0000,0000,,targeting. They showed that some of these had\Nbeen sent a malicious link, but they don't
Dialogue: 0,0:30:19.28,0:30:23.92,Default,,0000,0000,0000,,necessarily prove that a phone has been\Nsuccessfully compromised.
So what I will
Dialogue: 0,0:30:23.92,0:30:28.70,Default,,0000,0000,0000,,show now is some of the logs we can use to\Nshow that a device was indeed compromised.
Dialogue: 0,0:30:28.80,0:30:32.58,Default,,0000,0000,0000,,One of these files that was very useful\Nfor us in our investigations was the so-
Dialogue: 0,0:30:32.58,0:30:39.60,Default,,0000,0000,0000,,called data usage file. So the data usage\Nfile in an iPhone is a file that records
Dialogue: 0,0:30:39.60,0:30:43.92,Default,,0000,0000,0000,,information about how much mobile data\Ntraffic each process on the phone has
Dialogue: 0,0:30:43.92,0:30:49.12,Default,,0000,0000,0000,,used. So this may be used to, like, help\Nthe iPhone keep track of, you know, which
Dialogue: 0,0:30:49.12,0:30:52.72,Default,,0000,0000,0000,,apps on your phone are using the most of\Nyour mobile data. But what is really
Dialogue: 0,0:30:52.72,0:30:56.64,Default,,0000,0000,0000,,helpful for this is that it actually\Nrecorded the names of some of the Pegasus
Dialogue: 0,0:30:56.64,0:31:01.16,Default,,0000,0000,0000,,processes and how much data each of these\NPegasus processes was using. So from all
Dialogue: 0,0:31:01.16,0:31:08.16,Default,,0000,0000,0000,,we know about NSO's Pegasus, we believe\Nthat when Pegasus is installed on a phone,
Dialogue: 0,0:31:08.16,0:31:13.67,Default,,0000,0000,0000,,it will kind of pick a random name that it\Nuses to kind of hide itself while running on
Dialogue: 0,0:31:13.67,0:31:18.00,Default,,0000,0000,0000,,the system. Throughout our investigation,\Nwe found about 50 different process names
Dialogue: 0,0:31:18.00,0:31:21.96,Default,,0000,0000,0000,,that the Pegasus process was using to try\Nand hide itself. And once we identified
Dialogue: 0,0:31:21.96,0:31:26.09,Default,,0000,0000,0000,,these process names, then we could go and\Nlook for these known Pegasus
Dialogue: 0,0:31:26.09,0:31:31.60,Default,,0000,0000,0000,,process names on devices of potential\Ntargets.
What's happened, this database
Dialogue: 0,0:31:31.60,0:31:36.14,Default,,0000,0000,0000,,also shows a timestamp of when this\Nprocess name was first kind of started on
Dialogue: 0,0:31:36.14,0:31:40.38,Default,,0000,0000,0000,,the device and when it was last seen on the\Ndevice. And also it gives you some kind of
Dialogue: 0,0:31:40.38,0:31:44.57,Default,,0000,0000,0000,,information about how much data this\Nprocess transferred. In some cases, this
Dialogue: 0,0:31:44.57,0:31:48.17,Default,,0000,0000,0000,,has been gigabytes of data, which shows\Nthat really the Pegasus spyware was
Dialogue: 0,0:31:48.17,0:31:53.49,Default,,0000,0000,0000,,extracting a lot of data from the device.\NAnd again, this is all automated in MVT,
Dialogue: 0,0:31:53.49,0:31:58.85,Default,,0000,0000,0000,,so if you check a phone using MVT with the\NPegasus indicators, it'll show quite
Dialogue: 0,0:31:58.85,0:32:04.80,Default,,0000,0000,0000,,clearly if any of these processes have\Nbeen found on the device. Another feature
Dialogue: 0,0:32:04.80,0:32:11.44,Default,,0000,0000,0000,,that's been very helpful for us in our\Nanalysis is the timeline feature of MVT.
Dialogue: 0,0:32:11.44,0:32:17.29,Default,,0000,0000,0000,,So how the timeline feature works is it\Ntakes all of the different indicators and
Dialogue: 0,0:32:17.29,0:32:21.28,Default,,0000,0000,0000,,modules on the phone, so it checks\Nthe SMS messages, it checks the file
Dialogue: 0,0:32:21.28,0:32:27.12,Default,,0000,0000,0000,,system, and every event, like every\NSMS message, every web browser lookup, will
Dialogue: 0,0:32:27.12,0:32:33.23,Default,,0000,0000,0000,,all be recorded in a single file with the\Ndate that it happened.
So by looking at
Dialogue: 0,0:32:33.23,0:32:38.56,Default,,0000,0000,0000,,this timeline, we can often see what\Ndifferent events happened around the same
Dialogue: 0,0:32:38.56,0:32:43.01,Default,,0000,0000,0000,,time as each other, and this can give us\Nsome idea about how attacks
Dialogue: 0,0:32:43.01,0:32:48.17,Default,,0000,0000,0000,,were actually delivered on this device. So\NI want to give you just one example
Dialogue: 0,0:32:48.17,0:32:52.40,Default,,0000,0000,0000,,of how this timeline can be used. Just so\Nyou know how to use this timeline in your
Dialogue: 0,0:32:52.40,0:32:59.88,Default,,0000,0000,0000,,own investigations. So this is actually a\Ndemonstration of the phone of a Rwandan
Dialogue: 0,0:32:59.88,0:33:06.28,Default,,0000,0000,0000,,activist who was targeted in June 2021\Nusing the FORCEDENTRY iMessage zero-day.
Dialogue: 0,0:33:06.28,0:33:13.90,Default,,0000,0000,0000,,So we can see here on the timeline that at\N8:45 p.m., we see the phone began to
Dialogue: 0,0:33:13.90,0:33:18.43,Default,,0000,0000,0000,,receive some push notifications over\NiMessage. So it seems it received like 46
Dialogue: 0,0:33:18.43,0:33:24.94,Default,,0000,0000,0000,,push notifications. And then what we saw\Nwas that SMS attachments began to be
Dialogue: 0,0:33:24.94,0:33:29.82,Default,,0000,0000,0000,,written to the phone. So in the final line\Nhere, we see that a file is
Dialogue: 0,0:33:29.82,0:33:33.64,Default,,0000,0000,0000,,written to the SMS attachments directory.\NAnd if you look at the end of the line, we
Dialogue: 0,0:33:33.64,0:33:38.87,Default,,0000,0000,0000,,see that the file being written to\Ndisk actually had a .GIF attachment. So at
Dialogue: 0,0:33:38.87,0:33:44.41,Default,,0000,0000,0000,,the time we thought this was something to\Ndo with the exploit somehow.
NSO was
Dialogue: 0,0:33:44.41,0:33:50.46,Default,,0000,0000,0000,,delivering their exploit in that GIF file.\NIf we look a little bit later in the
Dialogue: 0,0:33:50.46,0:33:56.05,Default,,0000,0000,0000,,timeline, we see that about 10 minutes\Nlater, on the same day, a Pegasus process
Dialogue: 0,0:33:56.05,0:34:02.10,Default,,0000,0000,0000,,starts running on the phone, this otpgrefd\Nprocess. Shortly afterwards, some
Dialogue: 0,0:34:02.10,0:34:06.79,Default,,0000,0000,0000,,additional files are written to disk and\Nsome more Pegasus processes start. So by
Dialogue: 0,0:34:06.79,0:34:12.06,Default,,0000,0000,0000,,looking at this timeline together, we can\Nsee quite clearly that the phone began to
Dialogue: 0,0:34:12.06,0:34:15.54,Default,,0000,0000,0000,,receive iMessage messages. These GIF\Nattachments start to be written to the
Dialogue: 0,0:34:15.54,0:34:21.04,Default,,0000,0000,0000,,disk, and then about 10 minutes later, the\Nphone was compromised with Pegasus. So
Dialogue: 0,0:34:21.04,0:34:23.36,Default,,0000,0000,0000,,remember here, like, there was no\Ninteraction from the user; they didn't
Dialogue: 0,0:34:23.36,0:34:26.32,Default,,0000,0000,0000,,click on any link. As far as we are aware,\Nthey didn't even notice anything
Dialogue: 0,0:34:26.32,0:34:29.12,Default,,0000,0000,0000,,happening on the device. These messages\Nwere simply silently being
Dialogue: 0,0:34:29.12,0:34:35.28,Default,,0000,0000,0000,,delivered, and after 10 or 20 minutes,\NPegasus began to gain access to the
Dialogue: 0,0:34:35.28,0:34:39.60,Default,,0000,0000,0000,,device.
So we shared some of these\Nfindings with Apple, and then later in
Dialogue: 0,0:34:39.60,0:34:46.64,Default,,0000,0000,0000,,September 2021, Citizen Lab\Nidentified a copy of this exploit on
Dialogue: 0,0:34:46.64,0:34:49.84,Default,,0000,0000,0000,,the phone of another activist, and\Nthey shared it with Apple, and Apple
Dialogue: 0,0:34:49.84,0:35:01.50,Default,,0000,0000,0000,,patched this vulnerability in September\N2021. So that's a little bit of how MVT
Dialogue: 0,0:35:01.50,0:35:06.84,Default,,0000,0000,0000,,works and how some of this methodology\Nworks to identify Pegasus on a
Dialogue: 0,0:35:06.84,0:35:12.67,Default,,0000,0000,0000,,device. So since we published our forensic\Nmethodology and our tools, many other
Dialogue: 0,0:35:12.67,0:35:18.77,Default,,0000,0000,0000,,groups and organisations have been using\Nthese tools and methodology to check other
Dialogue: 0,0:35:18.77,0:35:24.47,Default,,0000,0000,0000,,devices for signs of Pegasus and found\Nquite a number of new cases. Here on the
Dialogue: 0,0:35:24.47,0:35:28.80,Default,,0000,0000,0000,,top right you can see an example\Nof another NGO, "Frontline Defenders", who
Dialogue: 0,0:35:28.80,0:35:33.26,Default,,0000,0000,0000,,identified six Palestinian human rights\Ndefenders who had their devices hacked
Dialogue: 0,0:35:33.27,0:35:39.15,Default,,0000,0000,0000,,using Pegasus. In another case, we see\Nthat the Belgian military intelligence
Dialogue: 0,0:35:39.15,0:35:43.98,Default,,0000,0000,0000,,services used a similar methodology to\Ncheck the phones of journalists in
Dialogue: 0,0:35:43.98,0:35:48.67,Default,,0000,0000,0000,,Belgium, and they found that a\NBelgian journalist, Peter Verlinden, had
Dialogue: 0,0:35:48.67,0:35:53.81,Default,,0000,0000,0000,,his iPhone hacked, which they suspected was\Nby Rwanda.
Again, we see another case where
Dialogue: 0,0:35:53.81,0:35:58.62,Default,,0000,0000,0000,,French intelligence services confirmed\Nthat a number of French journalists had
Dialogue: 0,0:35:58.62,0:36:05.95,Default,,0000,0000,0000,,their phones hacked using Pegasus,\Nagain using a similar methodology. So what
Dialogue: 0,0:36:05.95,0:36:11.19,Default,,0000,0000,0000,,I'd like to highlight is that MVT can really be\Nuseful in identifying traces of Pegasus, but also
Dialogue: 0,0:36:11.19,0:36:17.83,Default,,0000,0000,0000,,MVT is designed as a kind of generic\Nmobile forensic tool. So when used with
Dialogue: 0,0:36:17.83,0:36:21.10,Default,,0000,0000,0000,,Pegasus indicators, it will find Pegasus,\Nbut it also can be used to go and
Dialogue: 0,0:36:21.10,0:36:25.06,Default,,0000,0000,0000,,proactively search for new kinds of\Nspyware. So I really recommend that if
Dialogue: 0,0:36:25.06,0:36:29.43,Default,,0000,0000,0000,,you're suspicious that phones may be\Ntargeted with this kind of spyware, you
Dialogue: 0,0:36:29.43,0:36:34.44,Default,,0000,0000,0000,,can use MVT to extract some data and then\Ndig into it. If the person is a member of
Dialogue: 0,0:36:34.44,0:36:38.11,Default,,0000,0000,0000,,civil society or an activist, then Amnesty\Nand other organisations will be happy to
Dialogue: 0,0:36:38.11,0:36:44.27,Default,,0000,0000,0000,,help support these investigations. And\Nalso, MVT is an open-source tool. It's
Dialogue: 0,0:36:44.27,0:36:49.07,Default,,0000,0000,0000,,based on different modules, and so we're\Nalways open to ideas for new modules
Dialogue: 0,0:36:49.07,0:36:54.37,Default,,0000,0000,0000,,and new detection ideas to help make this\Ntool better and better able to detect new
Dialogue: 0,0:36:54.37,0:37:03.62,Default,,0000,0000,0000,,kinds of threats. One thing to remember\Nabout MVT is that it's designed to detect
Dialogue: 0,0:37:03.62,0:37:06.74,Default,,0000,0000,0000,,some kind of spyware.
Unfortunately, the\Npeople who develop this spyware, they're
Dialogue: 0,0:37:06.74,0:37:10.12,Default,,0000,0000,0000,,smart people and they read these\Nreports and they watch these kinds of
Dialogue: 0,0:37:10.12,0:37:14.82,Default,,0000,0000,0000,,presentations. And every time we publish\Ninformation about how to detect these
Dialogue: 0,0:37:14.82,0:37:20.35,Default,,0000,0000,0000,,kinds of spyware targeting civil society,\Nthe different spyware vendors and actors
Dialogue: 0,0:37:20.35,0:37:24.54,Default,,0000,0000,0000,,will try to improve their tools to avoid\Nthem being detected. They'll try to kind
Dialogue: 0,0:37:24.54,0:37:29.69,Default,,0000,0000,0000,,of upgrade their infrastructure to hide it\Nagain or to better obscure their
Dialogue: 0,0:37:29.69,0:37:35.02,Default,,0000,0000,0000,,activities. So just to give an example,\Nhere's some of the development of NSO's
Dialogue: 0,0:37:35.02,0:37:38.96,Default,,0000,0000,0000,,own infrastructure over time. We see that\Nafter Amnesty published the
Dialogue: 0,0:37:38.96,0:37:44.58,Default,,0000,0000,0000,,report in 2018, NSO infrastructure was shut\Ndown, and then later, over the next two
Dialogue: 0,0:37:44.58,0:37:49.97,Default,,0000,0000,0000,,years, it began to run more\Ninfrastructure, which was again shut down
Dialogue: 0,0:37:49.97,0:37:57.70,Default,,0000,0000,0000,,after discovery in 2021. So it's a\Nconstant arms race. And so while
Dialogue: 0,0:37:57.70,0:38:00.62,Default,,0000,0000,0000,,these tools are useful to detect\NPegasus now, it's not always going to be
Dialogue: 0,0:38:00.62,0:38:04.83,Default,,0000,0000,0000,,just automatic, and it's important to do\Nfurther research to try and identify new
Dialogue: 0,0:38:04.83,0:38:12.28,Default,,0000,0000,0000,,traces of new kinds of attacks. So what is\Nthe future for mobile spyware?
So one
Dialogue: 0,0:38:12.28,0:38:16.63,Default,,0000,0000,0000,,thing I'd like to reiterate is that while\Nwe focus a lot on NSO Group and Pegasus in
Dialogue: 0,0:38:16.63,0:38:20.30,Default,,0000,0000,0000,,this research and in this\Ntalk, and also there's been a lot of focus
Dialogue: 0,0:38:20.30,0:38:24.06,Default,,0000,0000,0000,,on NSO Group, it's not the only mobile\Nspyware out there, and there's definitely
Dialogue: 0,0:38:24.06,0:38:28.68,Default,,0000,0000,0000,,many other players who are trying to get\Ninto the space and trying to also develop
Dialogue: 0,0:38:28.68,0:38:34.75,Default,,0000,0000,0000,,similar kinds of spyware tools, which are\Nthen sold to different customers.
Dialogue: 0,0:38:34.75,0:38:41.74,Default,,0000,0000,0000,,We've seen that from this investigation.\NWe found at least 180 journalists who are
Dialogue: 0,0:38:41.74,0:38:45.28,Default,,0000,0000,0000,,potential targets of Pegasus and many\Nother human rights activists and
Dialogue: 0,0:38:45.28,0:38:50.16,Default,,0000,0000,0000,,opposition politicians who have been\Ntargeted with these tools over the last number
Dialogue: 0,0:38:50.16,0:38:55.91,Default,,0000,0000,0000,,of years. So far, these threat actors and\Nthese state agencies are able to
Dialogue: 0,0:38:55.91,0:39:00.99,Default,,0000,0000,0000,,target activists and civil society with\Nimpunity due to a lack of visibility and
Dialogue: 0,0:39:00.99,0:39:05.22,Default,,0000,0000,0000,,telemetry on mobile platforms. They've\Njust been getting away with it because
Dialogue: 0,0:39:05.22,0:39:08.67,Default,,0000,0000,0000,,they haven't been detected. So tools such\Nas MVT can help expose some of these
Dialogue: 0,0:39:08.67,0:39:13.49,Default,,0000,0000,0000,,threats, but they need to be used more\Nwidely and need to be used with more civil
Dialogue: 0,0:39:13.49,0:39:18.78,Default,,0000,0000,0000,,society to really understand the full\Nscope of these kinds of threats.
And it's
Dialogue: 0,0:39:18.78,0:39:23.50,Default,,0000,0000,0000,,also important that industry, the tech\Nindustry and the security industry, work
Dialogue: 0,0:39:23.50,0:39:27.30,Default,,0000,0000,0000,,closely with civil society to help detect\Nand expose these threats, because
Dialogue: 0,0:39:27.30,0:39:32.48,Default,,0000,0000,0000,,unfortunately, the people most at risk\Nfrom these kinds of really serious attacks
Dialogue: 0,0:39:32.48,0:39:36.20,Default,,0000,0000,0000,,are some of the people who are the least\Nequipped, both financially and technically,
Dialogue: 0,0:39:36.20,0:39:43.12,Default,,0000,0000,0000,,to defend against them. So to conclude,\NI think we're going to continue to see
Dialogue: 0,0:39:43.12,0:39:49.44,Default,,0000,0000,0000,,attackers focusing on mobile. Mobile is\Nwhere all the data is. No other place
Dialogue: 0,0:39:49.44,0:39:52.08,Default,,0000,0000,0000,,gives you as much insight into somebody's\Nlife and all their innermost
Dialogue: 0,0:39:52.08,0:39:56.40,Default,,0000,0000,0000,,thoughts. Even just having a microphone in\Nsomeone's pocket is
Dialogue: 0,0:39:56.40,0:40:01.68,Default,,0000,0000,0000,,such a powerful position to be in that we\Nthink companies and states will continue
Dialogue: 0,0:40:01.68,0:40:07.12,Default,,0000,0000,0000,,trying to develop these kinds of tools.\NI think that zero-click exploits
Dialogue: 0,0:40:07.12,0:40:11.52,Default,,0000,0000,0000,,are going to be highly, highly desirable.\NSo while Apple and others have done a
Dialogue: 0,0:40:11.52,0:40:15.92,Default,,0000,0000,0000,,great job in making attacks against\NiMessage more difficult, it's almost
Dialogue: 0,0:40:15.92,0:40:19.92,Default,,0000,0000,0000,,certain that these kinds of cyber\Nsurveillance companies will continue
Dialogue: 0,0:40:19.92,0:40:24.48,Default,,0000,0000,0000,,trying to develop zero-click exploits.
If\Nnot for iMessage then maybe for other chat Dialogue: 0,0:40:24.48,0:40:30.08,Default,,0000,0000,0000,,platforms. I don't know like Signal or\NTelegram or WhatsApp, they're going to try Dialogue: 0,0:40:30.08,0:40:37.17,Default,,0000,0000,0000,,and attack other applications that\Nactivists are using. Unfortunately it's Dialogue: 0,0:40:37.17,0:40:42.10,Default,,0000,0000,0000,,not possible for activists and civil\Nsociety to protect themselves from these Dialogue: 0,0:40:42.10,0:40:47.03,Default,,0000,0000,0000,,kinds of zero-day attacks from a technical\Nsense. So we definitely need more active Dialogue: 0,0:40:47.03,0:40:51.58,Default,,0000,0000,0000,,collaboration between civil society and\Nkey platform vendors to help identify and Dialogue: 0,0:40:51.58,0:40:56.19,Default,,0000,0000,0000,,defend against these threats. And also, we\Nurgently need better regulation to prevent Dialogue: 0,0:40:56.19,0:41:00.79,Default,,0000,0000,0000,,these kinds of really sophisticated\Nspyware tools being sold to states and Dialogue: 0,0:41:00.79,0:41:07.22,Default,,0000,0000,0000,,agencies which have a long history of\Nabusing them to target civil society and Dialogue: 0,0:41:07.22,0:41:12.98,Default,,0000,0000,0000,,opposition. So thank you all for\Nlistening, and I'm happy to answer some Dialogue: 0,0:41:12.98,0:41:17.75,Default,,0000,0000,0000,,questions now. If you have some questions\Nor if you're concerned about, you are a Dialogue: 0,0:41:17.75,0:41:20.68,Default,,0000,0000,0000,,member of civil society or an activist \Nor are concerned about surveillance please Dialogue: 0,0:41:20.68,0:41:24.87,Default,,0000,0000,0000,,feel free to contact us at share@amnesty.tech \NThank you. Dialogue: 0,0:41:24.87,0:41:30.60,Default,,0000,0000,0000,,Herald: Thank you Donncha. Thank you from\NC-Base. We have already taken some Dialogue: 0,0:41:30.60,0:41:37.03,Default,,0000,0000,0000,,overtime this early hacker morning. 
There\Nhave been popping up some small questions Dialogue: 0,0:41:37.03,0:41:42.74,Default,,0000,0000,0000,,on our internal here from our tiny\Naudience at C-Base. We don't have that Dialogue: 0,0:41:42.74,0:41:47.69,Default,,0000,0000,0000,,much time left. Just can you give us an\Nindication: What is the pace of this Dialogue: 0,0:41:47.69,0:41:53.56,Default,,0000,0000,0000,,ongoing war? Do you feel that NSO group is\Nactively fighting MVT and your tool Dialogue: 0,0:41:53.56,0:41:57.53,Default,,0000,0000,0000,,development or did - didn't you get this\Nhonor yet? Dialogue: 0,0:41:57.53,0:42:04.100,Default,,0000,0000,0000,,D: Definitely. We've seen, even in the\Npast year, we saw NSO starting to be more Dialogue: 0,0:42:04.100,0:42:11.08,Default,,0000,0000,0000,,careful about cleaning up their forensic\Ntraces, and since 2020, they've begun to Dialogue: 0,0:42:11.08,0:42:14.92,Default,,0000,0000,0000,,already clean some of the traces that\Nwe've been using. And it's clear they've Dialogue: 0,0:42:14.92,0:42:17.78,Default,,0000,0000,0000,,realized that people are investigating\Nthat there is a risk of people discovering Dialogue: 0,0:42:17.78,0:42:20.99,Default,,0000,0000,0000,,this stuff, and I feel like after the\Nrevelations of this summer, they're going Dialogue: 0,0:42:20.99,0:42:25.78,Default,,0000,0000,0000,,to have a much more proactively trying to\Nto clean up some of these traces. But as I Dialogue: 0,0:42:25.78,0:42:30.80,Default,,0000,0000,0000,,said, NSO is one company out there,\Nthere's also many other companies trying Dialogue: 0,0:42:30.80,0:42:35.12,Default,,0000,0000,0000,,to compete in the same space. 
So even if\NNSO gets better than, you know, other Dialogue: 0,0:42:35.12,0:42:38.82,Default,,0000,0000,0000,,companies are still out there and can\Nstill be caught using MVT and Dialogue: 0,0:42:38.82,0:42:44.32,Default,,0000,0000,0000,,fundamentally, even if they - they clean\Nup some traces for any kind of failed Dialogue: 0,0:42:44.32,0:42:48.06,Default,,0000,0000,0000,,attacks, these traces are still going to\Nbe left around because it won't be Dialogue: 0,0:42:48.06,0:42:51.44,Default,,0000,0000,0000,,possible to for the spyware to clean up\Ntheir traces. Dialogue: 0,0:42:51.44,0:42:57.44,Default,,0000,0000,0000,,H: Uhm-Hmm. So one could still after an\Nattack eventually, eventually on an old Dialogue: 0,0:42:57.44,0:43:03.46,Default,,0000,0000,0000,,device years later discover that there had\Nbeen some spyware activity, which may be Dialogue: 0,0:43:03.46,0:43:09.87,Default,,0000,0000,0000,,in the long run interesting information\Nabout dark campaigns and things. So NSO is Dialogue: 0,0:43:09.87,0:43:15.36,Default,,0000,0000,0000,,not the only actor, there will be more. Do\Nyou feel that there are just copycats in Dialogue: 0,0:43:15.36,0:43:20.69,Default,,0000,0000,0000,,the market or do you think there will be\Ncompletely new threats in the future? Dialogue: 0,0:43:20.69,0:43:24.81,Default,,0000,0000,0000,,D: So I guess there's always there's lots\Nof smart people who work for these Dialogue: 0,0:43:24.81,0:43:29.58,Default,,0000,0000,0000,,companies who are trying to develop these\Ntools. 
Just last - earlier this month, Dialogue: 0,0:43:29.58,0:43:34.18,Default,,0000,0000,0000,,Citizen Lab published a report about\Nanother cyber surveillance vendor called Dialogue: 0,0:43:34.18,0:43:40.76,Default,,0000,0000,0000,,Cytrox based in North Macedonia, and they\Nwere selling similar spyware, which is Dialogue: 0,0:43:40.76,0:43:45.00,Default,,0000,0000,0000,,using kind of one-click attacks using\Nlinks to help compromise iPhones and Dialogue: 0,0:43:45.00,0:43:50.26,Default,,0000,0000,0000,,Android phones. So that's one company\Nthat's competing in this space. There's Dialogue: 0,0:43:50.26,0:43:54.87,Default,,0000,0000,0000,,other companies doing doing similar kinds\Nof targeting, but we believe, you know, Dialogue: 0,0:43:54.87,0:43:58.77,Default,,0000,0000,0000,,NSO was definitely the biggest company in\Nthis space, and they had a lot of money to Dialogue: 0,0:43:58.77,0:44:04.58,Default,,0000,0000,0000,,invest in, especially in these kind of\Nzero-click attacks. So for now, we don't Dialogue: 0,0:44:04.58,0:44:07.58,Default,,0000,0000,0000,,know if they're a company that's as big or\Nsophisticated as NSO, but I think many Dialogue: 0,0:44:07.58,0:44:11.77,Default,,0000,0000,0000,,others will be trying to take their place\Nif NSO becomes less popular. Dialogue: 0,0:44:11.77,0:44:19.47,Default,,0000,0000,0000,,H: I see. I see. OK, thank you very much.\NWe have to go over to the - RC3 morning Dialogue: 0,0:44:19.47,0:44:26.75,Default,,0000,0000,0000,,show in a few seconds. Thank you very much\Nfor this interesting talk this morning. Dialogue: 0,0:44:26.75,0:44:33.97,Default,,0000,0000,0000,,Again, share@amnesty.tech is the address\Nto go to. And this is probably one of the Dialogue: 0,0:44:33.97,0:44:38.93,Default,,0000,0000,0000,,talks you want to watch again on\Nmedia.ccc.de in a few days when it has Dialogue: 0,0:44:38.93,0:44:45.76,Default,,0000,0000,0000,,been published. 
So greetings to Ireland.\NThank you very much and we will meet and Dialogue: 0,0:44:45.76,0:44:51.28,Default,,0000,0000,0000,,see again in real, I hope. Thank you.\ND: Thank you very much. Have a good day. Dialogue: 0,0:44:54.72,0:45:03.00,Default,,0000,0000,0000,,Everything is licensed under CC by 4.0.\NAnd it is all for the community, to download Dialogue: 0,0:45:03.00,0:45:03.57,Default,,0000,0000,0000,,Subtitles created by c3subtitles.de\Nin the year 2022. Join, and help us! Dialogue: 0,0:45:03.57,0:45:03.84,Default,,0000,0000,0000,,[Translated by {Iikka}{Yli-Kuivila} (ITKST56 course assignment at JYU.FI)]