[Translated by Iikka Yli-Kuivila (ITKST56 course assignment at JYU.FI)]

Herald: Good morning from C-Base, the space station beyond or under Berlin, which welcomes you to day 2 of the RC3 streaming. We are starting in a few seconds with "Catching the NSO Group's Pegasus spyware". This is something that has caught attention among the security and hacker communities over the world in the last, I would guess, two years or so. There have been some spectacular cases of murder, kidnappings, journalists being threatened, other things. The infamous software doing this is called Pegasus; it's marketed by a company known by the three-letter acronym NSO, whatever this stands for. And actually, Amnesty International and its I.T. department, so to say, has invested quite some effort into detecting whether a device has been infected by Pegasus or not. NSO marketed this, among other things, as so-called "undetectable", well, undetectable as in software on a device, as we will see, and our speaker today, Donncha O'Cearbhaill from Ireland and from Amnesty International, will be presenting how they developed detection tools for this nasty piece of spyware that has become so popular among secret actors, state actors and others around the world. OK, enough for the introduction. Donncha, the scene and the stream is yours. Good morning.

Donncha: Good morning, and thank you for that introduction.
So as the intro said, today I'd like to talk to you about NSO Group's Pegasus spyware. In particular I'd like to explain a little bit about how we at Amnesty have investigated Pegasus over the past few years, and I'll also explain and demonstrate some of the tools we have developed and published so that others can also investigate and detect Pegasus spyware, potentially on their devices and the devices of other people in civil society. So my name is Donncha O'Cearbhaill and I am a technologist based at the Amnesty International Security Lab in Berlin, with a small team who focuses on investigating targeted digital threats such as spyware, phishing and other kinds of surveillance that are directed against civil society and human rights defenders around the world. So as the intro said, Pegasus has got a lot of attention in the past few months. So you may have seen the Pegasus Project revelations that were published in July, during the summer. The Pegasus Project was a global investigation into abuses linked to NSO Group's Pegasus spyware. This investigation was based on a leaked dataset of 50,000 potential Pegasus targets, which Amnesty International and Forbidden Stories had access to, and so this global media investigation was coordinated by Forbidden Stories, with the participation of about 80 journalists from 17 different media organisations around the world.
During the Pegasus Project, Amnesty International took the role of a technical partner, and the focus for Amnesty International was to perform detailed, innovative forensic analysis on the devices of potential targets. Through this kind of forensic analysis and this technical work we were able to identify traces of Pegasus, either targeting or infecting online devices. So over a multi-month project Amnesty Security Lab analyzed about 67 devices, and from these 67 devices of potential targets at least 37 showed clear traces of Pegasus targeting or infection. So this is really quite a high number of infected devices, and these devices included journalists, activists, opposition political figures, all kinds of people who were being unlawfully surveilled using Pegasus. Overall, of the phones we have checked, which were iPhones and which hadn't been replaced and still held data from the targeting, more than 80 percent of the phones that were on this list of potential targets showed traces of Pegasus. So in July these stories came out and they highlighted cases of civil society being targeted, such as journalists in Hungary, activists in Morocco, Saudi Arabian dissidents, also family members of Jamal Khashoggi, who the investigation showed had been targeted with Pegasus spyware both before and after his brutal murder. So, yeah, you can go and read many of these stories online.
Today I'd like to focus on how we got there: how we developed these tools, how we developed this methodology for finding Pegasus, and also to explain how you can also go and do this kind of searching for Pegasus and for other mobile spyware. So let's take a step back for a second and ask, what exactly is Pegasus? Its name is well known, but what exactly is the software and how does it work? OK, so the first thing to remember is that actually, while Pegasus has become more well known in the last two years, it's not actually a new tool or a new product. So we know Pegasus has been around and been developed by NSO Group since at least 2010. And on the left hand side here, in the diagram, you can see a Pegasus brochure from 2010 where it describes how Pegasus can be installed on BlackBerry devices. And we believe the original version of Pegasus was focused on BlackBerry because back in 2010, smartphones were less prevalent than they are now, and BlackBerry was kind of a key target for some of the security agencies who may want to buy this kind of spyware. So it developed over time. Here on the right hand side, we can see some diagrams that were from a leaked Pegasus brochure that was published in 2014. In the first diagram, here it talks about how Pegasus is installed on a phone. In this example, it's showing how a Pegasus kind of infection link can be sent over SMS to the target device.
And then, if opened, how the data can be collected and passed back to the operator of the Pegasus software. That's just one example from their own diagrams. Here in the circle below, you'll see a little bit of what Pegasus claims to be able to monitor. And if you look at it, you can see it's basically everything on the device. So it's talking about collecting email addresses, collecting SMS messages, tracking location data, even reading the calendar, turning on the microphone of the phone. And so bear in mind, while this diagram is quite old, it's like six or seven years old, you get an idea of what kind of data the Pegasus software will try to collect from the phone. It's basically collecting every kind of data on the phone that might be of interest to somebody who is carrying out the surveillance. One important thing to remember is that the Pegasus spyware is able to get very deep access to the phone, so it's fundamentally able to access everything on the phone that the user is able to access and more. So even if you're using a messaging app such as Signal or Telegram, which may be encrypted, the Pegasus software is able to access that data and those messages before they're encrypted on the device. So once the spyware is running on the phone itself, none of these encrypted messaging apps will help, because it has such low level access to the device.
So that's a little bit about what exactly Pegasus tries to collect and what people can do with it using the Pegasus software. So where exactly did the investigations into Pegasus start? So we go back as far as 2016, which was when Pegasus was first identified in the wild being used to target an activist. So in this case, in 2016, Pegasus was first found by Citizen Lab. Citizen Lab is a group of researchers based at the University of Toronto in Canada, who also work on investigating spyware targeting civil society. So in this case, a UAE-based human rights defender named Ahmed Mansoor began to receive suspicious messages over SMS. So you can see some screenshots of the messages on the right. Ahmed Mansoor was cautious about these because in the past he had previously been targeted with other kinds of spyware tools, including FinFisher. So when he began to receive these messages, he was cautious about them and he shared them with Citizen Lab, who then began to investigate them. So what Citizen Lab realized is that these looked to be attack messages, and they opened these attack links on their own testing phone. When they did this they were able to capture the exploit that was being delivered over these links and also able to capture a copy of the Pegasus payload. So what happens when these links are opened is that the link is opened in a web browser such as Safari.
When the link is opened, the Pegasus server would return some JavaScript, some code that would exploit an unknown flaw in the Safari web browser, and by manipulating the Safari web browser and exploiting this unknown flaw they could then get their own code to start running inside this web browser. And eventually, with the help of some additional flaws, they could then get more privileged access on the iPhone and eventually install the full Pegasus payload. So, yes, Citizen Lab first found it in 2016. It was a very important discovery and it showed just how serious some of the threats facing civil society were: that there were people willing to use these kinds of very expensive exploits to start targeting human rights defenders who are just doing their human rights work. Unfortunately, after this, Ahmed Mansoor continued to get harassed, and he was sentenced to prison, and he's currently still in prison since 2017, so for about four years now. So when did we at Amnesty start investigating this? So our team has been investigating these kinds of threats for a while, but really we started focusing on NSO and investigating NSO in 2018 after an Amnesty colleague of ours started to receive some suspicious messages. So this colleague received in May 2018 this message you can see here on the left. The message is written in Arabic.
But it claims that there is going to be a protest happening shortly outside the Saudi Arabian Embassy. And they asked the Amnesty staff member to support the protest and then to click on this link for more information. So fortunately, our Amnesty colleague, when they received this message, got quite suspicious. They were like, this is just weird, I don't know this person. And so they shared a screenshot of this message with us at the Amnesty Security Lab, and we began to investigate. So quite quickly, when we started looking at this domain name and the server, we agreed it looked kind of suspicious. And we also managed to identify some additional domains and servers that were related to this original akhbar-arabia domain. And quite quickly, it started to appear to us that this was indeed something suspicious, and maybe it was some kind of an attack message. So at the time, we didn't know it was necessarily NSO Group. By looking at the original and initial servers here, we managed to create kind of a fingerprint, so some way of identifying the particular configuration of the domain name and the server sent inside of this message. With the aid of this fingerprint, we then began to do what's called an internet scan.
So we connected to every single server on the Internet, sent a particular request and then found any other server on the Internet that matched this particular fingerprint, this particular configuration from this server. So by doing this internet scanning, what we found was 600 different domains all across the Internet that matched this fingerprint and that appeared to be related to the same kinds of attacks. So what was really key is that we found that these domains were actually related to Pegasus, because NSO Group had made one kind of key mistake or key flaw when they were setting up this infrastructure. So what happened is that, as described earlier, Citizen Lab had previously identified servers being used by NSO Group in 2016. After the exposé in 2016, NSO shut down all of these domains and infrastructure and then began to set up new kind of infrastructure that would not be related to NSO or not linkable to NSO. Fortunately they made a mistake, because they had reused one domain name from the previous set of infrastructure which was also being used in this new infrastructure. So by finding this one domain out of 600 that had previously been in use by NSO, we were able to show that these 600 domains were also related to Pegasus. And so we were able to show that this message that was sent to our Amnesty International colleague was indeed related to Pegasus and was an attempt to compromise their device.
So we published these findings in August 2018, and at that time we also identified that another set of Saudi Arabian activists had similarly been targeted, with a Pegasus exploit message over WhatsApp. Following this, Amnesty International also supported a legal action in Israel, which asked the Israeli Ministry of Defense to revoke NSO's export licenses, to prevent this Pegasus software being sold to countries that would abuse it to target Amnesty and also other human rights activists. Unfortunately, later the Israeli court rejected the legal complaint and said that the Israeli Ministry of Defense had adequate safeguards in place to prevent NSO's exports being sold to countries who would abuse it. Here at the bottom on the left, you can see a chart which shows the number of Pegasus servers online at the time. You can see here that when we published this report NSO acted quite quickly to shut down all 500 or 600 servers that were being used to deliver Pegasus. So this just shows that, you know, NSO is reading this research and paying attention to it. It is trying to avoid getting their infrastructure and servers discovered by researchers who are investigating these kinds of abuses. So this was back in 2018. So after discovering this attack against an Amnesty staff member, we at Amnesty continued trying to investigate Pegasus to try to find more cases of abuse.
We next found Pegasus targeting happening in Morocco in 2019. So you can see here on the right. This time, we found that a Moroccan human rights defender named Maati Monjib was being targeted repeatedly with Pegasus. When we checked his phone, we found that he had some suspicious messages there; the messages claimed that there is some scandal or some news story, and they're asking the target to click on these links to find out more information. So when we looked at these links, we knew immediately that they were Pegasus links, because we had previously identified these domains as some of the 600 domains that were being used in 2018. So for example, you can see that in the second message on the right, we see the domain videosdownload.co. We knew it was Pegasus because we'd previously identified and published this domain in 2018. So this time we knew Maati was being targeted with Pegasus, but we realized we needed to do some more investigation to see if his phone was indeed compromised, so that we could collect more information from his device. So when we did this, we actually found something quite interesting on Maati's phone, because we found what we believed was evidence of a new type of targeting on his phone. Instead of relying on the target being tricked into clicking on a link, which is maybe not reliable, or maybe the target can see something is suspicious,
we instead saw them using what's called a network injection attack. So how a network injection attack works is like this: network injection involves having some kind of equipment or software running with access to the internet connection of the mobile device. So this can either be at the mobile phone network or potentially having some software or hardware running on the same Wi-Fi network as the target. And what it does is, when the target is browsing the web on their phone, eventually the target browses and clicks on a link that goes to a regular http website, so without https. So when this regular http request is made, the software that's running on the upstream network can see this http request. And when the http request happens, instead of returning the correct response, the correct content, it instead returns an http redirect. And the http redirect will then send the browser of the phone to a malicious exploit site, which can then hack the phone. So in the case of Maati, we found that he had tried to go and check his email and typed in Yahoo.fr in his browser. When he typed in Yahoo.fr, the software running on the upstream network saw this cleartext connection and then redirected his phone to this exploit link we see above. So you see the domain is quite suspicious: "get1tn0w.free247downloads.com".
And again, it has some random characters at the end, which looks like a kind of an exploit link. So at the time, we suspected that this was Pegasus, and it was a new way of delivering Pegasus without tricking the user into clicking on a link. But we weren't certain that it was Pegasus; potentially it was some other kind of spyware. Fortunately for us NSO helped to confirm that this really was Pegasus, because before we published this report, Amnesty wrote to NSO Group sharing our findings, and interestingly, one day after we shared the findings with NSO, this spyware server got shut down and went offline. And this was already a week before the report was made publicly available. So that kind of confirmed to us that NSO really was controlling this infrastructure and was able to get it shut down even when we'd only privately shared this information with NSO. A bit later, we found some more information about how this attack may have been done. NSO at a trade fair was demonstrating some new type of hardware they had developed, which you can see here in the photo on the right. And we believe this photo is of some kind of IMSI catcher or fake base station, which can run a fake mobile phone network. And then the target's phone, so Maati's, could connect to this fake mobile phone base station. And from that position, it could be possible for NSO to redirect the phone to a malicious exploit link.
So we're not sure what happened in this case, if this was the device that was used. But we believe NSO is demonstrating or testing these kinds of what are called tactical infection methods. So this was where our findings were in Morocco. We started to realize that actually relying on checking for SMS messages, checking for links or relying on people coming to us with something suspicious wasn't going to work anymore, because we began to see what are called zero-click attacks. And all a zero-click attack is is any way of infecting a device that doesn't rely on some interaction from the user, doesn't rely on the user clicking on a link. So we can see here some examples of other zero-click attacks that have been discovered over the past couple of years. I guess one of the first ones here was in 2019, where NSO Group developed an exploit for WhatsApp, and it was then used by their customers to target at least 1400 different people around the world. How it worked is that the target simply had to receive a call over WhatsApp, even a missed call, and the exploit would be able to compromise their phone without the user clicking anything. As I described earlier, we saw these kinds of network injection attacks happen, and then later in 2020, Citizen Lab also found an iMessage zero-day being used to again compromise iPhone users without any interaction in 2020.
So from our own investigations, we have found that NSO has been using various zero-click exploits since at least summer 2017 until July of this year. So we know it's not something that's quite new for NSO, but at least it's something we've started only recently discovering in the past few years. And we've seen NSO putting a lot of focus into developing these kinds of complicated but very powerful zero-click exploits. So now that we know that NSO and their customers are using these kinds of zero-click attacks, we realized we needed to do something more advanced to try and find these cases of surveillance. The big problem with mobile devices is a lack of visibility, whereas on desktop or laptop computers we have antivirus available or we have EDR systems available. There really is nothing similar that was available for mobile devices. So these kinds of attacks, especially zero-click attacks, are often going undetected. We got to investigate this. We realized that it was difficult to perform forensics on mobile devices. It's actually not impossible. We were somewhat surprised to realize that iPhones actually allow a significant amount of relevant data to be extracted from the phones themselves in the form of an iPhone backup. And so it's actually quite possible to start doing a forensic analysis on iPhones.
Unfortunately, Android devices we found were much more limited because of restrictions on the Android operating system. It isn't possible to extract much data in an Android backup, and so all we've really been able to do on Android is to simply check the SMS messages and maybe the browser history for some traces of targeting. But again, much less data is available on Androids compared to iPhones. The other big problem we realized is that there's a lack of any kind of public tools for consensual mobile forensics. All of the forensic tools that are out there are designed for people to extract data from phones that they don't own, or phones that have been seized, or phones that are somehow otherwise obtained. There are no tools available to really check your own phone for signs of spyware. So this is where the Mobile Verification Toolkit comes into play. So MVT is a public tool developed by Amnesty International and designed to simplify the process of analyzing mobile devices for traces of spyware. And it's available on GitHub, you can go check it out. And just to highlight: all of the cases of Pegasus targeting I've described previously, and all the cases and traces that are presented for the rest of the presentation, all of these have been found using MVT.
So MVT really works to detect advanced spyware, including spyware using zero-click, zero-day exploits and really sophisticated stuff such as Pegasus. So while all of these different spyware vendors try to say "our thing is undetectable": it is definitely advanced, they definitely spent a lot of money in developing this stuff, but it's not magic. And if you're careful and diligent about checking the traces, there are always mistakes that are made. There are always ways of identifying potential suspicious behavior on these devices. And MVT is written in Python, it's very easy to install, and if you have pip, you can just do a "pip3 install mvt". And here's how it's used. Again, it's very straightforward. To check an iPhone, you simply make a backup of the iPhone and you run this one command, so it'll be "mvt-ios check-backup" and then you provide the backup folder. In the command here we also see what's called a STIX file. So a .stix file is simply a file containing indicators. This may be like domain names or IP addresses, or process names that are known to be linked to a spyware tool. And so MVT is a generic tool. It can be used with Pegasus indicators, but it also can be used with indicators for other spyware tools and could be used to detect other spyware.
So MVT is a modular framework, it has modules for parsing 00:25:31.889 --> 00:25:36.705 different kinds of databases such as SMS messages or browser history or other kinds 00:25:36.705 --> 00:25:41.368 of files on the device. I'm going to go through and explain a few of the modules 00:25:41.368 --> 00:25:46.297 that are available in MVT and show how this can be used to find traces of 00:25:46.297 --> 00:25:53.640 Pegasus or other similar spyware tools. So one module that is quite useful is the SMS 00:25:53.640 --> 00:25:58.766 module, which is quite straightforward, it simply reads the SMS database in an iPhone 00:25:58.766 --> 00:26:04.283 backup to extract all of the links from the SMS messages and check if any of those 00:26:04.283 --> 00:26:10.656 SMS messages contain links to known malicious domains. So in this case, we're 00:26:10.656 --> 00:26:14.707 checking a backup that is targeted with Pegasus, and we see that 00:26:14.707 --> 00:26:18.844 there are multiple domains found that are tied to Pegasus. We see 00:26:18.844 --> 00:26:25.221 revolution-news.co, stopsms.biz, and from what we know of NSO we've seen these 00:26:25.221 --> 00:26:32.883 kinds of exploit SMS used primarily between 2016 and 2018. We've also seen 00:26:32.883 --> 00:26:37.896 Pegasus links as far back as 2014, and as recently as 2020. So this has been quite 00:26:37.896 --> 00:26:43.200 common and if these zero-click attacks are not available, I think we'll still see 00:26:43.200 --> 00:26:51.348 these kinds of exploit links being sent in SMS. So another data source that's quite 00:26:51.348 --> 00:26:56.600 useful and quite helpful for finding traces of targeting is the Safari browser 00:26:56.600 --> 00:27:03.595 history. So what we've seen is traces of exploits 00:27:03.595 --> 00:27:09.464 being recorded in Safari browser history, especially after a network injection 00:27:09.464 --> 00:27:14.294 attack. 
So in this case, while there's no link in SMS, when a network injection 00:27:14.294 --> 00:27:18.800 attack happens the exploit server domain will be recorded in the browser history. 00:27:18.800 --> 00:27:22.506 And so by checking the browser history, we may be able to find evidence that this 00:27:22.506 --> 00:27:31.120 attack happened. So on the right here you can see a screenshot, and this screenshot 00:27:31.120 --> 00:27:38.400 was actually taken by Moroccan journalist Omar Radi when he was being targeted with 00:27:38.400 --> 00:27:43.600 one of these network injection attacks in Morocco. So when he was browsing the web 00:27:43.600 --> 00:27:46.720 he clicked the link and then was instantly redirected to this web page. And when 00:27:46.720 --> 00:27:49.920 this screenshot was taken, it was actually running the JavaScript trying to exploit 00:27:49.920 --> 00:27:55.440 his phone. So unfortunately, following the publication of this research Omar Radi was 00:27:55.440 --> 00:27:59.920 repeatedly harassed by the Moroccan authorities and then he was eventually 00:27:59.920 --> 00:28:04.556 jailed after an unfair trial, and he's currently in jail. 00:28:06.806 --> 00:28:13.199 So another file that is quite useful in our investigations is something called the ID 00:28:13.199 --> 00:28:18.462 status cache file. So the ID status cache file is a file on iPhones, and it can 00:28:18.462 --> 00:28:23.671 track traces of any iCloud accounts which interacted with the device. This can 00:28:23.671 --> 00:28:27.408 be interacting with the device over a bunch of different Apple services, 00:28:27.408 --> 00:28:32.266 including iMessage, AirDrop, Apple Photos. And so what is really useful about this 00:28:32.266 --> 00:28:39.282 file is that it showed us which malicious accounts, which Pegasus-related 00:28:39.282 --> 00:28:46.080 accounts, had been targeting a particular device. 
So from what we know about Pegasus, we 00:28:46.080 --> 00:28:51.920 believe that these malicious accounts have been set up and have been used by 00:28:51.920 --> 00:28:58.240 one individual Pegasus customer. So you can see here in the first row, we see this 00:28:58.240 --> 00:29:04.480 email address linakeller and we saw this account being used to deliver an 00:29:04.480 --> 00:29:08.400 iMessage zero-day to quite a number of different activists. So we've seen it 00:29:08.400 --> 00:29:16.240 used to deliver exploits to two different Moroccan activists and a couple of French 00:29:16.240 --> 00:29:21.040 political figures. So by looking at which individuals have been targeted by 00:29:21.040 --> 00:29:24.720 the same account, by the same customer, we were able to kind of get a 00:29:24.720 --> 00:29:28.400 better idea of who that customer might be and have some idea about the attribution 00:29:28.400 --> 00:29:33.840 for that attack. The same in these other cases, for example we see 00:29:33.840 --> 00:29:39.200 the jessicadavies1345 email. This was found on the phone of two different 00:29:39.200 --> 00:29:44.160 Hungarian journalists. Same for the emmadavies address and again for this 00:29:44.160 --> 00:29:49.120 final address here: williams enny. We found this on the phone of two different 00:29:50.560 --> 00:29:58.320 Hungarian individuals, Hungarian activists. So this is really useful for us 00:29:58.320 --> 00:30:01.450 in our investigation because it really helped us get a better idea of who might 00:30:01.450 --> 00:30:10.480 be behind some of the attacks that we were seeing. So the previous logs 00:30:10.480 --> 00:30:15.840 I showed, about SMS data and browser history, show kind of traces of 00:30:15.840 --> 00:30:19.280 targeting. They showed some of these had been sent a malicious link, but they don't 00:30:19.280 --> 00:30:23.920 necessarily prove that a phone has been successfully compromised. 
So what I will 00:30:23.920 --> 00:30:28.700 show now is some of the logs we can use to show that a device was indeed compromised. 00:30:28.800 --> 00:30:32.580 One of these files that was very useful for us in our investigations was the 00:30:32.580 --> 00:30:39.600 so-called data usage file. So the data usage file in an iPhone is a file that records 00:30:39.600 --> 00:30:43.920 information about how much mobile data traffic each process on the phone has 00:30:43.920 --> 00:30:49.120 used. So this may be used to, like, help the iPhone keep track of, you know, which 00:30:49.120 --> 00:30:52.720 apps on your phone are using the most of your mobile data. But what is really 00:30:52.720 --> 00:30:56.640 helpful for this is that it actually recorded the names of some of the Pegasus 00:30:56.640 --> 00:31:01.162 processes and how much data each of these Pegasus processes was using. So from all 00:31:01.162 --> 00:31:08.160 we know about NSO's Pegasus, we believe that when Pegasus is installed on a phone, 00:31:08.160 --> 00:31:13.666 it will kind of pick a random name that it uses to kind of hide itself while running on 00:31:13.666 --> 00:31:18.000 the system. Throughout our investigation we found about 50 different process names 00:31:18.000 --> 00:31:21.956 that the Pegasus process was using to try and hide itself. And once we identified 00:31:21.956 --> 00:31:26.087 these process names, then we could go and look for these known Pegasus 00:31:26.087 --> 00:31:31.599 process names on devices of potential targets. What's more, this database 00:31:31.599 --> 00:31:36.141 also shows a timestamp of when this process name was first kind of started on 00:31:36.141 --> 00:31:40.381 the device, when it was last seen on the device. And also it gives you some kind of 00:31:40.381 --> 00:31:44.570 information about how much data this process transferred. 
In some cases, this 00:31:44.570 --> 00:31:48.174 has been gigabytes of data, which shows that really the Pegasus spyware was 00:31:48.174 --> 00:31:53.494 extracting a lot of data from the device. And again, this is all automated in MVT, 00:31:53.494 --> 00:31:58.851 so if you check a phone using MVT with the Pegasus indicators, it'll show quite 00:31:58.851 --> 00:32:04.799 clearly if any of these processes have been found on the device. Another feature 00:32:04.799 --> 00:32:11.440 that's been very helpful for us in our analysis is the timeline feature of MVT. 00:32:11.440 --> 00:32:17.291 So how the timeline feature works is it takes all of the different indicators and 00:32:17.291 --> 00:32:21.285 modules on the phone, so it checks the SMS messages, it checks the file 00:32:21.285 --> 00:32:27.119 system, and every event, like every SMS message, every web browser lookup, will 00:32:27.119 --> 00:32:33.228 all be recorded in a single file with the date that it happened. So by looking at 00:32:33.228 --> 00:32:38.557 this timeline, we can often see what different events happened around the same 00:32:38.557 --> 00:32:43.013 time as each other, and this can give us some idea about how attacks 00:32:43.013 --> 00:32:48.172 were actually delivered on this device. So I want to give you just one example 00:32:48.172 --> 00:32:52.405 of how this timeline can be used, just so you know how to use this timeline in your 00:32:52.405 --> 00:32:59.885 own investigations. So this is actually a demonstration of the phone of a Rwandan 00:32:59.885 --> 00:33:06.284 activist who was targeted in June 2021 using the FORCEDENTRY iMessage zero-day. 00:33:06.284 --> 00:33:13.898 So we can see here on the timeline that at 8:45 p.m., we see the phone began to 00:33:13.898 --> 00:33:18.428 receive some push notifications over iMessage. So it seems it receives like 46 00:33:18.428 --> 00:33:24.940 push notifications. 
And then what we saw was that SMS attachments began to be 00:33:24.940 --> 00:33:29.821 written to the phone. So in the final line here, we see that a file is 00:33:29.821 --> 00:33:33.642 written to the SMS attachments directory. And if you look at the end of the line, we 00:33:33.642 --> 00:33:38.873 see that the file being written to disk actually had a .GIF attachment. So at 00:33:38.873 --> 00:33:44.406 the time we thought this was something to do with the exploit somehow. NSO was 00:33:44.406 --> 00:33:50.465 delivering their exploit in that GIF file. If we look a little bit later in the 00:33:50.465 --> 00:33:56.054 timeline, we see that about 10 minutes later, on the same day, a Pegasus process 00:33:56.054 --> 00:34:02.095 starts running on the phone. This otpgrefd process. Shortly afterwards, some 00:34:02.095 --> 00:34:06.789 additional files are written on disk and some more Pegasus processes start. So by 00:34:06.789 --> 00:34:12.059 looking at this timeline together, we can see quite clearly that the phone began to 00:34:12.059 --> 00:34:15.544 receive iMessage messages. These GIF attachments start to be written on the 00:34:15.544 --> 00:34:21.040 disk and then about 10 minutes later, the phone was compromised with Pegasus. So 00:34:21.040 --> 00:34:23.360 remember here, there was no interaction from the user - they didn't 00:34:23.360 --> 00:34:26.320 click on any link. As far as we are aware they didn't even notice anything 00:34:26.320 --> 00:34:29.120 happening on the device. These messages were simply silently being 00:34:29.120 --> 00:34:35.280 delivered and after 10 or 20 minutes, Pegasus began to gain access to the 00:34:35.280 --> 00:34:39.600 device. 
So we've shared some of these findings with Apple, and then later in 00:34:39.600 --> 00:34:46.640 September 2021, Citizen Lab identified a copy of this exploit on 00:34:46.640 --> 00:34:49.840 the phone of another activist and they shared it with Apple and Apple 00:34:49.840 --> 00:35:01.499 patched this vulnerability in September 2021. So that's a little bit of how MVT 00:35:01.499 --> 00:35:06.840 works and how some of this methodology works to identify Pegasus on a 00:35:06.840 --> 00:35:12.674 device. So since we published our forensic methodology and our tools, many other 00:35:12.674 --> 00:35:18.770 groups and organisations have been using these tools and methodology to check other 00:35:18.770 --> 00:35:24.469 devices for signs of Pegasus and found quite a number of new cases. Here on the 00:35:24.469 --> 00:35:28.796 top right you're going to see an example of another NGO, "Frontline Defenders", who 00:35:28.796 --> 00:35:33.262 identified six Palestinian human rights defenders who had their devices hacked 00:35:33.274 --> 00:35:39.154 using Pegasus. In another case we see that the Belgian military intelligence 00:35:39.154 --> 00:35:43.985 services used a similar methodology to check the phones of journalists in 00:35:43.985 --> 00:35:48.670 Belgium, and they found that a Belgian journalist, Peter Verlinden, had 00:35:48.670 --> 00:35:53.809 his iPhone hacked, they suspected by Rwanda. Again, we see another case where 00:35:53.809 --> 00:35:58.620 French intelligence services confirmed that a number of French journalists had 00:35:58.620 --> 00:36:05.952 their phones hacked using Pegasus, again using a similar methodology. So what 00:36:05.952 --> 00:36:11.187 I'd like to highlight is MVT can really be useful in identifying traces of Pegasus, but also 00:36:11.187 --> 00:36:17.827 MVT is designed as a kind of generic mobile forensic tool. 
So when used with 00:36:17.827 --> 00:36:21.100 Pegasus indicators it will find Pegasus, but it also can be used to go and 00:36:21.100 --> 00:36:25.058 proactively search for new kinds of spyware. So I really recommend that if 00:36:25.058 --> 00:36:29.427 you're suspicious that phones may be targeted with this kind of spyware, you 00:36:29.427 --> 00:36:34.442 can use MVT to extract some data and then dig into it. If the person is a member of 00:36:34.442 --> 00:36:38.111 civil society or an activist then Amnesty and other organisations will be happy to 00:36:38.111 --> 00:36:44.270 help support these investigations. And also, MVT is an open source tool. It's 00:36:44.270 --> 00:36:49.067 based on different modules, and so we're always open to ideas for new modules 00:36:49.067 --> 00:36:54.368 and new detection ideas to help make this tool better and better able to detect new 00:36:54.368 --> 00:37:03.620 kinds of threats. One thing to remember about MVT is that it's designed to detect 00:37:03.620 --> 00:37:06.738 some kind of spyware. Unfortunately, the people who develop this spyware 00:37:06.738 --> 00:37:10.123 are smart people and they read these reports and they watch these kind of 00:37:10.123 --> 00:37:14.819 presentations. And every time we publish information about how to detect these 00:37:14.819 --> 00:37:20.352 kinds of spyware targeting civil society, the different spyware vendors and actors 00:37:20.352 --> 00:37:24.540 will try to improve their tools to avoid them being detected. They'll try to kind 00:37:24.540 --> 00:37:29.689 of upgrade their infrastructure to hide it again or to better obscure their 00:37:29.689 --> 00:37:35.017 activities. So just to give an example, here's some of the development of NSO's 00:37:35.017 --> 00:37:38.960 own infrastructure over time. 
We see that after Amnesty published the 00:37:38.960 --> 00:37:44.577 report in 2018, NSO infrastructure was shut down and then later over the next two 00:37:44.577 --> 00:37:49.966 years, it began to run more infrastructure, which was again shut down 00:37:49.966 --> 00:37:57.702 after discovery in 2021. So it's a constant arms race. And so while 00:37:57.702 --> 00:38:00.620 these tools are useful to detect Pegasus now, it's not always going to be 00:38:00.620 --> 00:38:04.827 just automatic, and it's important to do further research to try and identify new 00:38:04.827 --> 00:38:12.277 traces of new kinds of attacks. So what is the future for mobile spyware? So one 00:38:12.277 --> 00:38:16.628 thing I'd like to reiterate is that while we focus a lot on NSO Group and Pegasus in 00:38:16.628 --> 00:38:20.298 this research and in this talk, and there's also been a lot of focus 00:38:20.298 --> 00:38:24.064 on NSO Group, it's not the only mobile spyware out there, and there are definitely 00:38:24.064 --> 00:38:28.680 many other players who are trying to get into the space and trying to also develop 00:38:28.680 --> 00:38:34.750 similar kinds of spyware tools, which are then sold to different customers. 00:38:34.750 --> 00:38:41.735 We've seen that from this investigation. We found at least 180 journalists who are 00:38:41.735 --> 00:38:45.280 potential targets of Pegasus and many other human rights activists and 00:38:45.280 --> 00:38:50.157 opposition politicians who have been targeted with these tools over the last number 00:38:50.157 --> 00:38:55.907 of years. So far, these threat actors and these state agencies are able to 00:38:55.907 --> 00:39:00.992 target activists and civil society with impunity due to a lack of visibility and 00:39:00.992 --> 00:39:05.222 telemetry on mobile platforms. They've just been getting away with it because 00:39:05.222 --> 00:39:08.668 they haven't been detected. 
So tools such as MVT can help expose some of these 00:39:08.668 --> 00:39:13.489 threats, but they need to be used more widely and need to be used with more civil 00:39:13.489 --> 00:39:18.781 society to really understand the full scope of these kinds of threats. And it's 00:39:18.781 --> 00:39:23.505 also important that industry, the tech industry and the security industry, work 00:39:23.505 --> 00:39:27.296 closely with civil society to help detect and expose these threats because 00:39:27.296 --> 00:39:32.478 unfortunately, the people most at risk from these kinds of really serious attacks 00:39:32.478 --> 00:39:36.204 are some of the people who are the least equipped, both financially and technically, 00:39:36.204 --> 00:39:43.120 to defend against them. So to conclude, I think we're going to continue to see 00:39:43.120 --> 00:39:49.440 attackers focusing on mobile. Mobile is where all the data is. No other place 00:39:49.440 --> 00:39:52.080 gives you as much insight into somebody's life and all their innermost 00:39:52.080 --> 00:39:56.400 thoughts. Even just having a microphone in everybody's pocket is 00:39:56.400 --> 00:40:01.680 such a powerful position to be in that we think companies and states will continue 00:40:01.680 --> 00:40:07.120 trying to develop these kinds of tools. I think that zero-click exploits 00:40:07.120 --> 00:40:11.520 are going to be highly, highly desirable. So while Apple and others have done a 00:40:11.520 --> 00:40:15.920 great job in making attacks against iMessage more difficult, it's almost 00:40:15.920 --> 00:40:19.920 certain that these kinds of cyber surveillance companies will continue 00:40:19.920 --> 00:40:24.480 trying to develop zero-click exploits. If not for iMessage then maybe for other chat 00:40:24.480 --> 00:40:30.080 platforms. 
I don't know, like Signal or Telegram or WhatsApp, they're going to try 00:40:30.080 --> 00:40:37.166 and attack other applications that activists are using. Unfortunately it's 00:40:37.166 --> 00:40:42.101 not possible for activists and civil society to protect themselves from these 00:40:42.101 --> 00:40:47.034 kinds of zero-day attacks in a technical sense. So we definitely need more active 00:40:47.034 --> 00:40:51.577 collaboration between civil society and key platform vendors to help identify and 00:40:51.577 --> 00:40:56.189 defend against these threats. And also, we urgently need better regulation to prevent 00:40:56.189 --> 00:41:00.790 these kinds of really sophisticated spyware tools being sold to states and 00:41:00.790 --> 00:41:07.217 agencies which have a long history of abusing them to target civil society and 00:41:07.217 --> 00:41:12.978 opposition. So thank you all for listening, and I'm happy to answer some 00:41:12.978 --> 00:41:17.750 questions now. If you have some questions, or if you are a 00:41:17.750 --> 00:41:20.680 member of civil society or an activist and are concerned about surveillance, please 00:41:20.680 --> 00:41:24.868 feel free to contact us at share@amnesty.tech. Thank you. 00:41:24.868 --> 00:41:30.602 Herald: Thank you Donncha. Thank you from C-Base. We have already taken some 00:41:30.602 --> 00:41:37.033 overtime this early hacker morning. Some small questions have been popping up 00:41:37.033 --> 00:41:42.736 on our internal here from our tiny audience at C-Base. We don't have that 00:41:42.736 --> 00:41:47.686 much time left. Just can you give us an indication: What is the pace of this 00:41:47.686 --> 00:41:53.558 ongoing war? Do you feel that NSO group is actively fighting MVT and your tool 00:41:53.558 --> 00:41:57.533 development, or didn't you get this honor yet? 00:41:57.533 --> 00:42:04.998 D: Definitely. 
We've seen, even in the past year, NSO starting to be more 00:42:04.998 --> 00:42:11.084 careful about cleaning up their forensic traces, and since 2020, they've begun to 00:42:11.084 --> 00:42:14.915 already clean some of the traces that we've been using. And it's clear they've 00:42:14.915 --> 00:42:17.781 realized that people are investigating, that there is a risk of people discovering 00:42:17.781 --> 00:42:20.990 this stuff, and I feel like after the revelations of this summer, they're going 00:42:20.990 --> 00:42:25.781 to be much more proactively trying to clean up some of these traces. But as I 00:42:25.781 --> 00:42:30.800 said, NSO is one company out there, there are also many other companies trying 00:42:30.800 --> 00:42:35.120 to compete in the same space. So even if NSO gets better, you know, other 00:42:35.120 --> 00:42:38.825 companies are still out there and can still be caught using MVT, and 00:42:38.825 --> 00:42:44.324 fundamentally, even if they clean up some traces, for any kind of failed 00:42:44.324 --> 00:42:48.065 attacks these traces are still going to be left around because it won't be 00:42:48.065 --> 00:42:51.440 possible for the spyware to clean up their traces. 00:42:51.440 --> 00:42:57.437 H: Uhm-Hmm. So one could still, after an attack, eventually on an old 00:42:57.437 --> 00:43:03.465 device years later discover that there had been some spyware activity, which may be 00:43:03.465 --> 00:43:09.870 in the long run interesting information about dark campaigns and things. So NSO is 00:43:09.870 --> 00:43:15.360 not the only actor, there will be more. Do you feel that there are just copycats in 00:43:15.360 --> 00:43:20.690 the market or do you think there will be completely new threats in the future? 00:43:20.690 --> 00:43:24.811 D: So I guess there's always lots of smart people who work for these 00:43:24.811 --> 00:43:29.580 companies who are trying to develop these tools. 
Just earlier this month, 00:43:29.580 --> 00:43:34.180 Citizen Lab published a report about another cyber surveillance vendor called 00:43:34.180 --> 00:43:40.759 Cytrox based in North Macedonia, and they were selling similar spyware, which is 00:43:40.759 --> 00:43:45.002 using kind of one-click attacks using links to help compromise iPhones and 00:43:45.002 --> 00:43:50.256 Android phones. So that's one company that's competing in this space. There are 00:43:50.256 --> 00:43:54.869 other companies doing similar kinds of targeting, but we believe, you know, 00:43:54.869 --> 00:43:58.766 NSO was definitely the biggest company in this space, and they had a lot of money to 00:43:58.766 --> 00:44:04.575 invest in, especially in these kinds of zero-click attacks. So for now, we don't 00:44:04.575 --> 00:44:07.579 know if there's a company that's as big or sophisticated as NSO, but I think many 00:44:07.579 --> 00:44:11.769 others will be trying to take their place if NSO becomes less popular. 00:44:11.769 --> 00:44:19.466 H: I see. I see. OK, thank you very much. We have to go over to the RC3 morning 00:44:19.466 --> 00:44:26.754 show in a few seconds. Thank you very much for this interesting talk this morning. 00:44:26.754 --> 00:44:33.970 Again, share@amnesty.tech is the address to go to. And this is probably one of the 00:44:33.970 --> 00:44:38.931 talks you want to watch again on media.ccc.de in a few days when it has 00:44:38.931 --> 00:44:45.760 been published. So greetings to Ireland. Thank you very much and we will meet and 00:44:45.760 --> 00:44:51.280 see again in real, I hope. Thank you. D: Thank you very much. Have a good day. 00:44:54.720 --> 00:45:03.000 Everything is licensed under CC by 4.0. And it is all for the community, to download 00:45:03.000 --> 00:45:03.570 Subtitles created by c3subtitles.de in the year 2022. Join, and help us!