-
[Translated by Iikka Yli-Kuivila
(ITKST56 course assignment at JYU.FI)]
-
Herald: Good morning from C-Base, the
space station beyond or under Berlin,
-
welcomes you to day 2 of the RC3
streaming, we are starting in a few
-
seconds with the "Catching the NSO Group's
Pegasus spyware". This is something that
-
has caught attention among the security
and hacker communities over the world in
-
the last, I would guess, two years or so.
There have been some spectacular cases of
-
murder, kidnappings, journalists being
threatened, other things. The infamous
-
software doing this is called Pegasus,
it's marketed by a company known by the
-
three-letter acronym NSO, whatever this
stands for. And actually, Amnesty
-
International and its I.T. department, so
to say, has invested quite some effort
-
into detecting whether a device has been
infected by Pegasus or not. NSO marketed
-
this, among other things, as so-called
"undetectable", well undetectable as in
-
software on a device, as we will see, and
our speaker today, Donncha, Donncha O'Cearbhaill
-
from Ireland and from Amnesty
International, will be presenting how they
-
developed detection tools for this nasty
piece of spyware that has become so
-
popular among secret actors, state actors
and others around the world. OK, enough
-
for the introduction, Donncha, the scene
and the stream is yours. Good morning
-
Donncha: Good morning, and thank you for
that introduction. So as the intro said,
-
today I'd like to talk to you about NSO
group's Pegasus spyware, in particular I'd
-
like to explain a little bit about how we
at Amnesty have investigated Pegasus over
-
the past few years and I'll also explain and
demonstrate some of the tools we have
-
developed and published, so that others can also
investigate and detect Pegasus spyware
-
potentially on their devices and the
devices of other people in civil society.
-
So my name is Donncha O'Cearbhaill and I
am a technologist based at the Amnesty
-
International Security Lab in Berlin with
a small team who focuses on investigating
-
targeted digital threats such as spyware,
phishing and other kinds of surveillance
-
that's directed against civil society and
human rights defenders around the world.
-
So as the intro said, Pegasus has got a
lot of attention in the past few months.
-
So you may have seen the Pegasus Project
revelations that were published in July
-
during the summer. The Pegasus Project was
a global investigation into abuses linked
-
to NSO group's Pegasus spyware. This
investigation was based on a leaked
-
dataset of 50,000 potential Pegasus
targets, which Amnesty International and
-
Forbidden Stories had access to, and so
this global media investigation was
-
coordinated by Forbidden Stories, with the
participation of about 80 journalists from
-
17 different media organisations around
the world. During the Pegasus Project,
-
Amnesty International took the role of a
technical partner, and the focus for
-
Amnesty International was to perform
detailed innovative forensic analysis on
-
the devices of potential targets, and
through this kind of forensic analysis and
-
this technical work we were able to
identify traces of Pegasus, either
-
targeting or infecting online devices. So
over a multi-month project Amnesty
-
Security Lab analyzed about 67 devices,
and from these 67 devices of potential
-
targets at least 37 showed clear traces of
Pegasus targeting or infection. So this is
-
really quite a high number of
infected devices, and these devices
-
included journalists, activists,
opposition political figures, all kinds of
-
people who were being unlawfully
surveilled using Pegasus. Overall, of the
-
phones we have checked, which were iPhones
and which hadn't been replaced, which took
-
data of the targeting, more than 80
percent of the phones that were on this
-
list of potential targets showed traces of
Pegasus. So in July these stories came out
-
and they highlighted cases of civil
society being targeted, such as
-
journalists in Hungary, activists in
Morocco, activist Saudi Arabian
-
dissidents, also family members of Jamal
Khashoggi, which the investigation showed
-
had been targeted with Pegasus spyware
both before and after his brutal
-
murder. So, yeah, you can go and
read many of these stories online. Today
-
I'd like to focus on and get to how we got
there, how we developed these
-
tools, how we developed this methodology
for finding Pegasus. And also to explain
-
about how you can also go and do this kind
of searching for Pegasus and for
-
other mobile spyware. So let's take a step
back for a second and ask, so what exactly
-
is Pegasus? Its name is well known, but
what exactly is the software and how does
-
it work? OK, so first thing to remember is
that actually, while Pegasus has become
-
more well known in the last two
years, it's not actually a new
-
tool or a new product. So we know Pegasus
has been around and then developed by NSO
-
Group since at least 2010. And on the left
hand side here, the diagram, you can see a
-
Pegasus brochure from 2010 where it
describes how Pegasus can be installed on
-
BlackBerry devices. And we believe the
original version of Pegasus was focused on
-
BlackBerry because back in 2010,
smartphones were less prevalent than they
-
are now. BlackBerry is kind of a key
target for some of the security
-
agencies who may want to buy this kind of
spyware. So it developed over time here on
-
the right hand side, we can see some
diagrams that were from a leaked Pegasus
-
brochure that was published in 2014. In
the first diagram, here it talks about how
-
Pegasus is installed on a phone. In this
example, it's showing how a Pegasus kind
-
of infection link can be sent over SMS to
the target device. And then if opened how
-
the data can be collected and passed back
to the operator of the Pegasus
-
software. That's just one example
from their own diagrams. Here in the
-
circle below, you'll see a little bit of
what Pegasus claims to be able to monitor.
-
And if you look at it, you can see it's
basically everything on the device. So
-
it's talking about collecting email
addresses, collecting SMS messages,
-
tracking location data, even reading the
calendar, turning on the microphone of the
-
phone. And so bear in mind while this
diagram is quite old, it's like six or
-
seven years old, you get an idea of what
kind of data the Pegasus software will try
-
to collect from the phone. It's basically,
it collected every kind of data on the
-
phone that might be of interest to
somebody who is carrying out the
-
surveillance. One important thing to
remember is that the Pegasus spyware is
-
able to get very kind of deep access to
the phone, so it's fundamentally able to
-
access everything on the phone that the
user is able to access and more. So even
-
if you're using a messaging app such as
Signal or Telegram, which may be
-
encrypted, the Pegasus software is able to
access that data and those messages before
-
they're encrypted on the device. So even
once their spyware is running on the phone
-
itself, none of these encrypted messaging
apps will help because it has such low
-
level access to the device. So it's a
little bit about what exactly Pegasus
-
tries to collect and
what people can do with it using the
-
Pegasus software. So where exactly did the
investigations into Pegasus start? So we
-
go back as far as 2016, which was when Pegasus
was first kind of identified in the wild,
-
being used to target an activist.
So in this case, in 2016, Pegasus was
-
first found by Citizen Lab. Citizen Lab
is a group of researchers based in the
-
University of Toronto in Canada, who also
works on investigating spyware targeting
-
civil society. So in this case, a UAE
based human rights defender named Ahmed
-
Mansoor began to receive suspicious
messages over SMS. So you can see some
-
screenshots of the messages on the right.
So Ahmed Mansoor was cautious about these
-
because in the past he had previously been
targeted with other kinds of spyware
-
tools, including FinFisher.
So when he began to receive these
-
messages, he was cautious about them
and he shared them with Citizen Lab, who
-
then began to investigate them. So what
Citizen Lab realized is that these looked
-
to be attack messages, and they opened
these attack links on their own testing
-
phone. When they did this they were able to
capture the exploit that was being
-
delivered over these links and were also
able to capture a copy of the Pegasus
-
payload. So what happens when these links
are opened is that the link is opened in a
-
web browser such as Safari. When the link
is opened, the Pegasus server would return
-
some JavaScript, some code that would
exploit an unknown flaw in the Safari web
-
browser and by kind of manipulating the
Safari web browser and exploiting this
-
unknown flaw, they could then get their
own code to start running inside this web
-
browser. And eventually, with the help of
some additional flaws, they could then get
-
more privileged access on the iPhone and
eventually install the full Pegasus
-
payload. So, yes, Citizen Lab first found
it in 2016, it was a very important
-
discovery and it showed just how
serious some of the threats facing civil
-
society were. That there were people
willing to use these kinds of very
-
expensive exploits to start targeting
human rights defenders who are just doing
-
their human rights work. Unfortunately,
after this, Ahmed Mansoor continued to get
-
harassed, and he was sentenced to prison,
and he's currently still in prison
-
since 2017. So for about four years now.
So when did we at Amnesty start
-
investigating this? So our team has been
investigating these kinds of threats for a
-
while, but really we started focusing on
NSO and investigating NSO in 2018 after an
-
Amnesty colleague of ours started to
receive some suspicious messages. So this
-
this colleague received in May 2018
this message, which you can see here on
-
the left. The message is written in
Arabic. It claims that there
-
is going to be a protest happening shortly
outside the Saudi Arabian Embassy. And
-
they asked the Amnesty staff member to
support the protest and then to click on
-
this link for more information. So
fortunately, our Amnesty colleague, when
-
they received this message, they got quite
suspicious. They were like, this is just
-
weird, I don't know this person. And so
they shared a screenshot of this message
-
with us at the Amnesty Security Lab, and
we began to investigate. So quite quickly
-
when we started looking at this domain
name and the server, we agreed it
-
looked kind of suspicious. And we also
managed to identify some additional
-
domains and servers that were related to
this original akhbar-arabia domain. And
-
quite quickly, it started to appear to us
that this was indeed something suspicious,
-
and maybe it was some kind of an attack
message. So at the time, we didn't know it
-
was necessarily NSO Group. By looking at
the original and initial servers here. We
-
managed to create kind of a fingerprint,
so some way of identifying the particular
-
configuration of the domain name and the
server sent inside of this message. With
-
the aid of this fingerprint, we then began
to do what's called an internet scan. So
-
we connected to every single server on
the Internet, send a particular request
-
and then find any other server on the
Internet that matched this particular
-
fingerprint, this particular configuration
from this server. So by doing this
-
internet scanning, what we found was 600
different domains all across the Internet
-
that matched this fingerprint and that
appeared to be related to the same kinds
-
of attacks. So what was really
key is that we found that these
-
domains were actually related to Pegasus
because NSO Group had made one kind of key
-
mistake or key flaw when they were setting
up this infrastructure. So what happened
-
is that, as described earlier, Citizen Lab
had previously identified servers being
-
used by NSO Group in 2016. After the
exposé in 2016, NSO shut down all of
-
these domains and infrastructure. And then
began to set up new kind of infrastructure
-
that would not be related to NSO or not
linkable to NSO. Fortunately they made a
-
mistake because they had reused one domain
name from the previous set of
-
infrastructure, which was also being used in this
new infrastructure. So by finding this one
-
domain out of 600 that had previously been
in use by NSO, we were able to show
-
that these 600 domains were also related
to Pegasus. And so we were able to show that
-
this message that was sent to our Amnesty
International colleague was indeed related
-
to Pegasus and was an attempt to
compromise their device. So we published
-
these findings in August 2018, and at that
time we also identified that another set
-
of Saudi Arabian activists had similarly been
targeted, with a Pegasus exploit message
-
over WhatsApp. Following this, Amnesty
International also supported a legal
-
action in Israel, which asked the Israeli
Ministry of Defense to revoke NSO's export
-
licenses, to prevent this Pegasus software
being sold to countries that would abuse
-
it to target Amnesty and also target other
human rights activists. Unfortunately
-
later the Israeli court rejected the legal
complaint and said that the Israeli
-
Ministry of Defense had adequate
safeguards in place to prevent NSO's
-
exports being sold to countries who would
abuse it. Here at the bottom on the left,
-
you can see a chart
which shows the number of Pegasus servers
-
online at the time. I mean, you can see here that
when we published this report NSO acted
-
quite quickly to shut down all 500 or 600
servers that were being used to deliver
-
Pegasus. So this just shows that, you
know, NSO is kind of reading this
-
research and paying attention to it. It
is trying to avoid getting their
-
infrastructure and servers discovered by
by researchers who are investigating these
-
kinds of abuses. So this is back in
2018, so after discovering this attack
-
against an Amnesty staff member we at
Amnesty continued trying to investigate
-
Pegasus to try to find more cases of
abuse. We next found Pegasus targeting
-
happening in Morocco in 2019. So you can
see here on the right. This time, we found
-
that a Moroccan human rights defender
named Maati Monjib was being targeted
-
repeatedly with Pegasus. When we checked
his phone, we found that he had some
-
suspicious messages there; the
messages claimed that there was some
-
scandal or some news story, and they're
asking the target to click on these links
-
to find out more information. So when we
looked at these links, we knew
-
immediately that they were Pegasus links,
because we had previously identified these
-
domains as one of the 600 domains, that
were being used in 2018. So for example,
-
you can see that in the second message on
the right, we see the domain
-
videosdownload.co. We knew it was Pegasus
because we'd previously identified and
-
published this domain in 2018. So this
time we knew Maati was being targeted with
-
Pegasus, but we realized we needed to do
some more investigation to see if his
-
phone was indeed compromised that we could
collect more information from his device.
-
So when we did this, we actually found
something quite interesting on Maati's
-
phone because we found what we believed
was evidence of a new type of a targeting
-
on his phone. Instead of relying on the
target being tricked into clicking on a
-
link which is maybe not reliable, or maybe
the target can see something is
-
suspicious. We instead saw them using
what's called a network injection attack.
-
So how a network injection attack works
is like this: network injection
-
involves having some kind of equipment or
software running with access to the
-
internet connection of the mobile device.
So this can either be at the mobile phone
-
network or potentially having some
software or hardware running on the same
-
Wi-Fi network as the target. And what it
does is when the target is browsing the
-
web on their phone, eventually, the target
browses and clicks on a link that goes to a
-
regular http website. So without https. So
when this regular http request is made,
-
the software that's running on the
upstream network can see this http
-
request. And when the http request
happens, instead of
-
returning the correct response with the correct
content, it returns an http
-
redirect. And the http redirect will then
send the browser of the phone to a
-
malicious exploit site, which can then
hack the phone. So in the case of Maati,
-
we found that he had tried to go and check
his email and typed in Yahoo.fr on his
-
browser. When he typed in Yahoo.fr, the
software running on the upstream
-
network saw this cleartext connection and
then redirected his phone to this exploit
-
link we see above. So you see the domain
is quite suspicious:
-
"get1tn0w.free247downloads.com". And
again, it has some random characters at
-
the end, which looks like a kind of an
exploit link. So at the time, we suspected
-
that this was Pegasus, and it was a
new way of delivering Pegasus without
-
tricking the user into clicking on a link.
But we weren't certain that it was
-
Pegasus, potentially it was some other
kind of spyware. Fortunately for us NSO
-
helped to confirm that this really was
Pegasus, because before we published this
-
report, Amnesty wrote to NSO Group sharing
our findings and interestingly one day
-
after we shared the findings with NSO this
spyware server got shut down and went
-
offline. And this is already a week before
the report was made publicly available. So
-
that kind of confirmed to us that NSO
really was controlling this infrastructure
-
and were able to get it shut down even when
we'd only privately shared this
-
information with NSO. A bit later, we
found some more information about how this
-
attack may have been done - NSO at a trade
fair was demonstrating some new type of
-
hardware they had developed, which you can
see here on the photo on the right. And we
-
believe this photo is of some kind of
IMSI catcher or fake base station, which
-
can run a fake mobile phone network. And
then the target's phone, so Maati's, could
-
connect to this fake mobile phone base
station. And from that position, it could
-
be possible for NSO to redirect the phone
to a malicious exploit link.
-
So we're not sure what happened in this
case, if this was the device that was used.
-
But we believe NSO is demonstrating
or testing these kinds of what are called
-
tactical infection methods. So this was
where our findings were in Morocco - we
-
started to realize that actually relying
on checking for SMS messages, checking for
-
links or relying on people coming to us
with something suspicious wasn't going to
-
work anymore because we began to see what
were called zero-click attacks. And so all
-
a zero-click attack is, is any way of
infecting a device that doesn't rely on
-
some interaction from the user. Doesn't
rely on the user clicking on a link. So we
-
can see here are some examples of other
zero-click attacks that have been
-
discovered over the past couple of years.
I guess one of the first ones here was in
-
2019, where NSO Group developed an exploit
for WhatsApp, and it was then used
-
by their customers to target at least 1400
different people around the world. All of
-
this - how it worked is that the
target simply had to receive a call over
-
WhatsApp, even a missed call and the
exploit would be able to compromise their
-
phone without the user clicking
anything. As I described earlier, we saw
-
these kinds of network injection attacks
happen, and then later in 2020, Citizen
-
Lab also found an iMessage zero-day being
used to again compromise iPhone users
-
without any interaction in 2020. So from
our own investigations, we have found that
-
NSO has been using various zero-click
exploits since at least summer 2017 until
-
July of this year. So we know it's not
something that's quite new for NSO
-
but at least it's something we've
started only recently discovering in the
-
past few years. And we've seen NSO
putting a lot of focus into developing
-
these kinds of complicated but very
powerful zero-click exploits. So now that
-
we know that NSO and their customers are
using these kind of zero-click attacks, we
-
realized we needed to do something kind of
more advanced to try and find these cases
-
of surveillance. The big
problem with mobile devices is a lack of
-
visibility, whereas on desktop or laptop
computers, we have antivirus available or
-
we have EDR systems available. There
really is nothing similar that was
-
available for mobile devices. So these
kinds of attacks, especially zero-click
-
attacks, are often going undetected. We
got to investigate this. We realized that
-
it was difficult to perform forensics on
mobile devices. It's actually not
-
impossible. We were somewhat surprised to
realize that iPhones actually allow a
-
significant amount of relevant data to be
extracted from the phones themselves in
-
the form of an iPhone backup. And so it's
actually quite - quite possible to start
-
doing a forensic analysis on iPhones.
Unfortunately, Android devices we found
-
were much more limited because of
restrictions on the Android operating
-
system. It isn't possible to extract much
data in an Android backup, and so all
-
we've really been able to do on Android is
to simply check the SMS messages and maybe
-
the browser history for some traces of -
of targeting. But again, there's just
-
much less data available on Android
compared to iPhones. The other big problem
-
we realized is that there's a lack
of any kinds of public tools for
-
consensual mobile forensics. All of the
forensic tools that are out there are
-
designed for people to extract data
from phones that they don't want or their
-
phones have been seized or phones that are
somehow otherwise obtained.
-
There are no tools available to really check
your own phone for signs of spyware. So
-
this is where the Mobile Verification
Toolkit comes into play. So MVT is
-
a public tool developed by Amnesty
International and designed to simplify the
-
process of analyzing mobile devices for
traces of spyware. And here it's available
-
on GitHub, you can go check it out. And
just to highlight: all of the
-
cases of Pegasus targeting I've described
previously, and all the cases and traces
-
that are presented for the rest of the
presentation, have been found
-
using MVT. So MVT really works to
detect advanced spyware, including spyware
-
using zero-click, zero-day exploits and
really sophisticated stuff such as
-
Pegasus. So while all of these different
spyware vendors try to say: "Our thing is
-
undetectable": It is definitely advanced,
they definitely spent a lot of money in
-
developing this stuff, but it's not magic.
And if you're careful and diligent about
-
checking the traces, there's always
mistakes that are made. There's always
-
ways of identifying potential suspicious
behavior on these devices. And MVT is
-
written in Python, it's very easy to
install, and if you have pip, you can just
-
go "pip3 install mvt". And here's how
it's used. Again, it's very
-
straightforward. To check an iPhone, you
simply make a backup of the iPhone and you
-
run this one command so it'll be "mvt-ios
check-backup" and then you provide the
-
backup folder. In the command here we also
see what's called a stix-file. So a .stix
-
file is simply a file containing
indicators. This may be like domain names
-
or IP addresses, or process names that are
known to be linked to a spyware tool. And
-
so MVT is a generic tool. It can be
used with Pegasus indicators, but it also
-
can be used with indicators for other
spyware tools and could be used to detect
-
other spyware. So MVT is a modular
framework, it has modules for parsing
-
different kinds of databases such as SMS
messages or browser history or other kinds
-
of files on the device. I'm going to go
through and explain a few of the modules
-
that are available in MVT and show how
this can be used to find traces of
-
Pegasus or other similar spyware tools. So
one module that is quite useful is the SMS
-
module, which is quite straightforward, it
simply reads the SMS database in the iPhone
-
backup to extract all of the links from
the SMS messages and check if any of those
-
SMS messages contain links to known
malicious domains. So in this case, we're
-
checking a backup of a phone that was targeted with
Pegasus, and we see that
-
there are multiple domains that are found
and are tied to Pegasus. We see this
-
revolution-news.co, stopsms.biz and
from what we know of NSO we've seen these
-
kinds of exploit SMS used primarily
between 2016 and 2018. We've also seen
-
Pegasus links as far back as 2014, and as
recently as 2020. So this has been quite
-
common and, if these zero-click attacks
are not available, I think we'll still see
-
these kinds of exploit links being sent in
SMS. So another data source that's quite
-
useful and quite helpful for finding
traces of targeting is the Safari browser
-
history. So what we've seen is
traces of exploits
-
being recorded in Safari browser history,
especially after a network injection
-
attack. So in this case, while there's no
link in SMS, when a network injection
-
attack happens the exploit server domain
will be recorded in the browser history.
-
And so by checking the browser history, we
may be able to find evidence that this
-
attack happened. So on the right here you
can see a screenshot and this screenshot
-
was actually taken by Moroccan journalist
Omar Radi when he was being targeted with
-
one of these network injection attacks in
Morocco. So when he was browsing the web
-
he clicked the link and was then instantly
redirected to this web page. And when
-
this screenshot was taken, it was actually
running the JavaScript trying to exploit
-
his phone. So unfortunately, following the
publication of this research Omar Radi was
-
repeatedly harassed by the Moroccan
authorities and then he was eventually
-
jailed after an unfair trial, and he's
currently in jail.
-
So another file quite useful in our
investigations is something called the ID
-
status cache file. So the ID status cache
file is a file on iPhones, and it can
-
track traces of any iCloud accounts
which interacted with the device. This can
-
be interacting with the device over a
bunch of different Apple services,
-
including iMessage, AirDrop, Apple Photos.
And so what is really useful about this
-
file is that it showed us which malicious
accounts, which kind of Pegasus-related
-
accounts had been targeting a particular
device. So what we know about Pegasus - we
-
believe that these malicious accounts
have been set up and have been used by
-
one individual Pegasus customer. So you
can see here in the first row, we see this
-
email address linakeller and we saw
this account being used to deliver an
-
iMessage zero-day to quite a number of
different activists. So we've seen it
-
used to deliver exploits to two different
Moroccan activists and a couple of French
-
political figures. So by looking at
which individuals have been targeted by
-
the same account, by the same
customer we were able to kind of get a
-
better idea of who that customer might be
and have some idea about the attribution
-
for that attack. The same
in these other cases, for example we see
-
the jessicadavies1345 email. This was
found on the phone of two different
-
Hungarian journalists. Same for the
emmadavies address and again for this
-
final address here: williams enny. We
found this on the phone of two different
-
Hungarian individuals, Hungarian
activists. So this is really useful for us
-
in our investigation because it really
helped us get a better idea of who might
-
be behind some of the attacks that we were
seeing. So the previous logs
-
I showed, about SMS data and browser
history, show kind of traces of
-
targeting. They showed that some of these had
been sent a malicious link, but they don't
-
necessarily prove that a phone has been
successfully compromised. So what I will
-
show now is some of the logs we can use to
show that a device was indeed compromised.
-
One of these files that was very useful
for us in our investigations was the so-called
-
data usage file. So the data usage
file in an iPhone is a file that records
-
information about how much mobile data
traffic each process on the phone has
-
used. So this may be used to, like, help
the iPhone keep track of, you know, which
-
apps on your phone are using the most of
your mobile data. But what is really
-
helpful for this is that it actually
recorded the names of some of the Pegasus
-
processes and how much data each of these
Pegasus processes was using. So from all
-
we know about NSO's Pegasus, we believe
that when Pegasus is installed on a phone,
-
it will kind of pick a random name that it
uses to kind of hide itself running on
-
the system. Throughout our investigation
we found about 50 different process names
-
that the Pegasus process was using to try
and hide itself. And once we identified
-
these process names, then we could go and
look for these known Pegasus
-
process names on devices of potential
targets. What's happened, this database
-
also shows a timestamp of when this
process name was first kind of started on
-
the device, when it was last seen on the
device. And also it gives you some kind of
-
information about how much data this
process transferred. In some cases, this
-
has been gigabytes of data which shows
that really the Pegasus spyware was
-
extracting a lot of data from the device.
And again, this is all automated in MVT
-
so if you check a phone using MVT with the
Pegasus indicators, it'll show quite
-
clearly if any of these processes have
been found on the device. Another feature
-
that's been very helpful for us and in our
analysis is the timeline feature of MVT.
-
So how the timeline feature works is it
takes all of the different indicators and
-
modules on the phone, so it checks
the SMS messages, it checks the file
-
system, and every event, like every
SMS message, every web browser lookup will
-
all be recorded in a single file with the
date that it happened. So by looking at
-
this timeline, we can often see what
different events happened around the same
-
time as each other, and this can give us
some idea about how attacks
-
were actually delivered on this device. So
I want to give you just one example
-
of how this timeline can be used. Just so
you know how to use this timeline in your
-
own investigations. So this is actually a
demonstration of the phone of a Rwandan
-
activist who was targeted in June 2021
using the FORCEDENTRY iMessage zero-day.
-
So we can see here on the timeline that at
8:45 p.m., we see the phone began to
-
receive some push notifications over
iMessage. So it seems it receives like 46
-
push notifications. And then what we saw
was that SMS attachments began to be
-
written to the phone. So in the final line
here, we see that a file is written
-
to the SMS attachments directory.
And if you look at the end of the line, we
-
see that the file being written to
disk actually had a .GIF attachment. So at
-
the time we thought this was something to
do with the exploit somehow. NSO was
-
delivering their exploit in that GIF file.
If we look a little bit later in the
-
timeline, we see that about 10 minutes
later, on the same day, a Pegasus process
-
starts running on the phone. This otpgrefd
process. Shortly afterwards, some
-
additional files are written on disk and
some more Pegasus processes start. So by
-
looking at this timeline together, we can
see quite clearly that the phone began to
-
receive iMessage messages. These GIF
attachments start to be written on the
-
disk and then about 10 minutes later, the
phone was compromised with Pegasus. So
-
remember here, there was no
interaction from the user; they didn't
-
click on any link. As far as we are aware
they didn't even notice anything
-
happening on the device. These messages
were simply silently delivered, and
-
after 10 or 20 minutes,
Pegasus began to gain access to the
-
device. So we've shared some of these
findings with Apple, and then later in
-
September 2021, Citizen Lab
identified a copy of this exploit on
-
the phone of another activist and
they shared it with Apple, and Apple
-
patched this vulnerability in September
2021. So that's a little bit of how MVT
-
works and how some of this methodology
works to identify Pegasus on a
-
device. So since we published our forensic
methodology and our tools, many other
-
groups and organisations have been using
these tools and methodology to check other
-
devices for signs of Pegasus and found
quite a number of new cases. Here on the
-
top right you're going to see an example
of another NGO, "Front Line Defenders", who
-
identified six Palestinian human rights
defenders who had their devices hacked
-
using Pegasus. In another case we see
that the Belgian military intelligence
-
services used a similar methodology to
check the phones of journalists in
-
Belgium, and they found that a
Belgian journalist, Peter Verlinden, had
-
his iPhone hacked, they suspected by
Rwanda. Again, we see another case where
-
French intelligence services confirmed
that a number of French journalists had
-
their phones hacked using Pegasus,
again using a similar methodology. So what
-
I'd like to highlight is MVT can really be
useful in identifying traces of Pegasus, but also
-
MVT is designed as a kind of generic
mobile forensic tool. So when used with
-
Pegasus indicators it will find Pegasus,
but it also can be used to go and
-
proactively search for new kinds of
spyware. So I really recommend that if
-
you're suspicious that phones may be
targeted with this kind of spyware, you
-
can use MVT to extract some data and then
dig into it. If the person is a member of
-
civil society or an activist then Amnesty
and other organisations will be happy to
-
help support these investigations. And
also, MVT is an open source tool. It's
-
based on different modules, and so we're
always open to ideas for new modules
-
and new detection ideas to help make this
tool better and better able to detect new
-
kinds of threats. One thing to remember
about MVT is that it's designed to detect
-
some kinds of spyware. Unfortunately, the
people who develop this spyware, they're
-
smart people and they read these
reports and they watch these kinds of
-
presentations. And every time we publish
information about how to detect these
-
kinds of spyware targeting civil society,
the different spyware vendors and actors
-
will try to improve their tools to avoid
them being detected. They'll try to kind
-
of upgrade their infrastructure to hide it
again or to better obscure their
-
activities. So just to give an example,
here's some of the development of NSO's
-
own infrastructure over time. We see that
after Amnesty published the
-
report in 2018, NSO infrastructure was shut
down, and then later over the next two
-
years it began to run more
infrastructure, which was again shut down
-
after discovery in 2021. So it's a
constant arms race. And so while
-
these tools are useful to detect
Pegasus now, it's not always going to be
-
just automatic, and it's important to do
further research to try and identify new
-
traces of new kinds of attacks. So what is
the future for mobile spyware? So one
-
thing I'd like to reiterate is that while
we focus a lot on NSO Group and Pegasus in
-
this research and in this
talk, and there's also been a lot of focus
-
on NSO Group, it's not the only mobile
spyware out there, and there are definitely
-
many other players who are trying to get
into the space and trying to also develop
-
similar kinds of spyware tools, which are
then sold to different customers.
-
We've seen that from this investigation.
We found at least 180 journalists who are
-
potential targets of Pegasus and many
other human rights activists and
-
opposition politicians who have been
targeted with these tools over the last number
-
of years. So far, these threat actors and
these state agencies are able to
-
target activists and civil society with
impunity due to a lack of visibility and
-
telemetry on mobile platforms. They've
just been getting away with it because
-
they haven't been detected. So tools such
as MVT can help expose some of these
-
threats, but they need to be used more
widely and need to be used with more civil
-
society to really understand the full
scope of these kinds of threats. And it's
-
also important that industry, the tech
industry and the security industry work
-
closely with civil society to help detect
and expose these threats because
-
unfortunately, the people most at risk
from these kinds of really serious attacks
-
are some of the people who are the least
equipped, both financially and technically,
-
to defend against them. So to conclude,
I think we're going to continue to see
-
attackers focusing on mobile. Mobile is
where all the data is. No other place
-
gives you as much insight into somebody's
life and all their innermost
-
thoughts. Even just having a microphone in
everybody's pocket is
-
such a powerful position to be in that we
think companies and states will continue
-
trying to develop these kinds of tools. I
think that zero-click exploits
-
are going to be highly, highly desirable.
So while Apple and others have done a
-
great job in making attacks against
iMessage more difficult, it's almost
-
certain that these kinds of cyber
surveillance companies will continue
-
trying to develop zero-click exploits. If
not for iMessage then maybe for other chat
-
platforms, I don't know, like Signal or
Telegram or WhatsApp; they're going to try
-
to attack other applications that
activists are using. Unfortunately it's
-
not possible for activists and civil
society to protect themselves from these
-
kinds of zero-day attacks in a technical
sense. So we definitely need more active
-
collaboration between civil society and
key platform vendors to help identify and
-
defend against these threats. And also, we
urgently need better regulation to prevent
-
these kinds of really sophisticated
spyware tools being sold to states and
-
agencies which have a long history of
abusing them to target civil society and
-
opposition. So thank you all for
listening, and I'm happy to answer some
-
questions now. If you have some questions,
or if you are a
-
member of civil society or an activist
and are concerned about surveillance, please
-
feel free to contact us at share@amnesty.tech.
Thank you.
-
Herald: Thank you Donncha. Thank you from
C-Base. We have already taken some
-
overtime this early hacker morning. Some
small questions have been popping up
-
internally here from our tiny
audience at C-Base. We don't have that
-
much time left. Just can you give us an
indication: What is the pace of this
-
ongoing war? Do you feel that NSO group is
actively fighting MVT and your tool
-
development, or didn't you get this
honor yet?
-
D: Definitely. Even in the
past year, we saw NSO starting to be more
-
careful about cleaning up their forensic
traces, and since 2020, they've begun to
-
already clean some of the traces that
we've been using. And it's clear they've
-
realized that people are investigating,
that there is a risk of people discovering
-
this stuff, and I feel like after the
revelations of this summer, they're going
-
to be much more proactive in trying
to clean up some of these traces. But as I
-
said, NSO is one company out there;
there are also many other companies trying
-
to compete in the same space. So even if
NSO gets better, then, you know, other
-
companies are still out there and can
still be caught using MVT and
-
fundamentally, even if they - they clean
up some traces for any kind of failed
-
attacks, these traces are still going to
be left around because it won't be
-
possible for the spyware to clean up
its traces.
-
H: Uhm-Hmm. So one could still, after an
attack, eventually, on an old
-
device years later, discover that there had
been some spyware activity, which may be,
-
in the long run, interesting information
about dark campaigns and things. So NSO is
-
not the only actor, there will be more. Do
you feel that there are just copycats in
-
the market or do you think there will be
completely new threats in the future?
-
D: So I guess there are always lots
of smart people who work for these
-
companies who are trying to develop these
tools. Just earlier this month,
-
Citizen Lab published a report about
another cyber surveillance vendor called
-
Cytrox based in North Macedonia, and they
were selling similar spyware, which is
-
using kind of one-click attacks using
links to help compromise iPhones and
-
Android phones. So that's one company
that's competing in this space. There's
-
other companies doing similar kinds
of targeting, but we believe, you know,
-
NSO was definitely the biggest company in
this space, and they had a lot of money to
-
invest in, especially in these kind of
zero-click attacks. So for now, we don't
-
know if they're a company that's as big or
sophisticated as NSO, but I think many
-
others will be trying to take their place
if NSO becomes less popular.
-
H: I see. I see. OK, thank you very much.
We have to go over to the RC3 morning
-
show in a few seconds. Thank you very much
for this interesting talk this morning.
-
Again, share@amnesty.tech is the address
to go to. And this is probably one of the
-
talks you want to watch again on
media.ccc.de in a few days when it has
-
been published. So greetings to Ireland.
Thank you very much and we will meet and
-
see each other again in real life, I hope. Thank you.
D: Thank you very much. Have a good day.
-
Everything is licensed under CC BY 4.0.
And it is all for the community, to download
-
Subtitles created by c3subtitles.de
in the year 2022. Join, and help us!