What you need to know about stalkerware

  • 0:01 - 0:06
    I want you to travel back in time with me,
  • 0:06 - 0:09
    to the before time, to 2017.
  • 0:09 - 0:11
    I don't know if you can remember it,
  • 0:11 - 0:13
    dinosaurs were roaming the earth.
  • 0:13 - 0:15
    I was a security researcher,
  • 0:15 - 0:17
    I had spent about five or six years
  • 0:17 - 0:20
    doing research on the ways in which APTs,
  • 0:20 - 0:25
    which is short for advanced
    persistent threats,
  • 0:25 - 0:29
    which stands for nation-state actors,
  • 0:29 - 0:33
    spy on journalists and activists
  • 0:33 - 0:35
    and lawyers and scientists
  • 0:35 - 0:39
    and just generally people
    who speak truth to power.
  • 0:39 - 0:41
    And I'd been doing this for a while
  • 0:41 - 0:45
    when I discovered
    that one of my fellow researchers,
  • 0:45 - 0:48
    with whom I had been
    doing this all this time,
  • 0:48 - 0:53
    was allegedly a serial rapist.
  • 0:55 - 0:57
    So the first thing that I did
  • 0:57 - 1:00
    was I read a bunch of articles about this.
  • 1:00 - 1:03
    And in January of 2018,
  • 1:03 - 1:08
    I read an article
    with some of his alleged victims.
  • 1:08 - 1:12
    And one of the things
    that really struck me about this article
  • 1:12 - 1:14
    is how scared they were.
  • 1:14 - 1:16
    They were really frightened,
  • 1:16 - 1:21
    they had, you know,
    tape over the cameras on their phones
  • 1:21 - 1:22
    and on their laptops,
  • 1:22 - 1:25
    and what they were worried about
    was that he was a hacker
  • 1:25 - 1:27
    and he was going to hack into their stuff
  • 1:27 - 1:29
    and he was going to ruin their lives.
  • 1:29 - 1:32
    And this had kept them silent
    for a really long time.
  • 1:32 - 1:36
    So, I was furious.
  • 1:37 - 1:41
    And I didn't want anyone
    to ever feel that way again.
  • 1:41 - 1:44
    So I did what I usually do when I'm angry:
  • 1:44 - 1:45
    I tweeted.
  • 1:45 - 1:47
    (Laughter)
  • 1:47 - 1:49
    And the thing that I tweeted
  • 1:49 - 1:53
    was that if you are a woman
    who has been sexually abused by a hacker
  • 1:53 - 1:56
    and that hacker has threatened
    to break into your devices,
  • 1:56 - 1:58
    that you could contact me
  • 1:58 - 2:00
    and I would try to make sure
  • 2:00 - 2:05
    that your device got a full,
    sort of, forensic look over.
  • 2:05 - 2:07
    And then I went to lunch.
  • 2:07 - 2:09
    (Laughter)
  • 2:10 - 2:12
    Ten thousand retweets later,
  • 2:12 - 2:13
    (Laughter)
  • 2:13 - 2:17
    I had accidentally started a project.
  • 2:18 - 2:23
    So every morning,
    I woke up and my mailbox was full.
  • 2:23 - 2:28
    It was full of the stories
    of men and women
  • 2:28 - 2:33
    telling me the worst thing
    that had ever happened to them.
  • 2:33 - 2:38
    I was contacted by women
    who were being spied on by men,
  • 2:38 - 2:40
    by men who were being spied on by men,
  • 2:40 - 2:42
    by women who were being spied on by women,
  • 2:42 - 2:45
    but the vast majority
    of the people contacting me
  • 2:45 - 2:49
    were women who had been
    sexually abused by men
  • 2:49 - 2:51
    who were now spying on them.
  • 2:51 - 2:53
    The one particularly interesting case
  • 2:53 - 2:55
    involved a man who came to me,
  • 2:55 - 3:00
    because his boyfriend had outed him as gay
  • 3:00 - 3:04
    to his extremely
    conservative Korean family.
  • 3:04 - 3:09
    So this is not just
    a men-spying-on-women issue.
  • 3:10 - 3:13
    And I'm here to share
  • 3:13 - 3:16
    what I learned from this experience.
  • 3:17 - 3:20
    What I learned is that data leaks.
  • 3:20 - 3:22
    It's like water.
  • 3:22 - 3:24
    It gets in places you don't want it.
  • 3:24 - 3:25
    Human leaks.
  • 3:25 - 3:27
    Your friends give away
    information about you.
  • 3:27 - 3:30
    Your family gives away
    information about you.
  • 3:30 - 3:32
    You go to a party,
  • 3:32 - 3:35
    somebody tags you as having been there.
  • 3:35 - 3:36
    And this is one of the ways
  • 3:36 - 3:38
    in which abusers pick up
    information about you
  • 3:38 - 3:41
    that you don't otherwise
    want them to know.
  • 3:41 - 3:46
    It is not uncommon for abusers
    to go to friends and family
  • 3:46 - 3:49
    and ask for information
    about their victims
  • 3:49 - 3:52
    under the guise of being concerned
    about their "mental health."
  • 3:53 - 3:56
    A form of leak that I saw
  • 3:56 - 4:00
    was actually what we call
    account compromise.
  • 4:00 - 4:03
    So your Gmail account,
  • 4:03 - 4:06
    your Twitter account,
  • 4:06 - 4:08
    your Instagram account,
  • 4:08 - 4:10
    your iCloud,
  • 4:10 - 4:12
    your Apple ID,
  • 4:12 - 4:13
    your Netflix, your TikTok --
  • 4:13 - 4:15
    I had to figure out what a TikTok was.
  • 4:16 - 4:18
    If it had a login,
  • 4:18 - 4:21
    I saw it compromised.
  • 4:21 - 4:26
    And the reason for that is because
    your abuser is not always your abuser.
  • 4:26 - 4:30
    It is really common for people
    in relationships to share passwords.
  • 4:30 - 4:33
    Furthermore, people who are intimate,
  • 4:33 - 4:34
    who know a lot about each other,
  • 4:34 - 4:36
    can guess each other's security questions.
  • 4:36 - 4:39
    Or they can look over
    each other's shoulders
  • 4:39 - 4:42
    to see what code they're using
    in order to lock their phones.
  • 4:42 - 4:44
    They frequently have
    physical access to the phone,
  • 4:44 - 4:47
    or they have physical access
    to the laptop.
  • 4:47 - 4:51
    And this gives them a lot of opportunity
  • 4:51 - 4:54
    to do things to people's accounts,
  • 4:54 - 4:56
    which is very dangerous.
  • 4:56 - 4:59
    The good news is that we have advice
  • 4:59 - 5:01
    for people to lock down their accounts.
  • 5:01 - 5:05
    This advice already exists,
    and it comes down to this:
  • 5:05 - 5:10
    Use strong, unique passwords
    for all of your accounts.
  • 5:12 - 5:15
    Use more strong, unique passwords
  • 5:15 - 5:18
    as the answers to your security questions,
  • 5:18 - 5:22
    so that somebody who knows
    the name of your childhood pet
  • 5:22 - 5:24
    can't reset your password.
  • 5:25 - 5:29
    And finally, turn on the highest level
    of two-factor authentication
  • 5:29 - 5:31
    that you're comfortable using.
  • 5:31 - 5:35
    So that even if an abuser
    manages to steal your password,
  • 5:35 - 5:37
    because they don't have the second factor,
  • 5:37 - 5:40
    they will not be able
    to log into your account.
  • 5:40 - 5:42
    The other thing that you should do
  • 5:42 - 5:48
    is you should take a look
    at the security and privacy tabs
  • 5:48 - 5:49
    for most of your accounts.
  • 5:49 - 5:51
    Most accounts have
    a security or privacy tab
  • 5:51 - 5:55
    that tells you
    what devices are logging in,
  • 5:55 - 5:58
    and it tells you where
    they're logging in from.
  • 5:58 - 6:00
    For example, here I am,
  • 6:00 - 6:02
    logging in to Facebook from the La Quinta,
  • 6:02 - 6:03
    where we are having this meeting,
  • 6:03 - 6:05
    and if for example,
  • 6:05 - 6:08
    I took a look at my Facebook logins
  • 6:08 - 6:10
    and I saw somebody logging in from Dubai,
  • 6:10 - 6:12
    I would find that suspicious,
  • 6:12 - 6:15
    because I have not been
    to Dubai in some time.
  • 6:16 - 6:19
    But sometimes, it really is a RAT.
  • 6:19 - 6:22
    If by RAT you mean remote access tool.
  • 6:22 - 6:25
    And remote access tool
  • 6:25 - 6:30
    is essentially what we mean
    when we say stalkerware.
  • 6:30 - 6:34
    So one of the reasons why
    getting full access to your device
  • 6:34 - 6:36
    is really tempting for governments
  • 6:36 - 6:39
    is the same reason why
    getting full access to your device
  • 6:39 - 6:44
    is tempting for abusive partners
    and former partners.
  • 6:45 - 6:49
    We carry tracking devices
    around in our pockets all day long.
  • 6:49 - 6:53
    We carry devices
    that contain all of our passwords,
  • 6:53 - 6:55
    all of our communications,
  • 6:55 - 6:58
    including our end-to-end
    encrypted communications.
  • 6:58 - 7:01
    All of our emails, all of our contacts,
  • 7:01 - 7:05
    all of our selfies are all in one place,
  • 7:05 - 7:08
    often our financial information
    is also in this place.
  • 7:08 - 7:11
    And so, full access to a person's phone
  • 7:11 - 7:16
    is the next best thing
    to full access to a person's mind.
  • 7:16 - 7:22
    And what stalkerware does
    is it gives you this access.
  • 7:22 - 7:26
    So, you may ask, how does it work?
  • 7:26 - 7:27
    The way stalkerware works
  • 7:27 - 7:31
    is that it's a commercially
    available program,
  • 7:31 - 7:34
    which an abuser purchases,
  • 7:34 - 7:37
    installs on the device
    that they want to spy on,
  • 7:38 - 7:39
    usually because they have physical access
  • 7:40 - 7:45
    or they can trick their target
    into installing it themselves,
  • 7:45 - 7:46
    by saying, you know,
  • 7:46 - 7:50
    "This is a very important program
    you should install on your device."
  • 7:50 - 7:54
    And then they pay the stalkerware company
  • 7:54 - 7:57
    for access to a portal,
  • 7:57 - 8:00
    which gives them all
    of the information from that device.
  • 8:00 - 8:04
    And you're usually paying
    something like 40 bucks a month.
  • 8:04 - 8:07
    So this kind of spying
    is remarkably cheap.
  • 8:10 - 8:11
    Do these companies know
  • 8:12 - 8:16
    that their tools
  • 8:16 - 8:19
    are being used as tools of abuse?
  • 8:19 - 8:20
    Absolutely.
  • 8:20 - 8:23
    If you take a look
    at the marketing copy for Cocospy,
  • 8:23 - 8:24
    which is one of these products,
  • 8:24 - 8:28
    it says right there on the website
  • 8:28 - 8:31
    that Cocospy allows you
    to spy on your wife with ease,
  • 8:31 - 8:34
    "You do not have to worry
    about where she goes,
  • 8:34 - 8:37
    who she talks to
    or what websites she visits."
  • 8:37 - 8:38
    So that's creepy.
  • 8:39 - 8:42
    HelloSpy, which is another such product,
  • 8:42 - 8:47
    had a marketing page
    in which they spent most of their copy
  • 8:47 - 8:49
    talking about the prevalence of cheating
  • 8:49 - 8:52
    and how important it is
    to catch your partner cheating,
  • 8:52 - 8:55
    including this fine picture of a man
  • 8:55 - 8:57
    who has clearly just caught
    his partner cheating
  • 8:57 - 8:58
    and has beaten her.
  • 8:58 - 9:01
    She has a black eye,
    there is blood on her face.
  • 9:01 - 9:05
    And I don't think that there is
    really a lot of question
  • 9:05 - 9:10
    about whose side HelloSpy is on
    in this particular case.
  • 9:10 - 9:12
    And who they're trying to sell
    their product to.
  • 9:15 - 9:21
    It turns out that if you have stalkerware
    on your computer or on your phone,
  • 9:21 - 9:25
    it can be really difficult to know
    whether or not it's there.
  • 9:25 - 9:26
    And one of the reasons for that
  • 9:26 - 9:29
    is because antivirus companies
  • 9:29 - 9:35
    often don't recognize
    stalkerware as malicious.
  • 9:36 - 9:38
    They don't recognize it as a Trojan
  • 9:38 - 9:41
    or as any of the other stuff
    that you would normally find
  • 9:41 - 9:42
    that they would warn you about.
  • 9:42 - 9:46
    These are some results
    from earlier this year from VirusTotal.
  • 9:46 - 9:49
    I think that for one sample
    that I looked at
  • 9:49 - 9:54
    I had something like
    a result of seven out of 60
  • 9:54 - 9:57
    of the platforms recognized
    the stalkerware that I was testing.
  • 9:57 - 10:01
    And here is another one
    where I managed to get 10,
  • 10:01 - 10:02
    10 out of 61.
  • 10:02 - 10:06
    So these are still some very bad results.
  • 10:08 - 10:11
    I have managed to convince
    a couple of antivirus companies
  • 10:11 - 10:15
    to start marking stalkerware as malicious.
  • 10:15 - 10:16
    So that all you have to do
  • 10:16 - 10:19
    if you're worried about having
    this stuff on your computer
  • 10:19 - 10:22
    is you download the program,
  • 10:22 - 10:24
    you run a scan and it tells you
  • 10:24 - 10:28
    "Hey, there's some potentially
    unwanted program on your device."
  • 10:28 - 10:30
    It gives you the option of removing it,
  • 10:30 - 10:32
    but it does not remove it automatically.
  • 10:32 - 10:34
    And one of the reasons for that
  • 10:34 - 10:36
    is because of the way that abuse works.
  • 10:36 - 10:39
    Frequently, victims of abuse aren't sure
  • 10:39 - 10:41
    whether or not they want
    to tip off their abuser
  • 10:41 - 10:43
    by cutting off their access.
  • 10:43 - 10:49
    Or they're worried that their abuser
    is going to escalate to violence
  • 10:49 - 10:52
    or perhaps even greater violence
  • 10:52 - 10:54
    than they've already been engaging in.
  • 10:56 - 10:58
    Kaspersky was one
    of the very first companies
  • 10:58 - 11:01
    that said that they were going to start
    taking this seriously.
  • 11:01 - 11:05
    And in November of this year,
  • 11:05 - 11:07
    they issued a report in which they said
  • 11:07 - 11:11
    that since they started tracking
    stalkerware among their users
  • 11:11 - 11:16
    they had seen
    an increase of 35 percent.
  • 11:18 - 11:21
    Likewise, Lookout came out
    with a statement
  • 11:21 - 11:24
    saying that they were going to take this
    much more seriously.
  • 11:24 - 11:29
    And finally, a company called Malwarebytes
    also put out such a statement
  • 11:29 - 11:33
    and said that they had found
    2,500 programs
  • 11:33 - 11:35
    in the time that they had been looking,
  • 11:35 - 11:38
    which could be classified as stalkerware.
  • 11:39 - 11:45
    Finally, in November
    I helped to launch a coalition
  • 11:45 - 11:48
    called the Coalition Against Stalkerware,
  • 11:48 - 11:52
    made up of academics,
  • 11:52 - 11:55
    people who are doing
    this sort of thing on the ground --
  • 11:55 - 12:02
    the practitioners of helping people to
    escape from intimate partner violence --
  • 12:02 - 12:04
    and antivirus companies.
  • 12:04 - 12:10
    And our goal is both to educate people
    about these programs,
  • 12:10 - 12:13
    but also to convince
    the antivirus companies
  • 12:13 - 12:15
    to change the norm
  • 12:15 - 12:20
    in how they act around
    this very scary software,
  • 12:20 - 12:23
    so that soon, if I get up in front of you
  • 12:23 - 12:25
    and I talk to you about this next year,
  • 12:25 - 12:28
    I could tell you that the problem
    has been solved,
  • 12:28 - 12:31
    and all you have to do
    is download any antivirus
  • 12:31 - 12:35
    and it is considered normal
    for it to detect stalkerware.
  • 12:35 - 12:37
    That is my hope.
  • 12:37 - 12:38
    Thank you very much.
  • 12:38 - 12:43
    (Applause)
Title:
What you need to know about stalkerware
Speaker:
Eva Galperin
Description:

"Full access to a person's phone is the next best thing to full access to a person's mind," says cybersecurity expert Eva Galperin. In an urgent talk, she describes the emerging danger of stalkerware -- software designed to spy on someone by gaining access to their devices without their knowledge -- and calls on antivirus companies to recognize these programs as malicious in order to discourage abusers and protect victims.

Video Language:
English
Team:
closed TED
Project:
TEDTalks
Duration:
12:56