The Spies Hacking our Phones are Going Dark, and We're All in Trouble

Nation-states are increasingly abusing powerful commercial hacking and spyware tools to covertly surveil and invisibly sabotage entities they deem political threats, such as investigative journalists, human rights activists, and lawyers. Tools from companies such as EU-based FinFisher and Hacking Team, an Israel-based Cyberbit and NSO Group, allow their government clients to break into targets' computers and phones, access private files and passwords and even spy on activity in the vicinity of the device through its webcam and microphone. In 2018, we discovered likely attempts by the Mexican Government to spy on the phones of the wife and colleagues of a slain journalist, as well as a Saudi-linked surveillance operation that infected the phone of one of Jamal Khashoggi's close associates in the weeks leading up to his assassination.

Our identification of spyware targets is often a laborious process, driven by close work with targeted communities, and the establishment of delicate trust relationships which can take months or years to crystallize. We instruct targets to forward us suspicious links or attachments (common spyware vectors) for our analysis, and in some cases, we perform programmatic scanning of targets' email messages and devices. After we analyze spyware samples, we can perform global Internet scanning and DNS cache probing to map out the global extent of the activity. Though our work has uncovered dozens of cases of commercial spyware abuse around the world, it also suggests that the scale of the problem is significantly broader.

Compounding the difficulty of identifying targets is a trend towards the use of unavoidable zero-day zero-click attacks which leave little or no footprint that a target can notice and flag to us for analysis. Even in cases where a target is suspicious of compromise, legal and technical hurdles may preclude us from obtaining corroborating data from device forensics or cloud platforms. Two reported cases of these zero-click attacks have been recently documented through careful journalistic work with knowledgeable sources, including a hack of BBC and Al Jazeera journalists using an iMessage vulnerability, and a hack of a human rights lawyer using a WhatsApp vulnerability. These attacks cannot be prevented by a target's scrupulous security behaviors, such as screening suspicious messages or installing updates.

In this talk, we will illustrate the Citizen Lab methodology for identifying commercial spyware abuses, using cases from our most recent research, and highlight how developers, platforms, and fellow researchers can all help in addressing the problem of spies "going dark." It is clear that business as usual in the commercial spyware sector threatens our freedoms of thought and action, and perhaps democracy itself. Academic research, especially that which identifies specific cases of abuse can be an effective means to create accountability in the industry, and ultimately put an end to the misuse of these powerful espionage tools for political gain.