Monday, November 29, 2021

Joel Trenaman: The Canadian lab that exposed a critical flaw that left Apple devices vulnerable

Citizen Lab identified a flaw that left Apple devices vulnerable to a 'zero-click' hack


Author of the article: Joel Trenaman, Special to National Post
Publishing date: Nov 28, 2021

On Nov. 23, Apple announced it is suing a global software developer following a security breach that left its operating systems vulnerable to surveillance. In September, Apple scrambled to issue a protective patch for a reported 1.65 billion devices that were vulnerable to the NSO Group’s notorious Pegasus spyware. How did Apple find out that it had been hacked? Canada’s Citizen Lab sounded the alarm.

NSO Group has licensed Pegasus to militaries, as well as intelligence and law enforcement agencies worldwide. Citizen Lab identified a flaw, which Pegasus had been exploiting, that left Apple devices vulnerable to a “zero-click” hack, in which malicious code can be planted on a device without any action by the user.


Citizen Lab is an interdisciplinary human rights, security and technology research group founded in 2001. It is part of the University of Toronto’s Munk School of Global Affairs and Public Policy, and examples of the lab’s focus areas include digital espionage, online freedom of expression, app privacy and security, and uses of personal data and surveillance tools.


The U of T group is not alone among Canadian academic and private institutional research groups, such as the Cyber Security Evaluation and Assurance Research Lab at Carleton University, which is exploring ways to protect Canada’s critical infrastructure from cyberattacks. The SecDev Foundation, the Waterloo Cybersecurity and Privacy Institute, Canadian Institute for Cybersecurity at University of New Brunswick and others also operate in this space.

What makes Citizen Lab stand out is how action-oriented it is at the confluence of public policy, rights, liberties and cybersecurity. One reason for this diverse approach is the background and skill set of its director and founder, Ron Deibert, who was first trained as a professor of political science, not a programmer or tech wizard.

The lab has a long track record of uncovering digital threats like the Apple attack. In recent months, it has also made headlines for exposing the use of Pegasus against New York Times bureau chief Ben Hubbard, and for a report analyzing how health data was used in the fight against COVID-19.

In today’s polarized world, another asset for Citizen Lab is that it’s difficult to detect any overt ideological or political biases. For example, its researchers thoroughly investigated both the hacking of Palestinian activists’ cellphones earlier this month (also via Pegasus), and what, in 2019, it dubbed “Endless Mayfly” — “an Iran-aligned network of inauthentic personas and social media accounts that spreads falsehoods and amplifies narratives critical of Saudi Arabia, the United States and Israel.”

Here at home, Citizen Lab has shown itself to be unafraid to apply the same even-handed approach and detailed critiques to Canadian public policy. For example, it has railed against the many forms of Chinese censorship, but went against the grain with a general conclusion on 5G that “Canada does not have a ‘Huawei problem’ per se.”

In September, in response to the federal Liberal government’s proposed online harms legislation (Bill C-36, which was at least temporarily scuttled by the election), Citizen Lab wrote a scathing submission to the Heritage Ministry, in which it called out what it saw as an “inadequate” consultation process, and an approach that will lead to “disproportionate levels of user censorship.”

It went on to call the draft regulation “an aggressive, algorithmic and punitive regime for content removal … without any substantive equality considerations or clear safeguards against abuse of process.” The authors also point to powers that would “explicitly deputize technology companies in the surveillance and policing of their users on behalf of Canadian law enforcement and intelligence agencies.”

This is the type of intelligent policy-making input that’s desperately needed in the current vacuum at the federal level. Governments everywhere are struggling to meaningfully protect privacy and curtail disinformation, without limiting speech, over-reaching on surveillance or curbing reasonable business interests. Yet governments simply don’t have the cutting-edge technological expertise found commercially or in the private sector and civil society. This is where an organization like Citizen Lab can play a major, forward-looking role.

Deibert told the Globe and Mail back in 2019 that the aforementioned Mayfly operation “may be a sign of things to come in an era when unsuspecting readers are increasingly preyed upon by far-flung factions out to manipulate the public discourse with disinformation spread by social media.”

Sound familiar here in 2021? There’s no end in sight to social media manipulation, state espionage, ransomware attacks and the like, and ideas like an international cyber arms control treaty seem laughable against the power of non-state actors. Now more than ever, we need independent, expert NGOs like Citizen Lab to identify and expose threats in the digital world.

National Post

Notorious Pegasus spyware faces its day of reckoning


The infamous hacking tool is now at the centre of international lawsuits thanks to a courageous research lab


Evidence suggests NSO’s Pegasus spyware has been used against human rights activists and journalists. 
Photograph: Amir Levy/Getty Images

Sat 27 Nov 2021 

If you were compiling a list of the most toxic tech companies, Facebook – strangely – would not come out on top. First place belongs to NSO, an outfit of which most people have probably never heard. Wikipedia tells us that “NSO Group is an Israeli technology firm primarily known for its proprietary spyware Pegasus, which is capable of remote zero-click surveillance of smartphones”.

Pause for a moment on that phrase: “remote zero-click surveillance of smartphones”. Most smartphone users assume that the ability of a hacker to penetrate their device relies upon the user doing something careless or naive – clicking on a weblink, or opening an attachment. And in most cases they would be right in that assumption. But Pegasus can get in without the user doing anything untoward. And once in, it turns everything on the device into an open book for whoever deployed the malware.

That makes it remarkable enough. But the other noteworthy thing about it is that it can infect Apple iPhones. This is significant because, traditionally, iPhones have been relatively secure devices and they are overwhelmingly the smartphone of choice for politicians, investigative journalists, human rights campaigners and dissidents in authoritarian countries.

Pegasus is so powerful it is classed as a munition and, as such, requires the permission of the Israeli government before it can be sold to foreign customers. And those customers, apparently, have to be governments. It’s not available as a consumer product. (The company insists it is only intended for use against criminals and terrorists.)

And it doesn’t come cheap. We don’t know what the current price is, but in 2016 NSO was apparently charging government agencies $650,000 for the capacity to spy on 10 iPhone users, along with a $500,000 setup fee. Government agencies in the United Arab Emirates and Mexico are believed to have been among NSO’s early customers, but my guess is that by now there isn’t an authoritarian or despotic state anywhere in the world that’s not on the company’s books, despite NSO’s claim that it vets its customers’ human rights record before selling to them. And those governments – it can be assumed – make predictably heinous uses of it. Evidence suggests Pegasus has been used in targeted attacks against human rights activists and journalists in various countries, was used in state espionage against Pakistan and, most grisly of all, may have been used by Saudi Arabia to spy on contacts of murdered dissident Jamal Khashoggi.

In a slightly farcical turn, at the same time that Emmanuel Macron’s iPhone was on a leaked list of potential targets for NSO spyware, it transpires that French government officials were allegedly in the final stages of contract negotiations to purchase Pegasus! The French have, needless to say, denied this, which only goes to support the old foreign correspondent’s adage that “you can never believe anything until it has been denied three times by the Élysée palace”.

Until quite recently, NSO was riding high. All that began to change at the beginning of this month when the Biden administration added NSO Group to its “Entity List” for acting “contrary to the national security or foreign policy interests of the US” and effectively banned the sale of hardware and software to the company. And last week Apple filed a lawsuit against NSO to hold it accountable for the surveillance and targeting of Apple users. The company is also seeking a permanent injunction to ban NSO from using any Apple software, services or devices. Needless to say, the Israeli government is up in arms about this, possibly because of revelations that phones of Palestinian human rights defenders have been “Pegasused”.

What’s mostly missing from coverage of these developments is that none of this would be happening had it not been for the skill, dedication and persistence of an extraordinary group of academic researchers at the Munk School of Global Affairs and Public Policy at the University of Toronto. The school’s Citizen Lab was set up in 2001 by Ronald Deibert, a political scientist who realised that the world would need a way of digging beneath the surface of our global communications networks to uncover the ways that power is covertly exercised in its subterranean depths.

Over the past 20 years, Deibert has built a formidable team that functions, in a way, as a kind of National Security Agency for civil society. For years, it was the only place where one could get an informed picture of what NSO was up to and without the lab’s work – and the personal courage of some of its researchers – I doubt that the US would have moved against the company. But even if NSO now slides into insolvency, Pegasus will not disappear, because there are plenty of non-democratic customers for its capabilities. What the Citizen Lab has shown is that the price of liberty is tech-savvy vigilance.

'Amoral 21st-century mercenaries’: problems mount for NSO Group

Israeli spyware firm’s problems go from bad to worse as scathing Apple lawsuit follows US blacklisting


A woman uses her iPhone in front of an NSO Group building in Herzliya, near Tel Aviv. Photograph: Jack Guez/AFP/Getty Images

Stephanie Kirchgaessner in Washington DC
THE GUARDIAN
Fri 26 Nov 2021 

Shalev Hulio, the co-founder of Israel’s NSO Group, was in Washington DC on a mission to try to resuscitate the surveillance company’s battered reputation on Capitol Hill shortly before the news broke that he had probably arrived too late to make a difference.

With little advance warning to its allies in Israel, the Biden administration announced on 3 November that it was putting the spyware maker – one of the most sophisticated cyber-weapons companies in the world – on a US blacklist, citing use of the company’s software by regimes around the world for “transnational repression”.

“That’s how little they knew. Then, boom, this came out,” said one person familiar with the matter.

Since then, the news has gone from bad to worse for the company, which has long defended itself against critics by claiming that its principal surveillance tool – the Pegasus software that can penetrate phones and intercept encrypted calls and messages – is used by governments around the world to silently hack into the phones of criminals and suspected terrorists, and save lives.

This week Apple, the world’s largest technology company, became the latest to challenge that narrative when it accused NSO in a scathing lawsuit filed in California of being “amoral 21st-century mercenaries” whose tools had invited “routine and flagrant abuse”.

“For their own commercial gain, they enable their customers to abuse [Apple] products and services to target individuals including government officials, journalists, businesspeople, activists, academics, and even US citizens,” Apple said in its lawsuit. While NSO was busy “hiding behind their unnamed customers”, it was committing “multiple violations of federal and state law” as it developed and used – “or assisted others in using” – tools that had harmed Apple’s users, the lawsuit alleged.
The NSO Group chief executive, Shalev Hulio (seen in Tel Aviv), visited Washington DC to try to mend relations with the Biden administration. 
Photograph: Ammar Awad/Reuters

Hours after the lawsuit was filed, activists said Apple began sending threat notification alerts to alleged victims of state-sponsored hackers in Thailand, El Salvador and Uganda. Reuters reported at least six Thai activists and researchers who have been critical of the government received the notification.

At the same time, the credit rating agency Moody’s warned NSO was at risk of defaulting on about $500m (£375m) in debt, which would force the group into insolvency.

For Alaa Mahajna, a lawyer who for years has waged a lonely – and difficult – legal battle against NSO, the company’s barrage of bad news has been vindicating.

“NSO spent years dismissing any criticism and dodging accountability for human rights violations. It is very encouraging that most major tech companies and the US government now see the pernicious effect of NSO’s technology,” he said.

Mahajna represents Omar Abdulaziz, a Saudi dissident living in exile in Canada who experts at the Citizen Lab at the University of Toronto have claimed was hacked in 2018, months before Abdulaziz’s friend, the journalist Jamal Khashoggi, was murdered in the Saudi embassy in Istanbul.

“As the first lawyer to bring legal proceedings against them, I am happy to see that these major actors are seeing what we saw four years ago. The atmosphere is definitely changing. It was and still is hard work for everyone involved, and some of us paid a price, but it is gratifying to see the tide turning,” Mahajna said.

There are other complications on the horizon. One person familiar with the matter said at least one bank working for NSO and related entities had voiced concern about its listing on the US commerce department’s entity list. A person close to NSO said its banking relationships were intact.

While placement on the list does not prohibit the provision of banking services, Kevin Wolf, a partner at law firm Akin Gump, said the listing did prohibit the transfer of any technology or software to the company from the US, a fact that generally made banks and other financial institutions who work for companies on the entity list nervous about the possibility that they could inadvertently fall foul of the rules over the normal course of business and provoke a response from the US government.

Another person familiar with the matter said Berkeley Research Group (BRG), a US-based consulting group appointed in August 2021 to manage the financial fund that owns a majority stake in NSO on behalf of its investors, consulted legal experts at the law firm McDermott Will & Emery to ensure its own work managing the fund did not inadvertently violate the entity list rules. It took those steps, a person said, as a matter of normal business practice and it is understood it received legal advice that the Biden administration’s actions did not prevent BRG from managing the fund’s NSO investment.

The main investors in the financial fund are US pension funds. A person familiar with BRG said it still had limited information about NSO’s decision-making.

Multiple media reports have suggested NSO is focused on trying to convince the Biden administration to remove the company from the entity list.

In response to the Guardian’s questions about its viability in the face of the developments, an NSO spokesperson said: “NSO Group remains strong, proud, and confident, and we will continue to provide technologies to help law enforcements catch paedophiles, terrorists and criminals.”

One person who spoke to the Guardian on condition of anonymity said the administration had been moved to act at least in part because of the number of US citizens who had been targeted using Pegasus in the past – including Americans living and working abroad.

NSO has denied its surveillance tools are used against US-based mobile phones.

The Pegasus project, a major investigation into NSO by the Guardian and other media outlets, which was coordinated by the French media group Forbidden Stories, reported in July that Carine Kanimba, the American daughter of Paul Rusesabagina, the imprisoned Rwandan activist who inspired the film Hotel Rwanda, had been the victim of a near-constant surveillance campaign by a government client using Pegasus in the first half of 2021. Forensic analysis of Kanimba’s phone, conducted by Amnesty International’s security lab, found it had been hacked multiple times while Kanimba, who is also Belgian and was living in Europe, was campaigning and lobbying for her father’s release.

In response to questions about Apple’s lawsuit this week, an NSO spokesperson said in a statement: “Thousands of lives were saved around the world thanks to NSO Group’s technologies used by its customers. Paedophiles and terrorists can freely operate in technological safe havens, and we provide governments the lawful tools to fight it. NSO Group will continue to advocate for the truth.”
