The Citizen Lab research team at the University of Toronto performs some of the most important and sensitive work on targeted threats, surveillance, and attacks on civil society. Dennis Fisher spoke with Ron Deibert, director of Citizen Lab, for a recent podcast about the team's investigation into the exploitation of a vulnerability in WhatsApp to target journalists and activists. This is a partial, edited transcript of the podcast.
Dennis Fisher: I wanted to dig a little bit into your work in the WhatsApp-NSO research, which is the most recent stuff you guys have been involved in. This all came back to light a couple of weeks ago when WhatsApp/Facebook decided to file a suit against NSO Group, which is a maker of surveillance software that is very well known/infamous in the security industry. A lot of this goes back to research that you did earlier this year. Give us a little bit of background on the vulnerability that was being exploited and how you guys got involved in assisting in that investigation.
Ron Deibert: I would actually say this is part of a trajectory that even goes back to GhostNet, and so we started looking at cyber espionage against civil society, and those early reports, GhostNet and others like them, were mostly focused on state actors, looking at the techniques they used to undertake cyber espionage. And, beginning around 2011, 2012, we started noticing that there was this new industry developing, the market for commercial spyware. I can clearly remember when I first came across this, that what it looked like to me were companies that were packaging malware and branding it as a product and a service. And very quickly this market proliferated, especially around the time of the Snowden disclosures, which I think ironically acted as a bit of a blueprint, a kind of catalog for states in terms of what they could be doing in cyberspace.
So we started looking more carefully at the industry, examining espionage campaigns against human rights defenders and journalists that involved spyware from different companies like Hacking Team, FinFisher and others. And naturally we were led to NSO Group because beginning around 2015, 2016, I think they really started to emerge as a significant player. And we have been tracking some of their infrastructure. We were looking at a campaign emanating from the United Arab Emirates, which turned out to be a company called Dark Matter. We didn't know it at the time, but we published a report called Stealth Falcon, and as we were doing the research for that report, we came across some of the infrastructure of NSO Group. It wasn't until August of 2016 that we encountered their spyware called Pegasus.
And this came as a result of a human rights defender in the UAE who was receiving text messages that contained links to NSO Group's infrastructure. He shared those with us and we loaded them onto an iPhone in a laboratory setting, effectively infected our own device and got a copy of the Pegasus spyware. So from August 2016, right up to the present time, we have been monitoring NSO's infrastructure, looking at attacks as we come across them from various targeted individuals. I guess the biggest of them was around the Mexican case, where we saw more than two dozen targets and a widespread abuse of NSO product offerings. After those reports came out in 2017, 2018, targets initiated legal action against NSO. And in the spring of 2019, a lawyer representing some of those targets in those litigation cases reported to us that his phone was evincing some disturbing, questionable characteristics. He would be receiving dropped phone calls from odd phone numbers. We had heard rumors in the security community that NSO had developed a very sophisticated iteration of their attack technology. And so we got in touch with the WhatsApp security team. They were already on the case investigating this and discovered that this exploit involved no-click targeting. In other words, all the operators had to do was simply ring up a phone number and the malware would take advantage of a flaw in the handshake for the initiation of the phone call over WhatsApp to effectively install the next phase of the malware and take over the device. So in May, as I said, we got in touch with the WhatsApp security team. They issued a patch, and from May until October Citizen Lab volunteered to do research on the dataset that they'd provided to us.
Dennis Fisher: That whole series of events is kind of incredible when you think about the sophistication and capabilities that that kind of spyware has. You know, as you mentioned, not just no-click, but all you would see is a missed call on your device. You didn't have to answer the call. There was no user interaction required. That's all that it took. And your device is infected with this spyware that the victim would clearly have almost no way of discovering.
Ron Deibert: Exactly. As I described it at the time when we first encountered it, to me it was like the nuclear option of spyware. There really is no meaningful defense for such an exploit.
Dennis Fisher: The targets of these kinds of operations are, as you mentioned earlier, almost always people in at-risk groups, civil rights defenders, political activists, sometimes journalists in countries with repressive regimes where they don't have a lot of defense mechanisms available to them.
Ron Deibert: Yeah. Well, it was interesting for us because we had a great opportunity here and again, it's important to understand we're academics, right? And so this was an important dataset for us. A very unique window, a snapshot into a set of targets that NSO clients would be going after. And it offered a rare opportunity for us to essentially test our claims about abuse. So, you know, we can't see everything that all of the clients of NSO are doing with NSO technology. We see victims here and there. We see infections checking in. We don't always know who the targets are when it comes to the network scanning that we do. And when we find targets, we don't know whether these exhaust all of the targets in a particular country. So we have a kind of limited window from different angles into NSO operations and how clients use this.
We had a set of data covering targeting for two weeks. And all we had from WhatsApp that they agreed to share with us were phone numbers. So with the phone numbers in hand, we then did essentially a kind of open source contextual research to associate names with the phone numbers and occupations with the names, and try to get a better sense of who precisely is being targeted, as WhatsApp has acknowledged in their public statements. In total during that two-week period, there were around 1,400 targets in more than 20 countries, of which we were able to determine more than a hundred were clearly abuse cases. In other words, NSO and other companies like it market their spyware publicly as a way to assist governments in fighting crime or terrorism, right? Yes, there are going to be a number of clients that will use it in that narrow way. But unfortunately, the world being what it is, there are numerous governments that lack accountability or oversight. There's widespread corruption and human rights problems that would lead them to abuse how the spyware is being deployed. And this case certainly bore that out. So we saw more than a hundred targets across 20 countries that by any reasonable person's definition are not criminals or terrorists. These are journalists, these are lawyers, women who are facing extortion.
"Maybe with the Facebook suit, it will create some momentum around doing something about the harms that were documented."
Dennis Fisher: And that's part of the issue with this kind of powerful surveillance software: once it's out of the can, there's very little that the manufacturers, no matter how scrupulous they may be, can do to control what the customers are doing with it.
Ron Deibert: That's exactly right. It's a structural problem, if you will. So you have this marketplace and companies like NSO Group, and I don't believe that NSO is being authentic when they make claims about controlling how their products are used. Because frankly, I've seen so many cases of widespread abuse that have come even after we've reported them. So I just don't believe that they have the capability or the will to properly control how their technology is being deployed. There may be other companies out there, I'm sure, that are more professional, that have more integrity or whatever, but it really doesn't matter because the issue is structural. There is no legal constraint at an international level on how these technologies are deployed. Some people say, well, can't there be export controls? Well, the fact of the matter is the government of Israel controls the export of NSO's technology. All of NSO's sales have to be licensed through the Israeli Ministry of Defense. And it may be the case that they're gaining some benefit by having NSO export to certain countries, a kind of value added when it comes to their own visibility into geopolitical issues. That comes as a byproduct of having an Israeli company service the security services of these states. So in the absence of any safeguards, naturally you're going to see widespread abuse. And that's what we're doing in terms of the research: raising awareness that this is a critical issue.
Dennis Fisher: It was really interesting to me to see the step that Facebook and WhatsApp took to file an actual lawsuit over this. In the absence of meaningful controls or regulation, I wonder if you anticipate other organizations that are somehow involved taking that same step.
Ron Deibert: Well, I hope so. That would be encouraging. I do think it is a very significant step that Facebook has taken here. You know, given the absence of any international controls and the unlikely prospect of governments doing anything to change that, it really leaves only some kind of litigation or maybe some kind of class action lawsuit or efforts like this. So, you know, when NSO is undertaking its service offering, it's actually piggybacking off of a lot of infrastructure and enabling governments and operators that use our technology to effectively violate local laws. And what we need to do is actually encourage various stakeholders to prevent that from happening or to punish the offenders when it does happen. So I hope that this serves as an important lesson or model for other companies to follow. I do think that the companies have a service to their users to protect them from this sort of abuse. And maybe with the Facebook suit, it will create some momentum around doing something about the harms that were documented.
Dennis Fisher: I wonder how much of an issue the kind of duality is between law enforcement agencies and intelligence agencies using this kind of software and us expecting law enforcement agencies to possibly prosecute misuses of the software. You know, it's kind of a conundrum in some cases.
Ron Deibert: Well, I think you're definitely correct that law enforcement is one of the client sectors that companies like NSO are actively targeting. Yeah. And there might be a kind of contradiction there. I think when it comes to the use of technology like NSO's by signals intelligence agencies, that may be one of the reasons why some governments are reluctant to get into this area in terms of controlling it, because it opens up a Pandora's box that they'd rather keep closed. You don't want to, you know, initiate a public discussion about particular uses of spyware. It might lead down a path that opens up other things that you don't want being publicly discussed. So I understand where the political constraints come from. However, I think that there are a lot of people, in my experience, people working for the Department of Justice in the United States or other law enforcement agencies in other countries, who take their mission very seriously and want to make sure that they pursue criminal offenses when they can, and certainly we're seeing criminal offenses emanating from the use of this technology. So I'm optimistic that we can, along with others, encourage more of this to happen.