Good morning from c-base, the space station beyond, or under, Berlin, which welcomes you to day two of the rC3 streaming. We are starting in a few seconds with "Catching NSO Group's Pegasus spyware". This is something that has caught attention among the security and hacker communities all over the world in the last, I would guess, two years or so. There have been some spectacular cases of murder, kidnappings, journalists being threatened, and other things. The infamous software doing this is called Pegasus. It's marketed by a company known by the three-letter acronym NSO, whatever this stands for. Actually, Amnesty International and its IT department, so to say, have invested quite some effort into detecting whether a device has been infected by Pegasus or not. NSO marketed this, among other things, as so-called undetectable, undetectable as in software on a device, as we see. Our speaker today, Donncha, Donncha Ó Cearbhaill from Ireland and from Amnesty International, will be presenting how they developed detection tools for this nasty piece of spyware that has become so popular among secret services, state actors and others around the world. Okay, enough for the introduction. Donncha, the scene and the stream is yours.
Good morning, good morning, thank you for that introduction. So, as the intro said, today I'd like to talk to you about NSO Group's Pegasus spyware. I'd like to explain a little bit about how we at Amnesty have been investigating Pegasus over the past few years, and now also explain and demonstrate some of the tools we have developed and published so that others can also investigate and detect Pegasus spyware, potentially on their own devices or on the devices of other people in civil society.

So my name is Donncha Ó Cearbhaill and I'm a technologist based at the Amnesty International Security Lab in Berlin, with a small team which focuses on investigating targeted digital threats such as spyware, phishing and other kinds of surveillance directed against civil society and human rights defenders around the world.

So, as the intro said, Pegasus got a lot of attention in the past few months. You may have seen the Pegasus Project revelations that were published in July, during the summer. The Pegasus Project was a global investigation into abuses linked to NSO Group's Pegasus spyware. This investigation was based on a leaked data set of 50,000 potential Pegasus targets which Amnesty International and Forbidden Stories had access to, and so this global media investigation was coordinated by Forbidden Stories with the participation of about 80 journalists from 17 different media organizations around the world. During the Pegasus Project, Amnesty International had the role of a technical partner, and the focus for Amnesty International was to perform detailed, innovative forensic analysis on the devices of potential targets. Through this kind of forensic analysis and this technical work,
we were able to identify traces of Pegasus, either targeting or infection, on many devices. So over the multi-month project the Amnesty Security Lab analyzed about 67 devices, and from these 67 devices of potential targets at least 37 showed clear traces of Pegasus targeting or infection. So this is really quite a high number of infected devices, and these devices included journalists, activists, opposition political figures, all kinds of people who were being unlawfully surveilled using Pegasus. Overall, of the phones we checked which were iPhones and which hadn't been replaced, which still had data from the time of the targeting, more than 80% of the phones that were on this list of potential targets showed traces of Pegasus.

So in July these stories came out and they highlighted cases of civil society being targeted, such as journalists in Hungary, activists in Morocco, Saudi Arabian dissidents, also family members of Jamal Khashoggi, who the investigation showed had been targeted with Pegasus spyware both before and after his brutal murder. So yeah, you can go and read many of these stories online. Today I'd like to focus again on how we got there, how we developed these tools, how we developed this methodology for profiling Pegasus, and also explain how you can also go and do this kind of searching for Pegasus and for other mobile spyware.

So let's take a step back for a second and ask: what exactly is Pegasus? This name is well known, but what exactly is the software and how does it work?
So a first thing to remember is that, while Pegasus has become more well known in the last two years, it's not actually a new tool or a new product. We know Pegasus has been around and been developed by NSO Group since at least 2010. On the left-hand side here of the diagram you can see a Pegasus brochure from 2010, where it describes how Pegasus can be installed on BlackBerry devices, and we believe the original version of Pegasus was focused on BlackBerry because back in 2010 smartphones were less prevalent than they are now, and so BlackBerry was kind of a key target for some of the security agencies that may want to buy this kind of spyware.

So it developed over time. Here on the right-hand side we can see some diagrams from a leaked Pegasus brochure that was published in 2014. In the first diagram here it talks about how Pegasus is installed on a phone; in this example it's showing how a Pegasus infection link can be sent over SMS to the target device, and then it shows how the data can be collected and passed back to the operator of the Pegasus software. So that's just one example from their own diagrams. And here in the circle below you'll see a little bit of what Pegasus claims to be able to monitor, and if you look at it you can see it's basically everything on the device. So it's talking about collecting email addresses, collecting SMS messages, tracking location data, even reading the calendar, turning on the microphone of the phone. And so bear in mind, while this diagram is quite old, it's like six or seven years old, you get an idea of what kind of data the Pegasus software will try to collect from the phone. It can basically access every kind of data on the phone that might be of interest to somebody who's carrying out this surveillance.

One important thing to remember is that the Pegasus spyware is able to get very deep access to the phone. So it's fundamentally able to access
every piece of data on the phone that the user is able to access, and more. So even if you're using a messaging app such as Signal or Telegram, which may be encrypted, the Pegasus software is able to access that data and those messages before they are encrypted on the device. So once the spyware is running on the phone itself, none of these encrypted messaging apps will help, because it has such low-level access to the device. So that's a little bit about what exactly Pegasus tries to collect and what people can do using the Pegasus software.

So where exactly did the investigations into Pegasus start? If we go back as far as 2016, that was when Pegasus was first identified in the wild being used to target an activist. In this case, in 2016, Pegasus was first found by Citizen Lab, and Citizen Lab is a group of researchers based at the University of Toronto in Canada who also work on investigating spyware targeting civil society. In this case a UAE-based human rights defender named Ahmed Mansoor began to receive suspicious messages over SMS; you can see some screenshots of the messages on the right. Ahmed Mansoor was cautious, because in the past he had previously been targeted with other kinds of spyware tools, including FinFisher. So when he began to receive these messages he was cautious about them and he shared them with Citizen Lab, who then began to investigate them. What Citizen Lab realized is that these looked to be attack messages, and they opened these attack links on their own testing phone.
When they did this, they were able to capture the exploit that was being delivered over these links, and also able to capture a copy of the Pegasus payload. So what happens when these links are opened is that the link is opened in a web browser such as Safari. When the link is opened, the Pegasus server would return some JavaScript, some code that would exploit an unknown flaw in the Safari web browser, and by manipulating the Safari web browser and exploiting this unknown flaw they could then get their own code to start running inside this web browser, and eventually, with the help of some additional flaws, they could get more privileged access on the iPhone and eventually install the full Pegasus payload.

So yeah, Citizen Lab first found it in 2016. It was a very important discovery, and it showed just how serious some of the threats facing civil society were: that there were people willing to use these kinds of very expensive exploits to start targeting human rights defenders who are just doing their human rights work. Unfortunately, after this Ahmed Mansoor continued to get harassed, and he was sentenced to prison and he's currently still in prison, since 2017, so for about four years now.

So where did we at Amnesty start investigating this? Our team has been investigating these kinds of threats for a while, but really we started focusing on NSO and investigating NSO in 2018, after an Amnesty colleague of ours started to receive some suspicious messages. So this colleague received, in May 2018, this message.
You can see here on the left: the message is written in Arabic, but it claims that there is going to be a protest happening shortly outside the Saudi Arabian embassy, and they asked the Amnesty staff member to support the protest and then to click on this link for more information. Fortunately our Amnesty colleague, when they received this message, got quite suspicious. They were like, this is weird, I don't know this person. And so they shared a screenshot of this message with us at the Amnesty Security Lab and we began to investigate.

So quite quickly when we started looking at this, the domain name and the server, we agreed they looked kind of suspicious. We also managed to identify some additional domains and servers that were related to this original akhbar-arabia domain, and quite quickly it started to appear to us that this was indeed something suspicious and maybe it was some kind of attack message. At the time we didn't know it was necessarily NSO Group. By looking at the original servers here, we managed to create kind of a fingerprint: some way of identifying the particular configuration of the domain name and the server sent inside this message. With the aid of this fingerprint we then began to do what's called an internet scan. So we connected to every single server on the internet, sent a particular request, and then found any other server on the internet that matched this particular fingerprint, this particular configuration of the server. By doing this internet scanning, what we found was 600 different domains all across the internet that matched this fingerprint and that appeared to be related to the same kinds of attacks.

So what was really key is that we found that these domains were actually related to Pegasus, because NSO Group had made one key mistake, or key flaw, when they were setting up this infrastructure.
So what happened is, as described earlier, Citizen Lab had previously identified servers being used by NSO Group in 2016. After they were exposed in 2016, NSO shut down all of these domains and infrastructure and then began to set up new infrastructure that would not be related to NSO, or not linkable to NSO. Unfortunately, they made a mistake, because they had reused one domain name from the previous set of infrastructure, and it was also being used in this new set of infrastructure. So by finding this one domain out of 600 that had previously been used by NSO, we were able to show that these 600 domains were also related to Pegasus, and so we were able to show that this message that was sent to our Amnesty International colleague was indeed related to Pegasus and it was an attempt to compromise their device.

So we published these findings in August 2018, and at the time we also identified that another Saudi activist had similarly been targeted with a Pegasus exploit message over WhatsApp. Following this, Amnesty International also supported a legal action in Israel which asked the Israeli Ministry of Defense to revoke NSO's export licenses, to prevent this Pegasus software being sold to countries that would abuse it to target Amnesty and also target other human rights activists. Unfortunately, later the Israeli court rejected the legal complaint and said that the Israeli Ministry of Defense had adequate safeguards in place to prevent NSO's exports being sold to countries who would abuse it.

Here on the bottom left you can see a chart which shows the number of Pegasus servers online at the time. You can see here that when we published this report, NSO acted quite quickly to shut down the whole 500 or 600 servers that were being used to deliver Pegasus. So this just shows that, you know, NSO is reading this research, is paying attention to it, and is trying to avoid getting
their infrastructure and servers discovered by researchers who are investigating these kinds of abuses. So this was back in 2018. After discovering this attack against the Amnesty staff member, we at Amnesty continued trying to investigate Pegasus, continued trying to find more cases of abuse, and we next found Pegasus targeting happening in Morocco in 2019. You can see here on the right: this time we found that a Moroccan human rights defender named Maati Monjib was being targeted repeatedly with Pegasus. When we checked his phone we found that he had some suspicious messages. The messages claimed that there is some scandal or there's some news story, and they're asking the target to click on these links to find out more information. When we looked at these links we knew immediately that they were Pegasus links, because we had previously identified these domains as among the 600 domains that were being used in 2018. So for example, in the second message here on the right, we see the domain videosdownload.co. We knew this was Pegasus because we had previously identified and published this domain in 2018.

So this time we knew Maati was being targeted with Pegasus, but we realized we needed to do some more investigation to see if his phone was indeed compromised, or if we could collect more information from his device. When we did this we actually found something quite interesting on Maati's phone, because we found what we believed was evidence of a new type of targeting on his phone. Instead of relying on the target being tricked into clicking on a link, which is maybe not reliable, or maybe the target can see something suspicious, we instead saw them using what's called a network injection attack. So how a network injection attack works is like this.
So a network injection involves having some kind of equipment or software running with access to the internet connection of the mobile device. This can either be at the mobile phone network, or potentially having some software or hardware running on the same Wi-Fi network as the target. What it does is, when the target is browsing the web on their phone, eventually the target browses and clicks on a link that goes to a regular HTTP website, so without HTTPS. When this regular HTTP request is made, the software that's running on the upstream network can see this HTTP request, and when the HTTP request happens, instead of returning the correct response or the correct content, it instead returns an HTTP redirect, and the HTTP redirect will then send the browser of the phone to a malicious exploit site which can then hack the phone.

So in the case of Maati, we found that he tried to go and check his email. He typed in yahoo.fr in his browser, and when he typed in yahoo.fr the software running on the upstream network saw this cleartext connection and then redirected his phone to this exploit link we see above. You see the domain is quite suspicious, get1tn0w.free247downloads.com, and again it has some random characters at the end, which looks like a kind of exploit link. So at the time we suspected this was Pegasus, and it was a new way of delivering Pegasus without tricking the user into clicking a link, but we weren't certain that it was Pegasus; potentially it was some other kind of spyware. Fortunately for us, NSO helped to confirm that this really was Pegasus, because before we published this report Amnesty wrote to NSO Group sharing our findings, and interestingly, one day after we shared the findings with NSO, this spyware server got shut down and went offline. This was almost a week before the report was publicly available. So it kind of confirmed to us that
NSO really was controlling this infrastructure and was able to get it shut down, even when we only privately shared this information with NSO.

A bit later we found some more information about how this attack may have been done. NSO, at a trade fair, was demonstrating some new type of hardware they had developed, which you can see here in the photo on the right, and we believe this photo is of some kind of IMSI catcher or fake base station, which can run a fake mobile phone network. The target's phone could then connect to this fake mobile phone base station, and from that position it could be possible for NSO to redirect the phone to a malicious exploit link. We're not sure what happened in this case, if it was this device that was used, but we believe NSO is demonstrating or testing these kinds of so-called tactical infection methods.

So this is what our findings were in Morocco. We started to realize that actually relying on checking for SMS messages, checking for links, or relying on people coming to us with something suspicious wasn't going to work anymore, because we began to see what are called zero-click attacks. All a zero-click attack is, is any way of infecting a device that doesn't rely on some interaction from the user, doesn't rely on the user clicking on a link. We can see here some examples of other zero-click attacks that have been discovered over the past couple of years. I guess one of the first ones here was in 2019, where NSO Group developed an exploit for WhatsApp, and it was then used by their customers to target at least 1,400 different people around the world. How this worked was that the target would simply need to receive a call over WhatsApp, even a missed call, and the exploit would be able to compromise their phone without the user clicking anything. As I described earlier, we saw these kinds of network
injection attacks happen, and then later, in 2020, Citizen Lab also found an iMessage zero-day being used to again compromise iPhone users without any interaction. So from our own investigations we have found that NSO has been using various zero-click exploits since at least summer 2017 until July of this year. So we know it's not something that's quite new for NSO, but it's something we've only recently started discovering in the past few years, and we've seen NSO putting a lot of focus into developing these kinds of complicated but very powerful zero-click exploits.

So now that we know that NSO and their customers are using these kinds of zero-click attacks, we realized we needed to do something more advanced to try and find these cases of surveillance. The big problem with mobile devices is a lack of visibility. Whereas on laptop computers we have antivirus available or we have EDR systems available, there's really nothing similar available for mobile devices. So these kinds of attacks, especially zero-click attacks, are often going undetected. When we began to investigate this, we realized that it was difficult to perform forensics on mobile devices, but it's actually not impossible. We were somewhat surprised to realize that iPhones actually allow a significant amount of relevant data to be extracted from the phones themselves, in the form of an iPhone backup, and so it's actually quite possible to start doing forensic analysis on iPhones. Unfortunately, Android devices, we found, were much more limited, and because of restrictions in the Android operating system it isn't possible to extract much data in an Android backup. So all we've really been able to do on Android is to simply check the SMS messages and maybe the browser history for some traces of targeting. But again, just much less data is available on Androids compared to iPhones. The other big
problem we realized is that there's a lack of any kind of public tools for consensual mobile forensics. All of the forensic tools that are out there are designed for people to extract data from phones that they don't own, whether phones that have been seized or phones that have been somehow otherwise obtained. There are no tools available to really check your own phone for signs of spyware. So this is where the Mobile Verification Toolkit comes into play.

So MVT is a public tool developed by Amnesty International that's designed to simplify the process of analyzing mobile devices for traces of spyware, and it's available on GitHub; you can go check it out. And just to highlight: all of the cases of Pegasus targeting that I've described previously, and all of the cases and traces that I'll present for the rest of the presentation, all of these have been found using MVT. So MVT really works to detect advanced spyware, including spyware using zero-click zero-day exploits and really sophisticated stuff such as Pegasus. So while all of these different spyware vendors try to say that their stuff is undetectable, it is definitely advanced, they definitely spend a lot of money developing this stuff, but it's not magic, and if you're careful and diligent about checking for traces, there are always mistakes that are made, there are always ways of identifying potential suspicious behaviour on these devices.

So MVT is written in Python. It's very easy to install: if you have pip, you can just go pip3 install mvt. And here's how it's used. Again, it's very straightforward. To check an iPhone you simply make a backup of the iPhone and you run this one command, so it'll be mvt-ios check-backup, and you provide the backup folder. In the command here we also see what's called a STIX file.
So a STIX file is simply a file containing indicators. These may be domain names or IP addresses or process names that are known to be linked to a spyware tool, and so MVT is a generic tool; it can be used with Pegasus indicators, but it can also be used with indicators for other spyware tools and can be used to detect other spyware. So MVT is a modular framework. It has modules for parsing different kinds of databases, such as SMS messages or browser history or other kinds of files on the device. I'm going to go through and explain a few of the modules that are available in MVT and show how this can be used to find traces of Pegasus or other similar spyware tools.

So one module that is quite useful is the SMS module, which is quite straightforward. It simply reads the SMS database in the iPhone backup, it will extract all of the links from those SMS messages, and then check whether any of those SMS messages contain links to known malicious domains. In this case we're checking a backup that was targeted with Pegasus, and we see that there are multiple domains found there related to Pegasus; we see this one, revolution-news.co, and stopsms.biz. From what we know about NSO, we've seen these kinds of exploit SMS messages used primarily between 2016 and 2018. We've also seen Pegasus links as far back as 2014 and as recently as 2020. So this has been quite common, and if zero-click attacks are not available I think we'll still see these kinds of exploit links being sent in SMS.

So another data source that's quite useful and quite helpful for finding traces of targeting is the Safari browser history. What we've seen is that sometimes we identify traces of exploits being recorded in the Safari browser history, especially after a network injection attack. In this case, while there's no link in SMS, when the network injection attack happens the exploit server domain will be recorded in the browser history, and so by checking the browser history
we may be able to find evidence that this attack had happened. On the right here you can see a screenshot, and this screenshot was actually taken by Moroccan journalist Omar Radi when he was being targeted with one of these network injection attacks in Morocco. So when he was browsing the web he clicked a link and then was suddenly redirected to this web page, and when the screenshot was taken it was actually running the JavaScript trying to exploit his phone. Unfortunately, following the publication of this research, Omar Radi was repeatedly harassed by the Moroccan authorities and then he was eventually jailed after an unfair trial, and he's currently in jail.

So another file that was quite useful in our investigations is something called the IDStatusCache file. The IDStatusCache file is a file on iPhones and it contains traces of any iCloud accounts which interacted with a device. This can be interacting with a device over a bunch of different Apple services, including iMessage, AirDrop, Apple Photos. And so what was really useful about this file is it showed us which malicious accounts, which attacker-related
accounts, had been targeting a particular device. From what we know about Pegasus, we believe that these malicious accounts have been set up and have been used by one individual Pegasus customer. You can see here in the first row this email address, linakeller, and we saw this account being used to deliver an iMessage zero-day to quite a number of different activists. So it seemed to be being used to deliver exploits to two different Moroccan activists, a couple of French political figures. So by looking at which individuals have been targeted by the same account, or by the same customer, we're able to get a better idea of who that customer might be and have some idea about the attribution for that attack. The same in these other cases: for example, we see that the jessicadavies1345 email was found on the phone of two different Hungarian journalists. Same for the Emit Davies address. Again for this final address here, Williams Any, we found this on the phone of two different Hungarian individuals, including a Hungarian activist. So this was really useful for us in our investigation because it really helped us get a better idea of who might be behind some of the attacks that we were seeing.

So the previous logs I showed, about SMS data and browser history, these show kind of traces of targeting.
They show somebody's been sent a malicious link, but they don't necessarily prove that a phone has been successfully compromised. So what I'll show now is some of the logs we can use to show that a device was indeed compromised. One of these files that was very useful for us in our investigations was the so-called DataUsage file. The DataUsage file on an iPhone is a file that records information about how much mobile data traffic each process on the phone has used. This may be used to help the iPhone keep track of, you know, which apps on your phone are using the most of your mobile data. But what was really helpful for us is that it actually recorded the names of some of the Pegasus processes and how much data each of these Pegasus processes was using. From what we know about NSO Pegasus, we believe that when Pegasus is installed on a phone it will pick a random name that it uses to hide itself when running on the system. Through our investigation we found about 50 different process names that the Pegasus process was using to try and hide itself, and once we'd identified these process names, then we could go and look for these known Pegasus process names on the devices of potential targets. What's useful in this database is it also shows a timestamp of when this process name was first started on the device and when it was last seen on the device, and it also gives you some information about how much data this process transferred. In some cases this has been gigabytes of data, which shows that really the Pegasus spyware is extracting a lot of data from the device. And again, this is all automated in MVT.
So if you check a phone using MVT with the Pegasus indicators, it'll show quite clearly if any of these processes have been found on the device.

Another feature that's been very helpful for us in our analysis is the timeline feature of MVT. How the timeline feature works is it takes all of the different indicators and modules on the phone. So it checks the SMS messages, it checks the file system, and every event, like every SMS message, every web browser lookup, will all be recorded in a single file with the date that it happened. By looking at this timeline we can often see what different events happened around the same time as each other, and this can give us some idea about how attacks were actually delivered on the device. So I want to give you just one example of how this timeline can be used, just so you know how to use this timeline in your own investigations. This is actually a demonstration from a phone of a Rwandan activist who was targeted in June 2021 using the FORCEDENTRY iMessage zero-day. We can see here on the timeline that at 8 p.m.,
8:45, we see the phone began to receive some push notifications for iMessage. It seems it received like 46 push notifications, and then what we saw was that SMS attachments began to be written to the phone. In the final line here we see that a file is written into the SMS attachments directory, and if you look at the end of the line we see that the file being written to disk was actually a .gif attachment. At the time we thought this was something to do with the exploit, and that somehow NSO was delivering their exploit in that GIF file. If we look a little bit later in the timeline, we see that about 10 minutes later on the same day a Pegasus process starts running on the phone, the otpgrefd process. Shortly afterwards some additional files are on disk and some more Pegasus processes start. So by looking at this timeline together we can see quite clearly that the phone began to receive iMessage messages, these GIF attachments start to be written to disk, and then about 10 minutes later the phone was compromised with Pegasus. So remember, here there was no interaction from the user; they didn't click any link. As far as we're aware, they didn't even notice anything happening on the device. It's simply that suddenly these messages were being delivered, and after 10 or 20 minutes Pegasus began to gain access to the device. So we shared some of these findings with Apple, and then later in September 2021 Citizen Lab identified a copy of this exploit on the phone of another activist and shared it with Apple, and Apple patched this vulnerability in September 2021. So that's a little bit of how MVT works and how some of this methodology works
To identify traces of Pegasus on a device. So since we published our forensic methodology and our tools, many other groups and organizations have been using these tools and methodology to check other devices for signs of Pegasus, and they've found quite a number of new cases. Here at the top right, we can see an example of another NGO, Front Line Defenders, who identified six Palestinian human rights defenders who had their devices hacked using Pegasus. In another set of cases, we see that the Belgian military intelligence service used this similar methodology to check the phones of journalists in Belgium, and they found that a Belgian journalist, Peter Verlinden, had his iPhone hacked, which they suspected was done by Rwanda. Again, we see another case where French intelligence services confirmed that a number of French journalists had their phones hacked using Pegasus, again using a similar methodology. So what I'd like to highlight is that MVT can really be useful in identifying traces of Pegasus, but also MVT is designed as a kind of generic mobile forensic tool. So when you use a Pegasus indicator, it'll find Pegasus, but it can also be used to go and proactively search for new kinds of spyware. So I really recommend that if you're suspicious that phones may be targeted with this kind of spyware, you can use MVT to extract some data and then dig into it. If the person is a member of civil society or an activist, then Amnesty and other organizations would be happy to help support some of these investigations. Also, MVT is an open source tool.
It's based on different modules, and so we're always open to ideas for new modules and new detection ideas to help make this tool better and better able to detect new kinds of threats. One thing to remember about MVT is that it's designed to detect certain kinds of spyware. Unfortunately, the people who develop this spyware are smart people, and they read these reports and they watch these kinds of presentations, and every time we publish some information about how to detect these kinds of spyware targeting civil society, the different spyware vendors and actors will try to improve their tools to avoid them being detected. They'll try to upgrade their infrastructure to hide it again, to better obscure their activities. So just to give an example, here are some of the developments of NSO's own infrastructure over time. We see that after Amnesty published a report in 2018, that infrastructure was shut down, and then over the next two years they began to run more infrastructure instead, which was again shut down after discovery in 2021. So it's a constant arms race, and so while these tools are useful to detect Pegasus now, it's not always going to be just automatic, and it's important to do further research to try and identify new traces and new kinds of attacks.

So what is the future for mobile spyware? One thing I'd like to reiterate is that while we focus a lot on NSO Group and Pegasus in this research and in this talk, and there's been a lot of focus on NSO Group, it's not the only mobile spyware out there.
There are definitely many other players who are trying to get into the space and trying to develop similar kinds of spyware tools, which are then sold to different customers. We've seen from this investigation that we found at least 180 journalists who were potential targets of Pegasus, and many other human rights activists and opposition politicians who have been targeted with these tools over the last number of years. So far these threat actors and these state agencies have been able to target activists in civil society with impunity, due to a lack of visibility and telemetry on mobile platforms. They've simply been getting away with it because they haven't been detected. So tools such as MVT can help expose some of these threats, but they need to be used more widely, and they need to be used with more of civil society, to really understand the full scope of these kinds of threats. I think it's also important that industry, the tech industry and the security industry, work closely with civil society to help detect and expose these threats, because unfortunately the people most at risk from these kinds of really serious attacks are also some of the people who are least equipped, both financially and technically, to defend against them.

So to conclude, I think we're going to continue to see attackers focusing on mobile. Mobile is where all the data is; no other place gives you as much insight into somebody's life, into all their innermost thoughts. Even just having a microphone in someone's pocket is such a powerful thing. So this is an area where we think companies and states will be focusing in trying to develop these kinds of tools. We know that zero-click exploits are going to be highly desirable. So while Apple and others have done a great job in making attacks against iMessage more difficult, it's almost certain that these kinds of cyber surveillance companies will continue trying to develop zero-click exploits, and if not for iMessage, then maybe for other chat platforms, I don't know, like Signal or Telegram or WhatsApp. They're going to try and attack other applications that activists are using. Unfortunately, it's not possible for activists and civil society to protect themselves from these kinds of zero-day attacks in a technical sense. So we definitely need more collaboration between civil society and key platform vendors to help identify and defend against these threats, and we also urgently need better regulation to prevent these kinds of really sophisticated spyware tools being sold to states and agencies which have a long history of abusing them to target civil society and the political opposition.

So thank you all for listening. I'm happy to answer some questions, if you have some. Or if you're a member of civil society or an activist and concerned about surveillance, please feel free to contact us at share@amnesty.tech. Thank you.

Thank you, Donncha. Thank you from c-base. We have already taken some overtime this early hacker morning. There have been some small questions popping up on our internal pad here from our tiny audience at c-base. We don't have that much time left. Can you just give us an indication: what is the pace of this ongoing war? Do you feel that NSO Group is actively fighting MVT and your tool development, or didn't you get this honor yet?

Definitely. Even in the past year, we saw NSO starting to be more careful about cleaning up their forensic traces. Since 2020 they began to already clean some of the traces that we've been using, and they've clearly realized that people are investigating, that there is a risk of people discovering this stuff. And I feel like after the revelations this summer they're going to be much more proactive in trying to clean up some of these traces. But as I said, NSO is one company out there.
There are also many other companies trying to compete in the same space. So even if NSO gets better, you know, other companies are still out there and can still be caught using MVT. And fundamentally, even if they clean up some traces, for any kind of failed attack these traces are still going to be left around, because it won't be possible for the spyware to clean up the traces.

Mm-hmm. So one could still, after an attack, eventually discover on an old device years later that there had been some spyware activity, which may be, in the long run, interesting information about past campaigns and things. So NSO is not the only actor there; there will be more. Do you feel that there are just copycats in the market, or do you think there will be completely new threats in the future?

So I guess there are always lots of smart people or companies who are trying to develop these tools. Just earlier this month, Citizen Lab published a report about another cyber surveillance vendor called Cytrox, based in North Macedonia, and they were selling similar spyware, which is using kind of one-click attacks using links to help compromise iPhones and Android phones. So that's one company that's competing in the space. There are other companies doing similar kinds of targeting, we believe. You know, NSO was definitely the biggest company in the space, and they had a lot of money to invest, especially in these kinds of zero-click attacks. So for now, we don't know of another company that's as big or sophisticated as NSO, but I think many others will be trying to take their place if NSO becomes less popular.

I see, I see. Okay, thank you very much. We have to go over to the c3 morning show in a few seconds. Thank you very much for this interesting talk this morning. Again, share@amnesty.tech is the address to go to, and this is probably one of the talks you want to watch again on media.ccc.de in a few days when it has been published. So greetings to Ireland. Thank you very much, and we will meet and see each other again, in real life I hope. Thank you. Thank you very much. Have a good day.

Everything is licensed under CC BY 4.0 and it is all for the community.
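As an added illustration of the timeline methodology described in the talk (example code written for this page, not MVT's own code or Amnesty's), the script below merges records from several notional extraction modules into one time-sorted timeline, matches process names against a small indicator set, and lists the events in the minutes before each hit, which is the correlation step the speaker walks through for the push-notification, GIF-attachment, process-start sequence. The module names, the sample records and the 15-minute look-back window are constructed assumptions; only the process name otpgrefd comes from the talk.

```python
"""Mini timeline builder in the spirit of MVT's timeline feature (added example).

All sample records below are constructed for illustration; they are not data
from any real device and not output of MVT.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True, order=True)
class Event:
    """One timeline row: when it happened, which module saw it, what it was."""
    timestamp: datetime
    module: str
    description: str


# Process-name indicators. "otpgrefd" is the Pegasus process named in the talk;
# a real run would load the full published indicator file instead.
PROCESS_IOCS = {"otpgrefd"}

# Assumed look-back window when asking "what happened just before this hit?"
CONTEXT_WINDOW = timedelta(minutes=15)


def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


# Constructed sample records shaped like per-module extraction output:
# module name -> list of (timestamp, description). The sequence loosely
# mirrors the talk: a burst of iMessage pushes, GIF attachments written to
# disk, then a suspicious process starting ~10 minutes later.
SAMPLE_MODULES: Dict[str, List[Tuple[str, str]]] = {
    "push_notifications": [
        (f"2021-06-12 20:45:{sec:02d}", "push for com.apple.madrid (iMessage)")
        for sec in range(10, 15)
    ],
    "sms_attachments": [
        ("2021-06-12 20:46:02", "file written: Library/SMS/Attachments/ab/11/sample_1.gif"),
        ("2021-06-12 20:46:05", "file written: Library/SMS/Attachments/ab/11/sample_2.gif"),
    ],
    "processes": [
        ("2021-06-12 20:40:00", "SpringBoard"),
        ("2021-06-12 20:56:10", "otpgrefd"),
        ("2021-06-12 20:57:30", "mediaserverd"),
    ],
    "safari_history": [
        ("2021-06-12 19:30:00", "https://example.org/news"),
    ],
}


def build_timeline(modules: Dict[str, Iterable[Tuple[str, str]]]) -> List[Event]:
    """Flatten every module's records into a single list sorted by time."""
    events = [
        Event(_ts(ts), module, desc)
        for module, records in modules.items()
        for ts, desc in records
    ]
    return sorted(events)


def find_process_hits(timeline: Iterable[Event], iocs=PROCESS_IOCS) -> List[Event]:
    """Return process-start events whose name is in the indicator set."""
    return [e for e in timeline if e.module == "processes" and e.description in iocs]


def events_before(timeline: Iterable[Event], hit: Event,
                  window: timedelta = CONTEXT_WINDOW) -> List[Event]:
    """Events from any module in the window leading up to (not including) the hit."""
    start = hit.timestamp - window
    return [e for e in timeline if start <= e.timestamp < hit.timestamp]


def to_csv(timeline: Iterable[Event]) -> str:
    """Serialize the merged timeline as CSV, one row per event plus a header."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["timestamp", "module", "event"])
    for e in timeline:
        writer.writerow([e.timestamp.isoformat(sep=" "), e.module, e.description])
    return buf.getvalue()


if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_MODULES)
    print(to_csv(timeline))
    for hit in find_process_hits(timeline):
        print(f"IOC hit: {hit.description} at {hit.timestamp}; preceding context:")
        for e in events_before(timeline, hit):
            print(f"  {e.timestamp}  {e.module:<20} {e.description}")
```

The point of keeping the window query separate from the indicator match is the one the talk makes: the indicator tells you that something known was on the device, while the surrounding events from other modules tell you how it got there, and those surrounding events are also what you would inspect when an indicator list does not yet exist for a new family.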