... way from Argentina to Prague to Leipzig. These two young security researchers, the lady and the gentleman, Veronica and Sebastian, are here to tell us something about emergency VPNs (virtual private networks): analyzing mobile network traffic to detect digital threats. And I'm quite convinced you're going to have a good time. You're welcome. Let's have a big hand for Veronica and Sebastian.

Thank you. Okay. Thank you everyone for coming here. My name is Veronica Valeros. I'm a researcher at the Czech Technical University in Prague. Currently I'm the project leader of the CivilSphere project.

I'm Sebastian Garcia, the director of the CivilSphere project at the Czech Technical University in Prague. The CivilSphere project is part of the Stratosphere Laboratory at the university, and its main purpose is to provide free services and tools to help civil society protect itself and identify targeted digital attacks.

So, Maati Monjib. He's a Moroccan historian, the co-founder of the Moroccan Association of Independent Journalism. He was denouncing some misbehavior of his government, and because of that he was targeted with spyware around 2015. Alberto Nisman was a lawyer in Argentina. He died. Until the moment of his death he was the lead investigator of the 1994 terrorist attack that happened in Buenos Aires. It was a sad incident that may have been covered up by the government, and after his death researchers found traces of spyware on his mobile phone, allegedly installed by the government to spy on him. Ahmed Mansoor is an activist from the UAE. He is also a human rights defender, and he also denounced misbehaviors of his government, and because of that his government targeted him repeatedly with different types of spyware from different places. Right now he's in jail. He's been there for almost two years, and he barely survived the hunger strike of more than 40 days that he did to complain about the prison conditions.
Simon Barquera. Maybe you can check the slides; they are not working. Simon Barquera is a researcher and food scientist from Mexico. He is a weird case, because it's not very clear why he was targeted. The Mexican government targeted him and his colleagues with spyware as well. Karla Salas is a lawyer from Mexico too. She is representing and investigating the murder of a group of human rights defenders who were murdered in Mexico, and she and her colleagues were targeted by the Mexican government with the NSO Pegasus spyware. Griselda Triana is a widow. Her husband was a journalist from Mexico covering drug cartel activities and organized crime in Culiacán, Sinaloa, Mexico. She was targeted by the Mexican government with spyware a few days after her husband's death, and we don't understand exactly why. Her husband's computer and laptop were taken away when he was murdered, so there was no reason why she was targeted. Emilio Aristegui is the son of a lawyer, a minor, and his phone was targeted by the Mexican government with spyware to spy on his mother, who was a lawyer investigating some cases.

So these are only a few cases of the dozens or hundreds of cases where governments use surveillance technology to spy on people: not only civil society defenders, but also civilians like this kid. And the common thing among all of these is that their mobile phones were targeted, and there is a simple explanation for that. We take our mobile phones with us everywhere. We use them. We don't take computers anymore. When we are on the front line in Syria covering the war, we record the videos with our phones. We send messages that we are still alive with our phones. When we are working in this field, we cannot not use mobile phones. So they have photos, they have documents, they have location, they have everything. This is perfect for spying on someone.
So it is a fact that governments are using spyware as a surveillance technology, not only to surveil but also to abuse, to imprison and sometimes to kill people. And we know that they are governments, because the technology they are using, for example the Pegasus software by the Israeli company NSO, can only be purchased by governments. So we know they are doing this. These tools are also cheap, easy to use; cheap for them, right? Easy to use. They can be used multiple times, as many times as they want. And sometimes they cannot be traced back to their sources. It's not that easy. So you find an infection, and it's hard to know who is behind it. So for them it's a perfect tool.

So what can we do if we think our mobile is compromised? There are several things we can do. For instance, we can do a forensic analysis. It's costly, because it takes a lot of time. We need to go into the phone to check the files, to try to see if there is any sign of infection. And sometimes this also involves sending our phone somewhere to be analyzed. And in the meantime, what are we going to use? It's not very clear. We can factory reset our phone. It might work. Sometimes, sometimes not. And it's costly. Sometimes we might lose data. We can change phones. It's a simple solution. We just drop it in the trash and pick another one. But how many of us can afford to do this, like maybe three, four times a year? It's very expensive. But we can also do traffic analysis. That means working on the assumption that the malware infecting our phones will try to steal information from our phones and send it somewhere. And this sending of data will happen over the Internet, because that's cheap. So that communication we can see, and hopefully we can identify it.

So how can we know? How can we know if our phone right now is at risk? Imagine that you're crossing a border. Someone from the police takes your phone, then gives it back to you. Everything is fine.
How can you know it's not compromised? So this is where in CivilSphere we started thinking: which is the simplest way we can go there and help these people? Which is the simplest way we can go and check those phones in the field while this is happening? And we came up with the Emergency VPN. So the Emergency VPN is the service that we are providing using OpenVPN, this free tool that you know, that you install on your phone. And from this, we are sending the traffic from your phone to the university server. So the servers are in our office, and then to the Internet and back. So you have normal Internet, and we are capturing all your traffic and storing it there. What we're doing with this, well, we have our security analysts looking at this traffic, finding infections, finding the attacks, using our tools, using our expertise, threat intelligence, threat hunting, whatever we can, seeing everything in there and then reporting back to you saying, hey, you're safe, it's okay, or, hey, there is something going on with your phone and the applications you install, or actually change phones. We are from time to time suggesting: stop using that phone right now. I don't know what you're doing, but this is something you should stop. So we are having experts looking at this traffic. Also, we have the tools, and everything we do in there is free software, because we need this to be open for the community.

So how does it work? This is a schema of the Emergency VPN. You have your phone, and in the situation, like Veronica was saying, you are at risk and say, right now, I'm crossing a border, I'm going to a country that I don't know, I suspect I might be targeted. In that moment, you send an email to a special email address. That address is not here, because we cannot afford right now everyone using the Emergency VPN, because we have humans checking the traffic. So we will give you the address later if you need it, but using an email you say, hey, help.
Automatically, we check this email, we create an OpenVPN profile for you, we open this for you, and we send the profile by email. So you click on the profile, you have OpenVPN installed (or you can install the original one), and from that moment your phone is sending all your traffic to the university and then to the Internet. After a maximum of three days we stop it automatically, and then we create the pcap file that the analysts go through, checking what's going on with your traffic. After this, we create a report that is sent back to you by email. So this is the core operation, like 90% automatic, of the Emergency VPN.

So, advantages of this approach. Well, the first one is that this is giving you an immediate analysis of the traffic of your phone, wherever you are. This is in the moment you need it, and then you can see what your phone is doing or not doing, right? Second is that we have the technology, we have the expertise, our threat hunters, threat intelligence people, we have tools, we are doing machine learning also in the university. So we have methods for analyzing the behavior of encrypted traffic. We do not open the traffic, but we can analyze it anyway. So we took all the tools we can to help civil society. Then we have the anonymity. We want this to be as anonymous as possible, which means we only know one email address, the one you use to send us an email, and that's it. It doesn't even have to be your real email address. We don't care, right? Moreover, this email address is only known to the manager of the project. The people analyzing the traffic do not have this information. After that, they send the report back to the email address, and that's it. We delete the pcap, and that's all we know. Of course, if your phone is leaking data, which it probably is, we see this information, because this is the whole purpose of the system, right? Then we have our continuous research.
We are a university project, almost 30 people. So we are doing new research, new methods, new tools, open source; we are applying, checking, researching, publishing, right? So it's continually moving. And last, this is the best way to get a report back to you on your phone saying whether you are infected or not, okay?

So, some insights from the Emergency VPN. The first one is that it has been active since mid-2018. We analyzed 111 cases, roughly, maybe a little bit more. 60% are Android devices. We can talk about that, but it's well known that a lot of people at risk cannot afford very expensive phones, which is also impacting their security. 82 gigabytes of traffic, 3200 hours of humans analyzing this, which is huge. And most importantly, 95% of whatever we found there is because of normal applications, like the applications you have right now on your phone at this moment. And this is a huge issue.

The most common issues that we found. And we cannot say this enough. Geolocation is an issue. Only three phones ever were not leaking geolocation out. The rest of the phones are leaking, whether it is in dating applications, applications to buy stuff, transport applications; a lot of applications are leaking this. Most are leaking this in encrypted form. A lot of them are leaking this unencrypted, which means that not only can we see that, but the people on your Wi-Fi, your government, the police, whoever has access to this traffic can see your position almost in real time. Which means that if the government wants to know where you are, they do not need to infect you. It's much easier. They go to a telco provider, they look at your traffic, and that's it. You are leaking your location all over the place. We know that this is because of advertising and marketing. People are selling this information a lot. Be very careful with which applications you have. And this is the third point. Insecure applications are a real hazard for you.
Maybe you need two phones, like your professional phone and your everyday life phone. We don't know. But the problem usually comes from the applications that you're installing just because. These applications are leaking so much data, like your mail, your name, your phone number, credit cards, user behavior, your preferences, whether you are dating or not, whether you are buying and where you're buying, which transports you are taking, which seat you are taking on the bus. So a lot of information. Really, believe us here. And last, the IMEI and the IMSI, these two identifiers of the phone, are usually leaked by the applications. We don't know why. And this is very dangerous, because it identifies your phone uniquely. Okay?

From the point of view of the important cases, there are two things that we want to say. The first one is that we found trojans in there that are infecting your phones. But none of these trojans were actually targeted trojans, like trojans for you. They were, let's call them, normal trojans. So this is a thing. And the second one is malicious files. A lot of phones are doing this peer-to-peer file sharing thing, even if you don't know. Some applications, I'm not going to give names, are doing this peer-to-peer file sharing, even if you don't know. And there were malicious files going over the wire there.

However, why is it that after a year or so of analysis, after 111 cases analyzed, we did not find any targeted attack? Why is this the case? The answer is simple. No? Yes? The answer is simple. The Emergency VPN works for three days, right? Maximum. So it's not about reaching the right people, but reaching the right people at the right time. If we check three days before the incident, we might not see it. If we check three days later, we might not see it. So right now, we need your help. Reaching the right population is very important, because we need people to know that this service exists. And we know it's tricky.
If we tell you, hey, connect here, we are going to see all your traffic, it's like, are you insane? Why would I do that? However, remember that the other options are not very cheap or easy, or even feasible if you are traveling, for example. And again, as Sebastian said, everything that goes encrypted is cool. We don't see it. We are not doing man in the middle. If we see anything, it's because it's not encrypted. So if you believe that you are a person at risk because of the work you do, or because of the type of information or people that you help, please contact us. We are willing to answer all the questions that you might have about data retention, how we handle the data, how we store it, how we delete it afterwards, for how long, et cetera. And if you know people that might be at risk because of the work they do, because of the people they protect, the people they represent, the type of investigation they do, please tell them about this service. You can contact us via email. As we say, the information on how specifically to use this is not publicly available, because we cannot handle hundreds of cases at the same time. However, if you think you are a person at risk, we will send it to you right away. This is the contact phone number. We are on Telegram, Wire, Signal, WhatsApp, anything that you need to reach out. And we will answer any questions. So we need to reach these people, okay? Yes. So thank you very much. And we will be around for the rest of the Congress. If you want to stop us, ask questions. Tell us something if you need. Tell us about other people in the field who need it. Trust is very important here. And let us know, okay? Yes. Thank you.

Thank you. Okay. And as usual, we will take questions from the public. There are two lit microphones. Yes, go ahead, talk into the mic. One sentence, please. Just a question.

Thanks for your excellent service.
My question is, how can you be sure that all the traffic of a compromised phone is run through your VPN?

So of course we cannot. We can say that in our experience, we never found or saw any malware that is trying to avoid the VPN on the phone. So we rely on the fact that no malware or APT that we ever saw or know about is actually trying to avoid the VPN service. On some phones, I'm not sure if you can avoid it. Maybe yes. I don't know. In our experiments and trials with different phones and tablets and everything, all the traffic is going through the VPN service, right? Because it's like a proxy on your phone. Yes. So if you know of any case, we would love to know. We run a malware laboratory, and we run malware on phones and computers to try to understand them, and we haven't encountered such a case. SMS, for example, we are not seeing, right? Yes.

One more question, please.

Yeah. So you're running the data through your network at the university. Do you have, like, a lot of exit IP numbers? Because a malware app could maybe identify this routing through you and then decide not to act?

Yeah. So that's a good question. Actually, in the university we have a complete class B public network. We have, of course, agreements with the university to use part of these IPs. So this is part of the question there, right? Anyway, we are taking precautions, but so far we did not find anyone blocking or checking our IPs. So we will see. But it's true, right? Yeah. We would say that if that happens, we would consider our project very successful. We haven't heard of such a case yet. Thank you.

Okay. Let's have a final big hand for Veronica and Sebastian. Thank you very much.
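Appended after the transcript as an added example, not code from the CivilSphere project or anything the speakers showed: a small Python scanner for the kind of leaks the talk reports from the Emergency VPN pcaps (geolocation sent in the clear, IMEI/IMSI device identifiers, e-mail addresses), run over plaintext HTTP requests. The sample requests, parameter names and values below are constructed for this example (hosts use reserved `.invalid` names), and the example assumes the HTTP streams have already been reassembled out of the pcap; it also checks the IMEI's Luhn check digit so that placeholder values can be told apart from real identifiers.

```python
"""Scan plaintext HTTP requests for leaked geolocation, IMEI/IMSI and e-mail.

Added example, not the CivilSphere project's code. Requests are constructed
inline for the example; a real workflow would feed it HTTP streams
reassembled from the captured pcap.
"""
import json
import re
from urllib.parse import parse_qsl, urlsplit

LAT_KEYS = {"lat", "latitude"}
LON_KEYS = {"lon", "lng", "long", "longitude"}
ID_KEYS = {"imei": "IMEI", "imsi": "IMSI"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample traffic (hypothetical hosts and values, not a real capture).
SAMPLE_REQUESTS = [
    "GET /v1/ads?lat=50.1032&lon=14.3915&imei=490154203237518&app=weather HTTP/1.1\r\n"
    "Host: ads.example-tracker.invalid\r\n\r\n",
    "POST /track HTTP/1.1\r\nHost: analytics.example.invalid\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "user=maria%40example.org&latitude=-34.6037&longitude=-58.3816&imei=123456789012345",
    "GET /api/forecast?city=Prague HTTP/1.1\r\nHost: weather.example.invalid\r\n\r\n",
    "POST /collect HTTP/1.1\r\nHost: analytics.example.invalid\r\n"
    "Content-Type: application/json\r\n\r\n"
    '{"device": {"imsi": "230010123456789"}, "loc": {"lat": 50.08, "lng": 14.42}}',
]


def luhn_ok(digits):
    """Luhn checksum as used for the IMEI check digit (rightmost digit not doubled)."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _flatten_json(obj, prefix=""):
    """Flatten nested JSON: {"loc": {"lat": 1}} becomes {"loc.lat": "1"}."""
    out = {}
    if isinstance(obj, dict):
        for k, v in obj.items():
            out.update(_flatten_json(v, f"{prefix}{k}."))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            out.update(_flatten_json(v, f"{prefix}{i}."))
    else:
        out[prefix.rstrip(".")] = str(obj)
    return out


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into host, path and merged query/body params."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    params = dict(parse_qsl(url.query, keep_blank_values=True))
    if body and "json" in headers.get("content-type", ""):
        params.update(_flatten_json(json.loads(body)))
    elif body:
        params.update(dict(parse_qsl(body, keep_blank_values=True)))
    return {"method": method, "host": headers.get("host", ""), "path": url.path, "params": params}


def find_leaks(raw):
    """Return findings ({kind, detail, host}) for one plaintext request."""
    req = parse_http_request(raw)
    findings, lat, lon = [], None, None
    for key, value in req["params"].items():
        leaf = key.rsplit(".", 1)[-1].lower()  # last JSON path component or the query key
        if leaf in LAT_KEYS or leaf in LON_KEYS:
            try:
                if leaf in LAT_KEYS:
                    lat = float(value)
                else:
                    lon = float(value)
            except ValueError:
                pass
        elif leaf in ID_KEYS:
            digits = re.sub(r"\D", "", value)
            detail = value
            if leaf == "imei":  # only the IMEI carries a Luhn check digit
                ok = len(digits) == 15 and luhn_ok(digits)
                detail += " (valid Luhn checksum)" if ok else " (checksum fails, possibly a placeholder)"
            findings.append({"kind": ID_KEYS[leaf], "detail": detail})
        if EMAIL_RE.fullmatch(value):
            findings.append({"kind": "email", "detail": value})
    # Only report a position when both coordinates are present and plausible.
    if lat is not None and lon is not None and -90 <= lat <= 90 and -180 <= lon <= 180:
        findings.append({"kind": "geolocation", "detail": f"{lat},{lon}"})
    for f in findings:
        f["host"] = req["host"]
    return findings


def summarize(requests):
    """Count findings per kind across many requests, as a report would."""
    counts = {}
    for raw in requests:
        for f in find_leaks(raw):
            counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        for f in find_leaks(raw):
            print(f"{f['kind']:12} {f['detail']:45} -> {f['host']}")
    print(summarize(SAMPLE_REQUESTS))
```

The geolocation check deliberately requires both a latitude and a longitude in plausible ranges, so a lone `lat=` field or a mis-parsed number does not produce a finding; and because only the IMEI has a check digit, a 15-digit value under an `imsi` key is reported as-is.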