<div dir="ltr">sorry for cross posting, but great report!<div><br><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername">Ronald Deibert</b> <span dir="ltr"><<a href="mailto:r.deibert@utoronto.ca">r.deibert@utoronto.ca</a>></span><br>Date: Thu, Aug 25, 2016 at 1:09 PM<br><br><div style="word-wrap:break-word"><div style="margin:0px;line-height:normal;min-height:14px"><br></div><div style="margin:0px;line-height:normal">I am pleased to announce a new Citizen Lab <a href="https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/" target="_blank">report</a>: “The Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender,” authored by senior researchers Bill Marczak and John Scott Railton.</div><div style="margin:0px;line-height:normal;min-height:14px"><br></div><div style="margin:0px;line-height:normal">If you are one of hundreds of millions of people that own an iPhone, today you will receive a critical security patch. While updating your software, you should pause for a moment to thank human rights activist, Ahmed Mansoor.</div><div style="margin:0px;line-height:normal;min-height:14px"><br></div><div style="margin:0px;line-height:normal">Mansoor is a citizen of the United Arab Emirates, and because he’s a human rights activist in an autocratic country his government views him as a menace. For security researchers at the Citizen Lab, on the other hand, Mansoor’s unfortunate experiences are the gift that won’t stop giving.</div><div style="margin:0px;line-height:normal;min-height:14px"><br></div><div style="margin:0px;line-height:normal"><span>Mansoor is an outspoken defendant of human rights, civil liberties, and free expression in a country that routinely flouts them all. While he has been praised internationally for his efforts — in 2015, Mansoor was given the prestigious <a href="https://www.amnesty.org/en/latest/news/2015/10/ahmed-mansoor-selected-as-the-2015-laureate-martin-ennals-award-for-human-rights-defenders/" target="_blank">Martin Ennals Award for Human Rights Defenders</a> — his government has responded with imprisonment, beatings, harassment, a travel ban…and persistent attempts to surreptitiously spy on his digital communications.</span></div><div style="margin:0px;line-height:normal;min-height:14px"><br></div><div style="margin:0px;line-height:normal;font-family:Arial"><span>For example, in 2011 Mansoor was sent a PDF attachment that was loaded with a sophisticated spyware manufactured by the British / German company, Gamma Group. </span><span>Fortunately, he decided not to open it.</span></div><div style="margin:0px;line-height:normal;font-family:Arial;min-height:14px"><span></span><br></div><div style="margin:0px;line-height:normal;font-family:Arial"><span>In 2012, he was targeted with more spyware, this time manufactured by an Italian company, Hacking Team. His decision to share that sample with Citizen Lab researchers led to one of our first detailed <a href="https://citizenlab.org/2012/10/backdoors-are-forever-hacking-team-and-the-targeting-of-dissent/" target="_blank"><span style="line-height:normal">reports</span></a> on the commercial spyware trade.</span></div><div style="margin:0px;line-height:normal;font-family:Arial;min-height:14px"><span></span><br></div><div style="margin:0px;line-height:normal;font-family:Arial"><span>And so earlier this month, when Mansoor received two unsolicited SMS messages on his iPhone 6 containing links about “secrets” concerning detainees in UAE prisons, he thought twice about clicking on them. Instead, he forwarded them to us for analysis. It was a wise move. </span></div><div style="margin:0px;line-height:normal;font-family:Arial;min-height:14px"><span></span><br></div><div style="margin:0px;line-height:normal;font-family:Arial"><span>Citizen Lab researchers, working in collaboration with the security company Lookout, found that lurking behind those SMS messages was a series of “<a href="https://en.wikipedia.org/wiki/Zero-day_(computing)" target="_blank"><span style="line-height:normal">zero day</span></a>” exploits (which we call “The Trident”) designed to take advantage of unpatched vulnerabilities in Mansoor’s iPhone. </span></div><div style="margin:0px;line-height:normal;font-family:Arial;min-height:14px"><span></span><br></div><div style="margin:0px;line-height:normal;font-family:Arial"><span>To say these exploits are rare is truly an understatement. Apple is widely renown for its security — <a href="https://www.wired.com/2016/03/fbi-drops-case-apple-finding-way-iphone/" target="_blank"><span style="line-height:normal">just ask the FBI</span></a>. Exploits of its operating system run on the order of hundreds of thousands of dollars each. One company that resells zero days <a href="https://www.zerodium.com/ios9.html" target="_blank"><span style="line-height:normal">paid</span></a> $1 million dollars for the purchase of a single iOS exploit, while the FBI <a href="http://arstechnica.com/tech-policy/2016/04/fbi-paid-at-least-1-3m-for-zero-day-to-get-into-san-bernardino-iphone/" target="_blank"><span style="line-height:normal">reportedly</span></a> paid at least $1.3 million for the exploit used to get inside the San Bernadino device. The attack on Mansoor employed not one but <i>three separate</i> zero day exploits.</span></div><div style="margin:0px;line-height:normal;font-family:Arial;min-height:14px"><span></span><br></div><div style="margin:0px;line-height:normal;font-family:Arial"><span>Had he followed those links, Mansoor’s iPhone would have been turned into a sophisticated bugging device controlled by UAE security agencies. They would have been able to turn on his iPhone’s camera and microphone to record Mansoor and anything nearby, without him being wise about it. They would have been able to log his emails and calls — even those that are encrypted end-to-end. And, of course, they would have been able to track his precise whereabouts.</span></div><div style="margin:0px;line-height:normal;font-family:Arial;min-height:14px"><span></span><br></div><div style="margin:0px;line-height:normal;font-family:Arial"><span>Through careful, detailed network analysis, our team (led by Bill Marczak and John Scott Railton) was able to positively link the exploit infrastructure behind these exploits to an obscure company called “NSO Group”. </span></div><div style="margin:0px;line-height:normal;font-family:Arial;min-height:14px"><span></span><br></div><div style="margin:0px;line-height:normal;font-family:Arial"><span>Don’t look for them online; NSO Group doesn’t have a website. They are an Israeli-based “cyber war” company owned by an American venture capital firm, Francisco Partners Management, and founded by alumni of the infamous Israeli signals intelligence agency, <a href="http://www.ft.com/cms/s/2/69f150da-25b8-11e5-bd83-71cb60e8f08c.html" target="_blank"><span style="line-height:normal">Unit 8200</span></a>. This unit is among the most highly ranked state agencies for cyber espionage, and is <a href="http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?_r=2&pagewanted=2&seid=auto&smid=tw-nytimespolitics&pagewanted=all" target="_blank"><span style="line-height:normal">allegedly responsible</span></a> (along with the U.S. NSA) for the so-called “Stuxnet” cyber attack on Iran’s nuclear enrichment facilities.</span></div><div style="margin:0px;line-height:normal;font-family:Arial;min-height:14px"><span></span><br></div><div style="margin:0px;line-height:normal;font-family:Arial"><span>In short: we uncovered an operation seemingly undertaken by the United Arab Emirates using the services and technologies of an Israeli “cyber war” company who used precious and very expensive zero day iOS exploits to get inside an internationally-renowned human rights defender’s iPhone.</span></div><div style="margin:0px;line-height:normal;font-family:Arial;min-height:14px"><span></span><br></div><div style="margin:0px;line-height:normal;font-family:Arial"><span>That’s right: Not a terrorist. Not ISIL. A <i>human rights defender.</i></span></div><div style="margin:0px;line-height:normal;font-family:Arial;min-height:14px"><span><i></i></span><br></div><div style="margin:0px;line-height:normal;font-family:Arial"><span><i>(</i>An important aside: we also were able to identify what we suspect are at least two other NSO Group-related targeted digital attack campaigns: one involving an investigative journalist in Mexico, and the other a tweet related to an opposition politician in Kenya).<i> </i></span></div><div style="margin:0px;line-height:normal;font-family:Arial;min-height:14px"><span></span><br></div><div style="margin:0px;line-height:normal;font-family:Arial"><span>Once we realized what we had uncovered, Citizen Lab and Lookout contacted Apple with a responsible disclosure concerning the zero days. </span></div><div style="margin:0px;line-height:normal;font-family:Arial;min-height:14px"><span></span><br></div><div style="margin:0px;line-height:normal;font-family:Arial"><span>Our full report is <a href="https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/" target="_blank"><span style="line-height:normal">here</span></a>.</span></div><div style="margin:0px;line-height:normal;font-family:Arial;min-height:14px"><span></span><br></div><div style="margin:0px;line-height:normal;font-family:Arial"><span>Apple responded immediately, and we are releasing our report to coincide with their public release of the iOS 9.3.5 patch.</span></div><div style="margin:0px;line-height:normal;font-family:Arial;min-height:14px"><span></span><br></div><div style="margin:0px;line-height:normal;font-family:Arial"><span>That a country would expend millions of dollars, and contract with one of the world’s most sophisticated cyber warfare units, to get inside the device of a single human rights defender is a shocking illustration of the serious nature of the problems affecting civil society in cyberspace. This report should serve as a wake-up call that the silent epidemic of targeted digital attacks against civil society is a very real and escalating crisis of democracy and human rights.</span></div><div style="margin:0px;line-height:normal;font-family:Arial;min-height:14px"><span></span><br></div><div style="margin:0px;line-height:normal;font-family:Arial"><span>What is to be done? Clearly there is a major continuing problem with autocratic regimes abusing advanced interception technology to target largely defenceless civil society organizations and human rights defenders. The one solution that has been proposed by some — export controls on items related to “intrusion software” — appears to have had no effect curbing abuses. In fact, Israel has in place <a href="http://www.hfn.co.il/client-update-decided-%E2%80%93-facilitate-cyber-export-controls-much-possible" target="_blank"><span style="line-height:normal">export controls</span></a> ostensibly to prevent this very sort of abuse from happening. But something obviously slipped through the cracks…</span></div><div style="margin:0px;line-height:normal;font-family:Arial;min-height:14px"><span></span><br></div><div style="margin:0px;line-height:normal;font-family:Arial"><span>Maybe it is time to explore a different strategy — one that holds the companies directly responsible for the abuse of their technologies. It is interesting in this respect that NSO Group masqueraded some of its infrastructure as government, business, and civil society websites, including the International Committee for the Red Cross, Federal Express, Youtube, and Google Play. </span></div><div style="margin:0px;line-height:normal;font-family:Arial;min-height:14px"><span></span><br></div><div style="margin:0px;line-height:normal;font-family:Arial"><span>Isn’t that fraud against the user? Or a trademark violation? If not considered so now, maybe it should be.</span></div><div style="margin:0px;line-height:normal;font-family:Arial;min-height:14px"><span></span><br></div><div style="margin:0px;line-height:normal;font-family:Arial"><span>Meanwhile, please update your iPhone’s operating system, and while you’re doing it, spare a thought for Ahmed Mansoor.</span></div><div style="margin:0px;line-height:normal;font-family:Arial;min-height:14px"><span></span><br></div><div style="margin:0px;line-height:normal;font-family:Times;min-height:14px"><span></span><br></div>
<table cellspacing="0" cellpadding="0" style="border-collapse:collapse">
<tbody>
<tr>
<td valign="top" style="width:608.0px;border-style:solid;border-width:1.0px 1.0px 1.0px 1.0px;border-color:#000000 #000000 #000000 #000000;padding:7.0px 7.0px 7.0px 7.0px"><div style="margin:0px;font-size:11px;line-height:normal;font-family:Arial"><span>All iPhone owners should update to the latest version of iOS immediately. If you’re unsure what version you’re running, you can check Setting > General > About > Version.</span></div>
</td>
</tr>
</tbody>
</table><div style="margin:0px;line-height:normal;min-height:14px"><br></div><div style="margin:0px;line-height:normal;font-family:Arial;min-height:14px"><br><span></span></div><div>
<span style="border-collapse:separate;line-height:normal;border-spacing:0px"><div style="word-wrap:break-word"><span style="border-collapse:separate;color:rgb(0,0,0);font-family:Helvetica;font-style:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:-webkit-auto;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;border-spacing:0px"><div style="word-wrap:break-word"><div>Ronald Deibert</div><div>Director, the Citizen Lab </div><div>Munk School of Global Affairs</div><div>University of Toronto</div><div><a href="tel:%28416%29%20946-8916" value="+14169468916" target="_blank">(416) 946-8916</a></div><div>PGP: <a href="http://deibert.citizenlab.org/pubkey.txt" target="_blank">http://deibert.citizenlab.org/<wbr>pubkey.txt</a></div><div>8B84 F5D8 1691 8D87 93CB 3398 443A CE6C 19A8 6481</div><a href="http://deibert.citizenlab.org/" target="_blank">http://deibert.citizenlab.org/</a><br><a href="http://twitter.com/citizenlab" target="_blank">twitter.com/citizenlab</a></div><div style="word-wrap:break-word"><a href="http://twitter.com/rondeibert" target="_blank">twitter.com/rondeibert</a><br><a href="mailto:r.deibert@utoronto.ca" target="_blank">r.deibert@utoronto.ca</a><br><br><br></div></span></div></span>
</div>
<br></div></div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div style="font-family:arial,sans-serif;font-size:12.666666984558105px;background-color:rgb(255,255,255)"><div dir="ltr" style="font-family:arial;font-size:small"><div style="font-family:arial,sans-serif;font-size:12.666666984558105px"><table style="font-size:12.8px;font-family:Times"><tbody><tr><td style="vertical-align:top"><table cellpadding="0" cellspacing="3" style="width:45pt;height:45pt;table-layout:fixed;color:rgb(197,194,197)"><tbody><tr style="line-height:0.5em"><td style="text-align:center;width:16px;height:15px;background-color:rgb(197,194,197)">#</td><td style="text-align:center;width:16px;height:15px;background-color:rgb(197,194,197)">#</td><td style="text-align:center;width:16px;height:15px;background-color:rgb(197,194,197)">#</td></tr><tr style="line-height:0.5em"><td style="text-align:center;width:16px;height:15px;background-color:rgb(197,194,197)">#</td><td style="color:rgb(223,52,28);text-align:center;width:16px;height:15px;border-radius:50%;background-color:rgb(223,52,28)">•</td><td style="text-align:center;width:16px;height:15px;background-color:rgb(197,194,197)">#</td></tr><tr style="line-height:0.5em"><td style="text-align:center;width:16px;height:15px;background-color:rgb(197,194,197)">#</td><td style="text-align:center;width:16px;height:15px;background-color:rgb(197,194,197)">#</td><td style="text-align:center;width:16px;height:15px;background-color:rgb(197,194,197)">#</td></tr></tbody></table></td><td style="font-family:sans-serif;vertical-align:top;padding-left:16px"><div style="margin-bottom:1em"><span><div><b style="font-family:arial,sans-serif;font-size:small"><font face="verdana, sans-serif" size="1">Carolina Rossini </font></b><br></div><div><span style="color:rgb(102,102,102);font-family:verdana,sans-serif;font-size:x-small">Vice President, International Policy and Strategy</span><br></div></span><div><a value="+16176979389" style="color:rgb(102,102,102);font-family:verdana,sans-serif;font-size:x-small">+ 1 (617) 697 9389 | </a><font color="#666666" style="font-family:verdana,sans-serif;font-size:x-small">skype: carolrossini | </font><font color="#0000ff" style="font-family:verdana,sans-serif;font-size:x-small">@carolinarossini </font></div><div><font color="#666666"><span style="font-family:verdana,sans-serif;font-size:x-small">PGP ID: 0xEC81015C</span></font></div></div><div><b style="font-family:verdana,sans-serif;font-size:x-small"><font color="#ff0000">PublicKnowledge</font></b><span style="font-family:verdana,sans-serif;font-size:x-small"> | </span><a href="https://twitter.com/publicknowledge" style="color:rgb(17,85,204);font-family:verdana,sans-serif;font-size:x-small;text-decoration:none" target="_blank">@publicknowledge</a><span style="font-family:verdana,sans-serif;font-size:x-small"> | </span><a href="http://www.publicknowledge.org/" style="color:rgb(17,85,204);font-family:verdana,sans-serif;font-size:x-small;text-decoration:none" target="_blank">www.publicknowledge.org</a><span style="font-family:verdana,sans-serif;font-size:x-small"> </span><span><br style="font-family:arial,sans-serif;font-size:12.8px"><div style="font-family:arial,sans-serif;font-size:12.8px"><div style="font-size:12.6667px"><div style="font-size:small"><font face="verdana, sans-serif" size="1">1818 N St. NW, Suite 410 | Washington, DC 20036 </font></div></div></div></span></div></td></tr></tbody></table></div></div></div></div></div></div></div></div></div></div>
</div></div>