[bestbits] New Citizen Lab report: “The Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender”

Carolina Rossini carolina.rossini at gmail.com
Thu Aug 25 14:00:51 EDT 2016


Sorry for cross-posting, but great report!

---------- Forwarded message ----------
From: Ronald Deibert <r.deibert at utoronto.ca>
Date: Thu, Aug 25, 2016 at 1:09 PM


I am pleased to announce a new Citizen Lab report
<https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/>:
“The Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a
UAE Human Rights Defender,” authored by senior researchers Bill Marczak and
John Scott Railton.

If you are one of hundreds of millions of people that own an iPhone, today
you will receive a critical security patch.  While updating your software,
you should pause for a moment to thank human rights activist, Ahmed Mansoor.

Mansoor is a citizen of the United Arab Emirates, and because he’s a human
rights activist in an autocratic country his government views him as a
menace.  For security researchers at the Citizen Lab, on the other hand,
Mansoor’s unfortunate experiences are the gift that won’t stop giving.

Mansoor is an outspoken defender of human rights, civil liberties, and
free expression in a country that routinely flouts them all. While he has
been praised internationally for his efforts — in 2015, Mansoor was given
the prestigious Martin Ennals Award for Human Rights Defenders
<https://www.amnesty.org/en/latest/news/2015/10/ahmed-mansoor-selected-as-the-2015-laureate-martin-ennals-award-for-human-rights-defenders/>
— his government has responded with imprisonment, beatings, harassment, a
travel ban…and persistent attempts to surreptitiously spy on his digital
communications.

For example, in 2011 Mansoor was sent a PDF attachment that was loaded with
a sophisticated spyware manufactured by the British / German company, Gamma
Group.  Fortunately, he decided not to open it.

In 2012, he was targeted with more spyware, this time manufactured by an
Italian company, Hacking Team.  His decision to share that sample with
Citizen Lab researchers led to one of our first detailed reports
<https://citizenlab.org/2012/10/backdoors-are-forever-hacking-team-and-the-targeting-of-dissent/>
on the commercial spyware trade.

And so earlier this month, when Mansoor received two unsolicited SMS
messages on his iPhone 6 containing links about “secrets” concerning
detainees in UAE prisons, he thought twice about clicking on them.
Instead, he forwarded them to us for analysis. It was a wise move.

Citizen Lab researchers, working in collaboration with the security company
Lookout, found that lurking behind those SMS messages was a series of “zero
day <https://en.wikipedia.org/wiki/Zero-day_(computing)>” exploits (which
we call “The Trident”) designed to take advantage of unpatched
vulnerabilities in Mansoor’s iPhone.

To say these exploits are rare is truly an understatement.  Apple is widely
renowned for its security — just ask the FBI
<https://www.wired.com/2016/03/fbi-drops-case-apple-finding-way-iphone/>.
Exploits of its operating system run on the order of hundreds of thousands
of dollars each.  One company that resells zero days paid
<https://www.zerodium.com/ios9.html> $1 million dollars for the purchase of
a single iOS exploit, while the FBI reportedly
<http://arstechnica.com/tech-policy/2016/04/fbi-paid-at-least-1-3m-for-zero-day-to-get-into-san-bernardino-iphone/>
paid at least $1.3 million for the exploit used to get inside the San
Bernardino device.  The attack on Mansoor employed not one but *three
separate* zero day exploits.

Had he followed those links, Mansoor’s iPhone would have been turned into a
sophisticated bugging device controlled by UAE security agencies. They
would have been able to turn on his iPhone’s camera and microphone to
record Mansoor and anything nearby, without him being wise about it. They
would have been able to log his emails and calls — even those that are
encrypted end-to-end. And, of course, they would have been able to track
his precise whereabouts.

Through careful, detailed network analysis, our team (led by Bill Marczak
and John Scott Railton) was able to positively link the exploit
infrastructure behind these exploits to an obscure company called “NSO
Group”.

Don’t look for them online; NSO Group doesn’t have a website. They are an
Israeli-based “cyber war” company owned by an American venture capital
firm, Francisco Partners Management, and founded by alumni of the infamous
Israeli signals intelligence agency, Unit 8200
<http://www.ft.com/cms/s/2/69f150da-25b8-11e5-bd83-71cb60e8f08c.html>.
This unit is among the most highly ranked state agencies for cyber
espionage, and is allegedly responsible
<http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?_r=2&pagewanted=2&seid=auto&smid=tw-nytimespolitics&pagewanted=all>
(along with the U.S. NSA) for the so-called “Stuxnet” cyber attack on
Iran’s nuclear enrichment facilities.

In short: we uncovered an operation seemingly undertaken by the United Arab
Emirates using the services and technologies of an Israeli “cyber war”
company who used precious and very expensive zero day iOS exploits to get
inside an internationally-renowned human rights defender’s iPhone.

That’s right: Not a terrorist. Not ISIL. A *human rights defender.*

(An important aside: we also were able to identify what we suspect are at
least two other NSO Group-related targeted digital attack campaigns: one
involving an investigative journalist in Mexico, and the other a tweet
related to an opposition politician in Kenya).

Once we realized what we had uncovered, Citizen Lab and Lookout contacted
Apple with a responsible disclosure concerning the zero days.

Our full report is here:
<https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/>

Apple responded immediately, and we are releasing our report to coincide
with their public release of the iOS 9.3.5 patch.

That a country would expend millions of dollars, and contract with one of
the world’s most sophisticated cyber warfare units, to get inside the
device of a single human rights defender is a shocking illustration of the
serious nature of the problems affecting civil society in cyberspace.  This
report should serve as a wake-up call that the silent epidemic of targeted
digital attacks against civil society is a very real and escalating crisis
of democracy and human rights.

What is to be done?  Clearly there is a major continuing problem with
autocratic regimes abusing advanced interception technology to target
largely defenceless civil society organizations and human rights defenders.
The one solution that has been proposed by some — export controls on
items related to “intrusion software” — appears to have had no effect
curbing abuses. In fact, Israel has in place export controls
<http://www.hfn.co.il/client-update-decided-%E2%80%93-facilitate-cyber-export-controls-much-possible>
ostensibly to prevent this very sort of abuse from happening. But something
obviously slipped through the cracks…

Maybe it is time to explore a different strategy — one that holds the
companies directly responsible for the abuse of their technologies.  It is
interesting in this respect that NSO Group masqueraded some of its
infrastructure as government, business, and civil society websites,
including the International Committee for the Red Cross, Federal Express,
Youtube, and Google Play.

Isn’t that fraud against the user? Or a trademark violation? If not
considered so now, maybe it should be.

Meanwhile, please update your iPhone’s operating system, and while you’re
doing it, spare a thought for Ahmed Mansoor.


All iPhone owners should update to the latest version of iOS immediately.
If you’re unsure what version you’re running, you can check Settings >
General > About > Version.


Ronald Deibert
Director, the Citizen Lab
Munk School of Global Affairs
University of Toronto
(416) 946-8916
PGP: http://deibert.citizenlab.org/pubkey.txt
8B84 F5D8 1691 8D87 93CB 3398 443A CE6C 19A8 6481
http://deibert.citizenlab.org/
twitter.com/citizenlab
twitter.com/rondeibert
r.deibert at utoronto.ca



*Carolina Rossini *
Vice President, International Policy and Strategy
+ 1 (617) 697 9389 | skype: carolrossini | @carolinarossini
PGP ID:  0xEC81015C
*PublicKnowledge* | @publicknowledge <https://twitter.com/publicknowledge>
 | www.publicknowledge.org
1818 N St. NW, Suite 410 | Washington, DC 20036