Bill Marczak and John Scott-Railton made headlines around the world this week when they disclosed serious iPhone security flaws after an attempted attack on the phone of the prominent human rights activist Ahmed Mansoor through a link in a text message. Scott-Railton and Marczak are senior researchers at the Citizen Lab at the University of Toronto's Munk School of Global Affairs. With the help of mobile security firm Lookout, they traced the link back to a company called NSO Group that sells access to these vulnerabilities to their clients.
U of T News writer Romi Levine spoke with Scott-Railton and with his Citizen Lab colleague Sarah McKune about the incident and about the murky territory that surrounds regulating companies like the NSO group.
Lookout’s vice president of research called the NSO group at the centre of the Citizen Lab report a “cyber arms dealer” – what does he mean by that?
This is an interesting way to describe it. We’re in a geopolitical situation – there’s a market desire from countries that don’t have the ability to build the capability domestically to do digital surveillance. They go looking to the private market. There are a series of companies that are looking to sell them those capabilities. These are companies that are selling kinds of tools governments want for espionage and law enforcement.
Some accuse these companies of being mercenaries. It raises the question of proliferation – how do you decide whether or not to sell to a country? Part of our work at Citizen Lab is based around shedding light on that marketplace and to show clear evidence into whether or not there are abuses.
Are companies like the NSO group doing something illegal?
Some people believe that the way to solve the problem of proliferation is for governments to have export control regulations that require that any sale of this kind of technology is required to get a license and go through a process of evaluation.
The challenge seems to be, even though many of these frameworks exist, it’s still the case these companies are selling spyware technology to countries with notorious histories of serial misuse of this kind of spyware.
It raises the obvious question: If that’s not enough to stop a sale, what would stop a sale?
Ahmed Mansoor has now been targeted three times with this kind of technology from three different companies. If this isn’t evidence of serial misuse, I don’t know what is.
“Zero-day exploits” would have allowed NSO group to jailbreak Mansoor’s phone. What are they?
A zero-day vulnerability is something that the vendor – in this case Apple – has spent zero days working to close. It basically means this is a hole or a bug in a product or software that can be exploited to run malicious code. This is very powerful knowledge because it gets you around the kind of security that you would expect to be built into products.
There’s a market for this kind of knowledge because it represents information about where these secret unlocked doors are that could potentially be very valuable.
There’s also a market for intrusion tools that could be used on top of that.
So a vulnerability is like a secret door, the exploit is a set of instructions that gets you in the door, and the malware is what you put inside once you gain access.
Should the average person see Mansoor’s hacking as a threat to their own privacy?
The attacks we work on at Citizen Lab tend to be targeted at high-value individuals. It is not necessarily something everyone should be instantly afraid of.
But we at Citizen Lab think activists, dissidents and journalists are canaries in the coal mine – this targeting shows us a glimpse of a future where if this kind of market is not in some way addressed, this kind of vulnerability will be more and more part of the daily conversation.
When you target dissidents and journalists you’re not just targeting individuals, you’re targeting the democratic process and the people who help contribute to a fairer and more just and honest society – both because of the direct violence it does to civil societies and because of what it shows us about the future and the risks that will come.
How can someone recognize this kind of threat?
The sophistication of this threat is that it’s hard to recognize. Our advice to the general population is treat links and attachments especially from people you don’t know with great care. With the kinds of threats we see, like in the case of Mansoor, we see the critical importance of companies like Apple quickly responding to security threats we report to them.
How are companies like the NSO group regulated?
The regulatory area that’s been explored so far is that of export control. It’s the first step because export controls include a framework devoted to compliance and there can be penalties if you violate the applicable export control regulations.
There's a multilateral export control group called the Wassenaar Arrangement – it includes over 40 countries including Canada, the United States and Russia, but it does not include Israel (where the NSO Group is based). But Israel incorporates the regulations that are agreed upon in the Wassenaar framework.
Export controls are a very arcane and language-specific beast. The arrangement lists different items that are subject to control implemented on the national levels. Individual nations implement those controls.
One of the controls that was added in December of 2013 related specifically to intrusion software. What NSO Group offers does seem to meet the criteria to be considered one of the items. That’s the crux of the issue – how these controls are implemented.
(If a product falls under the criteria, it’s) not an outright ban, you need to submit a license application and the authorities will grant or deny it.
We just don’t have visibility into the process with respect to NSO Group. It’s possible they may have submitted a request to a licensing application. It’s also possible a request has been granted.
The UAE has significant problems with respect to human rights, including a track record of surveillance, so it seems that if the authorities did engage in this review of the license application, those human rights concerns were not determinative in the decision to grant the application, if it was indeed granted.
So there’s no form of regulation one country can enforce on another country?
That demonstrates the limitation of export controls. They aren’t enough to address the human rights concerns associated with these technologies.
We have to start thinking beyond export controls to what other avenues are available.
What other ways are there to address these regulatory issues?
It involves a number of different facets.
We can look at the applicable laws relevant to this type of activity – there are some criminal laws that could apply to this type of context.
We can also look at consumer protection – this is certainly an issue of fraud perpetrated against individual users. Websites and other components of these types of spyware kits often attempt to mislead users as to what it is they’re trying to access and download.
There are legal and policy options on the table – legislatures need to tackle this issue.
It is very complex but I do think this case demonstrates how vulnerable these types of technologies render users at large. It’s not just about one specific target. It’s about undermining technologies that affect us all.