The Spies Hacking our Phones are Going Dark, and We're All in Trouble

Wednesday, August 14, 2019 - 4:40 pm5:30 pm

John Scott-Railton and Bill Marczak, Citizen Lab


Nation-states are increasingly abusing powerful commercial hacking and spyware tools to covertly surveil and invisibly sabotage entities they deem political threats, such as investigative journalists, human rights activists, and lawyers. Tools from companies such as EU-based FinFisher and Hacking Team, an Israel-based Cyberbit and NSO Group, allow their government clients to break into targets' computers and phones, access private files and passwords and even spy on activity in the vicinity of the device through its webcam and microphone. In 2018, we discovered likely attempts by the Mexican Government to spy on the phones of the wife and colleagues of a slain journalist, as well as a Saudi-linked surveillance operation that infected the phone of one of Jamal Khashoggi's close associates in the weeks leading up to his assassination.

Our identification of spyware targets is often a laborious process, driven by close work with targeted communities, and the establishment of delicate trust relationships which can take months or years to crystallize. We instruct targets to forward us suspicious links or attachments (common spyware vectors) for our analysis, and in some cases, we perform programmatic scanning of targets' email messages and devices. After we analyze spyware samples, we can perform global Internet scanning and DNS cache probing to map out the global extent of the activity. Though our work has uncovered dozens of cases of commercial spyware abuse around the world, it also suggests that the scale of the problem is significantly broader.

Compounding the difficulty of identifying targets is a trend towards the use of unavoidable zero-day zero-click attacks which leave little or no footprint that a target can notice and flag to us for analysis. Even in cases where a target is suspicious of compromise, legal and technical hurdles may preclude us from obtaining corroborating data from device forensics or cloud platforms. Two reported cases of these zero-click attacks have been recently documented through careful journalistic work with knowledgeable sources, including a hack of BBC and Al Jazeera journalists using an iMessage vulnerability, and a hack of a human rights lawyer using a WhatsApp vulnerability. These attacks cannot be prevented by a target's scrupulous security behaviors, such as screening suspicious messages or installing updates.

In this talk, we will illustrate the Citizen Lab methodology for identifying commercial spyware abuses, using cases from our most recent research, and highlight how developers, platforms, and fellow researchers can all help in addressing the problem of spies "going dark." It is clear that business as usual in the commercial spyware sector threatens our freedoms of thought and action, and perhaps democracy itself. Academic research, especially that which identifies specific cases of abuse can be an effective means to create accountability in the industry, and ultimately put an end to the misuse of these powerful espionage tools for political gain.

John Scott-Railton, Citizen Lab

John Scott-Railton is a Senior Researcher at Citizen Lab (at The University of Toronto). His work focuses on technological threats in civil society, including targeted malware operations, cyber militias, and online disinformation. His greatest hits include a collaboration with colleague Bill Marczak that uncovered the first iPhone zero-day and remote jailbreak seen in the wild, as well as the use of Pegasus spyware to human rights defenders, journalists, and opposition figures in Mexico, the UAE, Canada, and Saudi Arabia. Other investigations with Citizen Lab colleagues include the first report of ISIS-led malware operations, and China's "Great Cannon," the Government of China's nation-scale DDoS attack. John has also investigated Russian and Iranian disinformation campaigns, and the manipulation of news aggregators such as Google News. John has been a fellow at Google Ideas and Jigsaw at Alphabet. He graduated with a University of Chicago and a Masters from the University of Michigan. He is completing a Ph.D. at UCLA. Previously he founded The Voices Projects, collaborative information feeds that bypassed internet shutdowns in Libya and Egypt. John's work has been covered by Time Magazine, BBC, CNN, The Washington Post, and the New York Times.

Bill Marczak, Citizen Lab

Bill Marczak is a Senior Research Fellow at Citizen Lab, a co-founder of Bahrain Watch, and a Postdoctoral Researcher at UC Berkeley, where he received his Ph.D. in Computer Science. His work focuses on defending against novel technological threats to Internet freedom, including new censorship and surveillance tools employed by well-resourced actors against activists and civil society.

@conference {240687,
author = {John Scott-Railton and Bill Marczak},
title = {The Spies Hacking our Phones are Going Dark, and We{\textquoteright}re All in Trouble},
year = {2019},
address = {Santa Clara, CA},
publisher = {USENIX Association},
month = aug,

Presentation Video