
So just to run through a little bit of background on Jeff. Jeff is a full stack developer, system architect, and data privacy and security enthusiast. He is a hands-on leader that has spent way too much time behind the computer monitor, working with computer engineers and software developers to develop the latest weaponized malware protection and security focused communication solutions. He also advocates for data privacy and security through technological advancement and education. At this point I want you all to join me in welcoming Jeff.

That's okay, that's okay. All right, so that I guess is my introduction. I'll just add that I've been working in the security industry now for 14 years and I'm really excited to share the wild world of weaponized malware with you guys, the stuff that's kind of behind the curtain. There's a couple of slides we should be able to skip to speed things along a little bit, but we'll go through what weaponized malware is.

So weaponized malware is the private industrialization of deadly and effective exploits that have been designed to simplify and reduce the technical complexity of launching a multitude of cyber kill chains against an intended target. The purpose of weaponized malware is to deploy spyware agents which can aid in a multitude of operational objectives, including espionage, surveillance, extortion, blackmail and theft of sensitive or classified information. Many of the surveillance vendors that we'll be talking about today are commonly referred to as commercial spyware vendors, or CSVs. They advertise and sell their products like traditional armaments, where you would need to purchase a magazine of rounds that can be used with your newly purchased weapon.

The current state of weaponized malware in regards to mobile device surveillance has reached an all-time high. If you're sitting there wondering whether your phone is vulnerable, the answer is yes. All you need is a phone number, and within minutes you could be the next victim or target. As an attacker you have the ability to access the microphone, camera, emails, text messages, location services, all of your browsing history, your full application data and so much more. The list will only become longer as I start to showcase the technical capabilities. While we dive into the hidden world of covert surveillance, we must consider that most of our digital lives are on our mobile phones, and to many of us they are an extension of who we are as an individual. Weaponized malware can have a profound impact on the intended target and the communities that they live in. What I find most fascinating about these tools is that they are now predominantly sold by the private sector, which now actually surpasses governments in the development of similar tools required to conduct intelligence operations in cyber warfare. Commercial spyware vendors try to make these attacks very easy for their customers: with point-and-click dashboards like the cyber operations platform you see here, they can initiate attacks against target devices, gather intelligence and manage existing infections.

So of course in the security world we love our technical lingo and acronyms, so I didn't want to leave anybody behind in this presentation, because it kind of builds upon the base knowledge of what a zero day is. We can go through it quickly, I guess. So a zero day vulnerability is a software flaw which is unknown to the vendor and where no fix is currently available. This allows successfully infecting a target even with a fully
patched and updated device or system. A zero click attack is a term used for an exploit that can infect a device without requiring any user interaction; an example would be receiving an iMessage or missing a phone call on WhatsApp. A one-click attack requires only a single action from the intended target; typically various social engineering techniques are employed to trick the intended target into opening a malicious link. Non-remote attacks, also referred to as tactical infections, allow an attacker to exploit devices in physical proximity. Malicious Wi-Fi networks and mobile base stations can be used to silently deploy a zero click or a one-click exploit. Attackers can also exploit vulnerabilities in cellular baseband software and Bluetooth. Some leaked documents specifically now show exploits targeting voice over LTE and Wi-Fi calling, which most of us will have on our phones right now. A strategic ISP infection allows for network injection attacks deployed at an internet service provider or national internet gateway. This differs from standard mass IP surveillance, as it's basically used to deliver spyware instead of just watching all the packets that move through. What else do we have on here? Man-in-the-middle attacks, this is an important one as well. This is where an attacker can read, modify, block and manipulate network requests. Man-in-the-middle attacks can be used in a variety of ways, but most notably for network injection and bypassing encryption altogether. Command and control servers have multiple uses: they can be used to send commands to the spyware agent, they can distribute malicious payloads, and they can also be used to receive stolen data exfiltrated from devices. And spear phishing, that's a really good one, as we've all hopefully heard about. That's a serious threat to everyone and can be very difficult to detect. It normally involves sending an email or a message to an intended target from a known or a trusted sender, but in the case of weaponized malware the message is perfectly crafted to persuade the target to execute a one-click exploit.

Players. Before we get into how some of these attacks work, let's highlight some of the key players in the
industry. So we're all building up to get to the whole Signal extraction, if you're here for that, so that should be good. Many of these key players are prevailing today. These spyware vendors are collectively branded as lawful intercept companies. They claim to only sell to customers with legitimate uses for surveillance, such as intelligence and law enforcement agencies. The reality is many of these tools are now often abused under the guise of national security, from spying on human rights activists, journalists, academics and government officials. In recent news Amnesty International released a report shedding light on how these tools are now being used to facilitate gender-based violence. Many of these companies have been caught selling to private organizations for corporate espionage, extortion and intimidation. Thanks to the hard work from the EIC, or the European Investigative Collaborations media network, with technical assistance from Amnesty International's Security Lab, we finally have a glimpse into the global spyware trade. Agnès Callamard, who is Amnesty International's Secretary General, said that the Predator Files investigation shows what we have long feared: highly invasive surveillance products are being traded on a near industrial scale and are free to operate in the shadows without oversight or any genuine accountability. It proves yet again that European countries and institutions have failed to effectively regulate the sale and transfer of these products.
All right, first one up, it's my favorite: the Intellexa alliance. They're an evolving group of companies and brands that have been involved in developing and marketing a wide range of surveillance products, including advanced spyware, mass surveillance systems and tactical infection platforms for targeting and intercepting nearby devices. The links between these companies are shrouded in secrecy through corporate entities; the structures between them are constantly morphing, renaming, rebranding and evolving. The Nexa Group, which is one of the members, was created in 2012 and primarily operates from France, specializing in mass surveillance systems. It was actually created to take over from another mass surveillance business from the French company called Amesys. The Nexa group originally contained Nexa Technologies from France and Advanced Middle East Systems, which is a sister sales office located in Dubai. The Intellexa group, founded in 2018 by a former Israeli army officer, is controlled by a holdings company based in Ireland. The main companies under the umbrella are Cytrox, WiSpear and Senpai, which specialize in the creation of virtual avatars for spear phishing. It is unclear if the alliance between the Nexa group of companies and the Intellexa group is still currently active this year. The Intellexa alliance is best known for its Predator spyware, which targets both iOS and Android devices. It was originally created by the North Macedonian company Cytrox, which became part of the alliance in 2018. Predator is normally combined with other products that the alliance offers to increase the probability of a successful infection, using products like Mars or Jupiter for strategic ISP infections, Spearhead, Triton and Alpha-Max for tactical infections, with the optional add-on, what's the name of it, the optional add-on Epsilon to facilitate man-in-the-middle attacks against mobile devices, or AAA, automated active avatars, which is a platform to manage fake social media accounts and messaging application accounts that is used to social engineer a target into opening an exploit link.

The next one, NSO Group, is an Israeli cyber arms company best known for the development of Pegasus. They are well known thanks to the extensive media coverage they've received during
numerous legal battles. They also made headlines when the FBI came very close to using Pegasus for domestic spying inside the United States. Early versions of Pegasus, which was first identified in 2016, used spear phishing techniques, but by 2019 the NSO Group had finally upped their game and they graduated from single click exploits to zero click exploits, when it was found that WhatsApp was being targeted by Pegasus. Simply calling the intended target's WhatsApp number would automatically exploit and infect the device; you didn't even need to answer the call. By 2020 Pegasus shifted towards primarily using zero click exploits and network-based attacks. These methods allowed clients to break into target phones without requiring any user interaction. Since 2020 many of the exploits used were based on vulnerabilities in the iPhone's iMessage features. If Pegasus fails to compromise a device using a zero click exploit, it can also be installed by setting up a wireless transceiver near a target device or by gaining physical access to the phone.

RCS Labs is an Italian surveillance company; they've been active for over 30 years. Recently they were acquired by Cy4Gate, which is a company that provides cyber electronic warfare and intelligence to private enterprise and government and law enforcement agencies. Their spyware is named Hermit and is known for its ability to infect both Android and iOS devices. Both companies have been surrounded in controversy and have been well known to sell to authoritarian regimes. Hermit is specifically designed to infect mobile devices. It can carry out various surveillance activities, including tracking calls, accessing your messages, recording audio and exfiltrating data from the device. Their spyware operates using a modular approach: additional features can be downloaded as needed after the initial infection takes place. This makes it very flexible and adaptable for different surveillance needs depending on the individual target. Hermit is often delivered via malicious links sent through SMS messages or through spear phishing attacks. The spyware has been linked to sophisticated operations that often involve collaboration with local telecommunications providers to disable data connections, forcing the victim to connect to a malicious Wi-Fi base station where it could then deliver its payload.
It was also found to be embedded in legitimate carrier branded applications.

Black Cube. All right, this is more of an honorable mention. This company does not have all the technical capabilities of those previously mentioned, but is widely recognized for its expertise in espionage services. It started as an Israeli private intelligence firm and has been involved in controversial corporate espionage, legal investigations and intelligence gathering activities. It wasn't until recently that they were found to have an affiliation with a company called Ah Global Technologies that offers zero click exploits for both Android and iOS. Its most notable tool was a Bluetooth exploit called [inaudible], which is a Bluetooth zero click tactical infection: as long as your phone has the Bluetooth drivers on it, you're instantly infected within its radius. Aretes penetrates mobile devices without any interaction from the user. Once the device information is collected and transmitted, the agent will automatically erase itself from the target, removing all evidence that it was even there in the first place. Black Cube was reportedly hired by Harvey Weinstein to gather information on individuals, including journalists and potential accusers, in an effort to prevent stories of sexual harassment from being published. They have also been involved in numerous corporate cases where they were hired to gather intelligence on competitors, critics and adversaries. This demonstrates that the power of these tools is now slowly shifting hands from governments and moving into the private sector. Once the exclusive domain of governments, many of these tools can now be purchased and deployed by non-state actors. The consequences of this only exacerbate the ongoing struggle to protect ourselves as individuals and the organizations that we work for. In recent years many ethical and legal questions have been raised regarding their use, and they have even started to earn the name mercenary spyware for hire.

The March threat intelligence report by Google noted they had observed 97 zero days exploited in the wild in 2023, compared to only 62 in the previous year. Many of these exploits were found to have already been incorporated into weaponized malware. Even encrypted messaging applications such as Signal can become vulnerable to data exfiltration when infected with such malware, despite their strong security protocols. The unchecked spread of these capabilities underscores the need for better regulation, stronger defenses and heightened awareness of cyber security threats. Many of these exploits reported were able to run arbitrary code, extract contacts, call logs, messages, photos, web browsing history, as we mentioned earlier, as well as gather information from many different applications, including iMessage, Gmail, Signal, Threema, Viber, Facebook, WhatsApp, Telegram and Skype. The point of this is that most of those applications utilize some sort of encryption, some sort of end-to-end encryption, right, and they're still able to actually extract that. Many of these tools attempt to gain root access, similar to jailbreaking on iOS devices, and if this approach fails they still have a range of other attack vectors at their disposal. When combined with stealth techniques, this creates an increasingly dangerous and lethal ecosystem.
So you may be wondering how these companies make sure their software doesn't fall into the wrong hands. The growing number of leaked documents throughout my research suggests that most commercial surveillance vendors are indifferent to whom they sell their products. While they may have started with good intentions, increased sanctions have led them to find new and creative ways to expand their operations. They've actually developed methods for handing off supporting hardware at airports or terminals. A key aspect of many CSVs is that they offload the work of setting up the attack infrastructure to their customer, allowing them to maintain plausible deniability by claiming they have no knowledge of where their software will eventually be used. This not only shields them from reputational damage but also enables them to distance themselves from responsibility if their customers' actions, including the attack campaigns, are exposed. This technique, as you can see here, is known as the Incoterm CIF, which stands for cost, insurance and free.

All right. The advanced capabilities of weaponized malware against mobile devices may feel like an uphill battle, but there may be some hope at the end of the tunnel. Before we can learn how to protect ourselves, we first need to understand how they operate. So the first step is normally the most obvious: select your target. To infect your target you're going to need to know some information about them. Can you simply infect them remotely using their
phone number? Do you need to execute a tactical infection, which would require physical proximity to a target? Or do you need to perform some reconnaissance to understand their behavior and the best way to infect their device? Using a remote zero click attack is the fastest and the easiest option, but sometimes the device may not meet the requirements for the exploit. In such cases tactical infections are normally used; however, this approach frequently affects multiple devices in the vicinity. To confirm a successful infection, many innocent users are caught in the crossfire and have their personal information compromised while the attacker locates, through the information gathered, the eventual target's device. These tools come with an arsenal of techniques to make sure they can exploit the intended target even when one or two methods may fail. The most commonly used attack vector is a zero click exploit, meaning the target doesn't need to click on a malicious link or open the attachment. A simple missed call on apps like WhatsApp, or iMessage or FaceTime, which is another vulnerable system, could be enough to trigger the infection. If this fails, a non-remote, also known as a tactical infection, will silently infect the device. Many of these exploits leverage multiple CVEs; in the 2021 Google TAG report they describe how threat actors leveraged five different zero day exploits to deliver the Alien agent in charge of loading Predator. If these methods fail, they can fall back to the age-old technique of social engineering, which hopefully you guys kind of know about, but basically sending a phishing message through email, SMS or other messaging applications. They also love to use social media, and this message will normally contain a one-click exploit, and then once it's opened the device is infected. Now, an interesting note on that is most of these techniques do rely on a web browser actually being present on the device for it to work. Spyware vendors go through great lengths to make sure the final payload is very difficult to detect, reverse engineer and protect against. Once the payload has been delivered, depending on
the type of malware, it gets to work quickly, activating or downloading any remaining components based on the configuration of the device. Before the exploit is initiated the spyware will perform some initial checks; many of these steps make sure that a security researcher is not actively engaged in trying to extract components of the malware or analyze the device. So the first thing they normally do is they make sure that the phone isn't already infected, so they're not wasting, you know, one of their licenses. They're going to double check that the system log is not actively being monitored. They're going to perform a basic location check; they're going to abort if the locale is set to a restricted country, depending on the CSV. They're going to check if developer mode is enabled. They're going to check for a rooted or jailbroken device. They're also going to check to see if the device is being monitored by processes like tcpdump, netstat, stuff like that. They're also going to make sure that no proxy is in use on the device, as proxies can be used to intercept encrypted traffic. And they're also going to validate if there's any additional root CA installed on the phone, since the root CA could be an indication security researchers are on the device trying to intercept traffic.

It's my favorite slide of the day: Alien, which is a unique piece of spyware that loads the Predator malware,
can receive new modules to prevent the need for repeated exploitation. They come as a team and they're offered by the Intellexa alliance. While Alien and Predator can be used against Android and iOS, much of the information available is regarding Android exploitation. The Android agent first checks to see if it is running in a privileged address space and was launched in an independent thread. It can then start forking other processes, and by using interprocess communication, or IPC if you're an Android developer, the agent can start communicating with the Predator malware. This allows for a discreet communication system that hides itself within other legitimate system processes and also avoids network-based indicators and avoids SELinux restrictions. As you can see in this diagram, Alien exploits the memory space reserved for Zygote to sidestep its way into creating privileged processes inside the Android permission model. Since Zygote is the basis for starting all services and applications on the device, Alien can actually change UIDs and use other SELinux contexts that possess different privileges, since it's the parent process. This allows bypassing the majority of all security restrictions, well not all, but the majority of security restrictions designed into that operating system.

Persistence. In 2021 exiled politician Ayman Nour's iPhone was infected with not only Predator but Pegasus as well. Analysts suggested Pegasus was the first infection, using the zero-click iMessage exploit, followed by Predator an hour later via a one-click exploit in WhatsApp.
This agent calls a function which downloads an iOS automation payload to ensure its persistence on reboot. The automation is triggered when certain apps are opened, which include the majority of both built-in Apple applications and third-party applications. Persistence is a module installed by first checking if the battery is greater than 9%. Most of us developers don't do an update, right, without making sure that battery is good. Then it automatically downloads the JavaScript code from C2 servers, and presumably the automation triggers the exploit, which results in auto reinstallation of the Predator malware on subsequent reboots. In 2021 Predator could only survive a reboot on iOS devices; by April of 2022 persistence became an add-on feature for both Android and iOS, depending on the customer requirements and how much money they have available to them.

The majority of weaponized malware communicates with command and control servers, and thanks to Talos intelligence we have further insight into how the malware knows what information to capture on the device before being exfiltrated. In the case of Android, the spyware will look at the product manufacturer, and it'll actually just request the build props right from the device, and then depending on the manufacturer it will ask the C2 server for which directories and applications to start targeting. As you see here, the stolen data is then written to a temporary directory before being exfiltrated from there. Some also use
encryption to make it a little bit harder if it passes through your network. Yeah, this one touches on that. So Pegasus has multiple communication channels. In the past Pegasus has employed SMS as a legitimate way to receive commands from the attacker; as you can see above, the text message looks like a legitimate password reset, but it actually contains instructions for Pegasus to update its C2 server. This functionality allows Pegasus to be updated out of band if HTTP or HTTPS is currently unavailable. This genius functionality allows the infection to persist even when the command and control servers have been taken down or compromised. And just a side note on that one: so when you look at the little laser pointer on here, the nine is actually the instruction, and inside of that is actually the URL when it takes out the hash from that one. It's kind of interesting, so it has different instruction commands depending on the last digit of that one. Many of the exfiltration methods also run low and slow; they gather up as much information as possible and then exfiltrate it when they're ready, to avoid detection. But in addition to storing information for a later date, they also have the time to conduct real-time espionage, where your device's microphone and camera can be enabled remotely, giving the attacker continuous access to your current surroundings. Some of the commercial spyware vendors will prevent detection by only exfiltrating data on specific intervals and making sure to use unmetered connections: Wi-Fi data is normally not monitored as closely as your SIM card data, since it has no effect on your mobile internet plan. Some target devices may have agents installed or could be in a protected network, so the attackers will go to great lengths to obscure and anonymize the network traffic, making it very hard to identify the nature or source of these attacks, as seen in the Predator architecture diagram.
One of the main reasons exploits used by weaponized malware can sustain such long life cycles is due to the fact that the spyware goes through great lengths to make sure it's erased without leaving any trace evidence it was even there in the first place. This makes it very hard to figure out how the spyware operates and build solutions to protect from these types of attacks. Pegasus has a highly sensitive built-in self-destruct mechanism: when the software appears to be threatened or unable to communicate with its command and control servers, it will automatically self-destruct, removing all persistence mechanisms with it. Pegasus even goes as far as to remove all of the libraries used for the live video and audio recording. The attacker can also send remote self-destruct commands for when the surveillance has been completed. This functionality is important, as licenses are actually based on concurrent infections, so it allows for more potential targets. By using these methods it makes it very difficult to attribute the attack to its originator and helps maintain the operational effectiveness of the spyware.

Encryption works until it doesn't. Encryption is a very important aspect in all of our lives. Many people don't even realize how many times in a day they actually interact with some form of encryption, whether it's navigating to a website using HTTPS, connecting to a Wi-Fi network, watching Netflix, or even
scarier, we'll go into that one, or making sure your private photos stay in the cloud where they belong. Some of you may have heard the phrase "encryption is rarely cracked, it's bypassed." Cracking encryption can be hard, really really hard, so why waste computational resources when you can simply bypass it altogether? Most secure messaging applications and protocols focus on the end-to-end encryption aspect, but when dealing with weaponized malware you really need to take a holistic approach to data security. So we're going to do just a quick run through the history of mainstream encryption. Starting with PGP, or Pretty Good Privacy, which was created by Philip Zimmermann. He released the open source code in 1991, but back then the government thought these ideas were dangerous. It was a paradigm shift from ultimate control to no control. They thought the ideas were so dangerous they considered them to be weapons; they classified cryptography as munitions. If you wrote some crypto code and you sent that to a friend in another country, it would be considered the same as selling them a Hellfire missile at today's standards. Since books are considered to be free speech, Zimmermann was able to circumvent these policies and publish his source code in a book called PGP Source Code and Internals using MIT Press. PGP is primarily known for email encryption, but can also be used to encrypt data at rest. The problem with PGP adoption was the complexity of setup, and it still required the user to manage the cryptographic keys, of course understand PKI infrastructure, and manually encrypt and decrypt messages. What's our time looking like? All right.

OTR was presented in 2004 as an improvement over OpenPGP and S/MIME. The protocol allowed for real-time chat-based communications. Pidgin was the first mainstream implementation of OTR encryption. This protocol had many issues and was repeatedly subject to many man-in-the-middle attacks; by 2007 many vulnerabilities were discovered, which led to the creation of the Socialist Millionaires protocol, improving protection against man-in-the-middle attacks. OTR was the inspiration for protocols like the Signal protocol, which allowed offline messages, and OMEMO,
which provided multi-end encryption, allowing messages to be synchronized across multiple devices or clients. The Signal protocol is the backbone of modern secure messaging systems. It started its journey in 2010 as a small startup called Whisper Systems, co-founded by Moxie Marlinspike and roboticist Stuart Anderson, where they created the first TextSecure and RedPhone applications for Android. It was actually acquired in November 2011 by Twitter. In 2013 Moxie founded another company, this time called Open Whisper Systems, for the continued development of the open-source TextSecure protocols, where he developed the Axolotl ratchet with Trevor Perrin. The ratchet, named after the endangered aquatic salamander with self-healing abilities, allows for every message sent and received to use a new key, which provides forward secrecy, and allows for public keys to be periodically refreshed, ensuring that even if a single session is compromised, future messages can remain secure. In November of 2015 the TextSecure and RedPhone applications were merged to become Signal for Android, which many of us use today. The following year the Axolotl ratchet was renamed to the Double Ratchet algorithm, and the TextSecure protocol became known as the Signal protocol. This was done to avoid confusion between both the ratchet and the full actual protocol. So the protocols that we just went over primarily deal with the problem of end-to-end encryption. Many other aspects, including identity
verification and storage, are left to the developers, and this is where things go wrong. The majority of application developers do not use any storage encryption at all. Mobile application developers think that Android and iOS devices are a magical black box. The fact is most of these applications rely on the operating system for protection. When dealing with weaponized malware, if you haven't implemented any type of storage encryption your application is vulnerable to attack. Without two-factor identification, like a password or hardware token, exploits are then created to decrypt and access this encrypted information. Here is one such exploit that has been leveraged by many surveillance vendors to access your Signal communications after a successful privilege escalation.

So I did a pre-record so we don't have any technical difficulties during this one. So right now we basically have a privilege escalation. If you're not familiar with this, this is Genymotion, thanks man, this is Genymotion, of course with root privileges installed on it. So just like how weaponized malware would attack it, most of the hard work is done. Signal changed a few years ago: Signal used to use a passphrase you could actually have for the database, and then they slowly started moving towards using Android Keystore protection, but because they, you know, specialize in end-to-end encryption, why should they have to worry about the storage encryption? So they said okay, let's just pass it on to Google, and everybody has a Google phone. So when you're looking for exploits, of course most of the exploit brokers, I think right now it's $2.5 million for an Android zero click and only two million for an iPhone zero click on the market right now, which is kind of interesting. Yeah, so as we're setting this up, can't see from here, yeah, as we're setting this up we're setting up a legitimate phone number. You'll see that I keep getting a challenge because I did this quite a few times, so
it didn't like what I was doing, but of course I'm human, we'll pass the challenges. I'm actually talking with my partner there, SEL, on her phone, and so what we're going to do is just kind of send some conversations back and forth, which people use on some standard phone, and then from there we... So how many of you use Signal? Show of hands. Nice, all right, this would be good for you guys,
and just kind of showing, we show only a single device. Now I had a really interesting question earlier. So I'm interacting with this device, and one of the questions that I had in the previous talk was, well, what if ADB is unavailable? But remember, we don't have to worry about ADB being available to the computer, because this exploit is just an app that you would just put onto the device. This is me doing a manual installation of the exploit; you can see it's a little bit longer of a process, but most of this... oh yeah, this is quite interesting. So I've extracted the database; once extracted, you open the shared
preferences, so everything in this section here, that's actually your encrypted secret in plain text right there. So the exploit that we're going to run, which is available (probably available, you guys can use it), it follows the steps itself, which is kind of fun. So you can see there's a single
device, so there's a section here once we do a pull on the database; this is a very fast
area. So we're just running the checksum on it as well, so you can kind of see it work, because what we're actually doing is, when Signal's installed, there's a secret inside shown here, so you're able to actually see the checksum from that. Then all we're going to do with this exploit is basically use this key here, and our little application is going to build another key right next to it. So here it is, and funny enough, this actually uses the Signal code for the decryption. So open-source technology is great, but it's a double-edged sword too, so I should go and grab Signal's code for decryption and how they
store it, and actually dump it in here. So, if you can see, we're just copying and pasting into
this. Yeah, the new Android Studio Logcat sucks; it takes time to get it all filtering for you guys. So here's the app over here, I just launched it up. So now what it's done is actually just create another key store, just like Signal did, and so we go in here (there were a few titles, I'm sorry) but we're going to find the new key store. That was pretty neat to see; we have two different hashes on
it. It should be different to start; there's a different key inside of the key store, but then we're going to override it with the Signal one, so now they're the same.
So that we should be able to see there... so we've faked and duplicated the key store from Signal, so now we should be able to get that further, and we should be able to open it. From here it just takes a couple of seconds to fire through and pass... I see. So I believe earlier I showed I tried to open the database and it said, hey, this isn't a database; it did not understand or recognize what it was. So now we're going to open it up in DB Browser, DB Browser for encryption. You actually have to use the main database, and I'd say this one was a little bit tricky; you can't just hit go. So there's a guy who's got an
excellent blog on how to do this as well, and he actually figured out what numbers you actually needed to be able to open the stuff, which is cool. And so yeah, you know, full access to the database, and from here you can basically just start storing, storing, storing, and then eventually you just send off the secret and you send off the database, and full access to all your Signal communications. As you can see here, that's our private conversation. Yeah.
All right, so I'm sure many people in this room, of course, as we know by show of hands, have Signal, so make sure to get those tinfoil hats ready (you already have one, I think, so you're good). So let's look into some ways that we can protect ourselves from weaponized malware. One of our developers, this guy actually right here, Anthony, shared this with me and actually the whole team a few weeks ago. The surveillance industry has always, of course, survived in a murky and shadowy world. Thanks to an entire community of volunteers, Surveillance Watch created an interactive map that allows you to visualize the global surveillance
industry. You get to browse through known targets, affiliations, subsidiaries, partners, and what's really cool is the financial backers as well. So when you start going through this, it's a little bit scary to see which of these companies you'd never think have been involved, which is super cool. It's also community driven, well executed, with numerous credible sources, so you can actually cite your work. I highly recommend checking it out, and if you haven't already, definitely take a picture before I change the
slide. Perfect. All right, privacy washing award goes to... yeah. An interesting takeaway that I learned during my research is that having the newest device or the latest operating system has absolutely no impact on commercial spyware vendors. Google and Apple release, or at least try to release, a new version of the operating system every year, but they allow early access to beta versions months, sometimes half a year or more, before general availability, and this gives plenty of time for vendors and exploit suppliers to confirm previous attack chains are still working and gives them time to develop new exploits before it's actually released to the public. So there they are, jumping with joy. Exploit brokers: I mean, we only
have 45 minutes, we don't have much time, but exploit brokers sell full or partial exploit chains as a subscription model. Customers are entitled to working exploit replacements if an attack chain that they purchased fails. Exposing vulnerabilities as a security researcher is very important, but it doesn't seem to make any impact on the CSVs. All right, so armed with your new knowledge, make sure to do your research when considering a change in your security. I hear all too often that privacy-based operating systems are the savior of our digital security; some of their websites even boast that they're security focused and help Google and the Android team find numerous security vulnerabilities. But let's just take a step back for a second: security focused
and privacy focused are two very different approaches to system architecture and design. The confusion stems from the fact that privacy-focused operating systems implement many security features, but at their core they are built to break free from the big companies tracking your every move. With weaponized malware, as we've learned, any phone using features like a web browser, SMS, GSM calling, or Bluetooth is susceptible to an attack. Users are often the weakest link in cybersecurity, so even application stores and sideloading can be harmful, as human behavior is unpredictable and vulnerable to manipulation, which is just one of the methods preyed upon by commercial spyware vendors. These companies offer great alternatives to the mainstream offerings,
but they are not designed against advanced threat actors with weaponized malware at their disposal. All right, this one's just kind of a funny one; real quick, we'll just go through it. As we've seen throughout the presentation, weaponized malware is designed to circumvent all the standard practices we thought would keep us safe. So we know strong passwords aren't going to work; they're already on your phone. We know that the latest updates aren't going to work, because they already have access to the latest update before it's pushed to your phone. The latest device doesn't matter; they already have access to the OS before it's released. Antivirus: as you can see, they do a very good job of making sure
that they can avoid your antivirus. Not a bad thing, but they make sure they can. Encrypted messaging: as we've seen, most of it's end-to-end encryption; nobody's really looking at the storage of the actual device that is being targeted. 2FA, MFA: right, we all want to use that; they're on your phone, they have access to your text messages, they have access to your authenticator, they have all the information they need. Daily reboot: this used to be a really good thing to do; now, with persistence being an optional add-on, it may not be a bad thing to do, but if whatever country or private company purchased it, they can potentially circumvent that altogether;
it reinfects every time you reboot. Changing SIM cards: that is one that can kind of help, but tactical infections can also break through that. So, last slide. On the last one, there is some hope though. Apart from investing in a dedicated secure communications device, there are some solutions to keeping your personal phone safe. If you use iPhone, disable iMessage and FaceTime; the majority of exploits are actually designed for iPhone. Browse the internet (this is a really cool one) with an alternative browser like Firefox Focus: Firefox is a target, Chrome is a target, Safari is a target, but Firefox Focus, as an example, is not a target because it's not mainstream
enough. Always use a VPN or Tor; I didn't have a chance to go into the really cool tactical ISP infections with 307 redirects, maybe I'll do another talk on that one. Install a security application that checks and warns if the device is rooted or jailbroken; that one's really cool, because they are normally going to root or jailbreak it before they do anything crazy on your device, so if you can detect that right away, you know there's something on there. Never click links in messages; we all still have a habit of opening links from time to time, especially if we feel it's from a trusted sender. Which brings me to my favorite personal method, this is
the tried and true: factory reset your device on a quarterly basis, especially after traveling. This is a sure way to keep your device free of spyware. A really interesting fact on all of this as well: in 2019 at Larnaca International Airport, a lot of the travelers through there were pleasantly surprised with the new high-speed internet that was available. What they didn't know is, between I think it was fall and the next summer, over 99 million devices were compromised as they walked through Cyprus's main airport; zero-click infection across the whole system. Yeah, thank
you. All right, I think we have a few minutes for questions. Anybody have anything?
It does help a little bit. If you look at, I think, Citizen Lab, if you just type in Citizen Lab, lockdown mode, Egypt, they actually got through that as well, and it was very hard to infect it, so it does help, but they were still able to get through. They found it by sending it to Citizen Lab, and they did a full forensic on it and found out, yeah, you've been infected. But it is a start in the right direction, so Apple is kind of getting there. Anybody else? Yeah. First, thank you for the presentation. My question is, for your research, have you
seen any information where any of these exploits have used kernel-level access, so they have, even if you factory reset your device, this is still... it can... and the second question is, this is so sophisticated; again, in your research, have you seen this is more private... It's a good question. So the first one, on the kernel: a lot of them are kernel exploits; factory resets actually seem to get rid of them, which is really good. I can really only speak to Android, I'm not an iOS guy at all, but they're not able to persist through full factory
resets, which is really cool. And your second question was, if you go back to 2019, 2020, this was really nation-state stuff. As you can see with that inco term CIF, with all the sanctions being put onto these companies, they basically now, you mean, they've got to stay in business, and so they're now kind of reaching out and finding different ways that they can sell. So recently in the news, or maybe not recently, this is a couple of years ago actually: FinSpy, which was FinFisher, that was a German company. The German government used it, our government I believe used it, many governments used it, right. Well, they kind of crossed the
line, we could say that, right? They started basically selling through an intermediary, and they got caught selling to sanctioned countries to try and boost their revenue, and they were caught for that, and the Germans actually arrested them, which is quite interesting. So yeah, but it is now, it's like, I mean, Harvey Weinstein, right? How should he have access to this stuff? That's kind of crazy. Thank you. Well, yeah, I'm just wondering, I saw your last demo... yep, yep, yep.
Yep, but it's actually pretty easy, because you just script the whole thing, right? So once you have your privilege escalation, which is what the CSVs specialize in, from there that's just a really basic exploit on the phone. That's why I just kind of wanted to show how easy it was going through it manually; to script that would take nothing, and then from there they would just exfiltrate that key with the rest of the package, which is quite scary. Okay, I think after the break you will... yes, yes, you can come up and ask questions for sure. Yeah, I also have many questions. That's good. Yeah, thank you so much for this wonderful
presentation. I actually grabbed so much, and I leave everyone... thank you, thank you so much.