Decipher Security Podcast
The editors of Decipher talk with a rotating cast of security practitioners, researchers, and executives about a variety of topics in the security and privacy fields.
Ron Deibert
For more than 15 years, the Citizen Lab at the University of Toronto has been doing groundbreaking research into a variety of security, privacy, and civil liberties threats. Ron Deibert, the founder and director of the lab, joins Dennis Fisher to talk about the team's origins, its work uncovering GhostNet and other cyberespionage operations, and the current work investigating surveillance vendors such as NSO Group and others.
Speaker 1: Welcome to the Decipher Podcast. My guest today is Ron Deibert, who is the director of the Citizen Lab at the University of Toronto. Ron, thanks very much for joining me today.
Speaker 2: My pleasure. Thanks for having me.
Speaker 1: So I think a lot of people in the security community have a pretty basic familiarity with Citizen Lab and what you guys do. But maybe let's start out with a little bit of background on the type of research that Citizen Lab does and how you all got started.
Speaker 2: Sure. So Citizen Lab is a research lab. I'm a professor at the University of Toronto, so we're an academic organization. We do research on digital security, but we don't cover the entire terrain. As you're more aware than anyone, cybersecurity is a very big topic. There's not a day that goes by without some story in the news about some aspect of it. We don't cover all of that. Instead, we focus in on digital security issues that arise out of human rights concerns. We're not an advocacy group or an activist group, but we do narrow our focus to questions that are related to human rights considerations. So to give you an example, while we are interested in cyber espionage, our principal interest around that is not cyber espionage for its own sake. It's to look at how cyber espionage may affect global civil society, such as human rights defenders, nongovernmental organizations, journalists and others. The main character of the Citizen Lab is our mixture of methods. I am an international security person by background and training, but at Citizen Lab we leverage skills, methods and techniques from many different disciplines, especially computer science and engineering science. A lot of our work starts with technical work that's done by very skilled computer scientists and engineers. And I guess, you know, if I had one good idea in terms of setting up the lab, it was to recognize that there were these methods and skills from these other disciplines that could be used to effectively dig deep into the technological world that surrounds us and unearth things that powerful actors wouldn't want to be exposed. And I think we've done that pretty successfully over the last 15 years or so.
Speaker 1: Yeah. I think Citizen Lab was the first one I can remember having that kind of mix of folks on the research team, at least in my experience. But now you see certainly more institutions, and even private organizations, that have these interdisciplinary teams looking at specific security areas, whether it's cyber espionage or other aspects of it. So it seems like you folks have had an influence in that way, for sure.
Speaker 2: Yeah. In fact, arguably we published the first evidence-based public report on cyber espionage with the GhostNet report. We were part of the team that worked on that. Before GhostNet came out, there really wasn't much of a threat intelligence industry to speak of, or at least one that was constituted the way it is now. So after GhostNet came out, it became very common, first of all, for threat intelligence companies to publish those types of reports. And also a byproduct of us naming the operation and the actor GhostNet was that it became almost essential for any type of threat intelligence report to name the operators or the malware, and it's become kind of de rigueur to do that now.
Speaker 1: Oh yeah. I can remember very clearly when that report came out. I think I was at a family Easter celebration and somebody texted me and said, "Hey, have you seen this?" And I went and read it. I was like, "Oh my God." I probably spent an hour digging through it until somebody came and got me and said, "Do you want to come back out here?" I don't know, this was more interesting than the discussions that were going on out there. Right.

So yeah, I wanted to dig a little bit into your work in the WhatsApp/NSO research, which is the most recent stuff you guys have been involved in, at least in the targeted threat security world. And this all came back to light a couple of weeks ago when WhatsApp/Facebook decided to file a suit against NSO Group, which is a maker of, however you want to term their stuff, spyware, lawful intrusion, lawful intercept surveillance software, that is very well known, slash infamous, in the security industry. And a lot of this goes back to research that you guys did earlier this year. Give us a little bit of background on the vulnerability that was being exploited and how you guys got involved in assisting in that investigation.
Speaker 2: Sure. So actually, one needs to go back a bit further. I would actually say this is part of a trajectory that even goes back to GhostNet. We started looking at cyber espionage against civil society, and those early reports, GhostNet and others like them, were mostly focused on state actors, looking at the techniques they used to undertake cyber espionage. And I guess, beginning around 2011, 2012, we started noticing that there was this new industry developing, the market for commercial spyware. I can clearly remember when I first came across this; what it looked like to me were companies that were packaging malware and branding it as a product and a service. And very quickly this market proliferated, especially around the time of the Snowden disclosures, which I think ironically acted as a bit of a blueprint, a kind of catalog, for states in terms of what they could be doing in cyberspace and maybe weren't. This industry started to spread. So we started looking more carefully at the industry, examining espionage campaigns against human rights defenders and journalists that involved spyware from different companies like Hacking Team, FinFisher and others. And naturally we were led to NSO Group because, beginning around 2015, 2016, I think they really started to emerge as a significant player. And we had been tracking some of their infrastructure. As we were looking at a campaign emanating from the United Arab Emirates, which turned out to be a company called DarkMatter (we didn't know it at the time), we published a report called Stealth Falcon. And in that report, as we were doing the research, we came across some of the infrastructure of NSO Group. It wasn't until August of 2016 that we encountered their spyware, called Pegasus.

This came as a result of a human rights defender in the UAE, Ahmed Mansoor, receiving text messages that contained links to NSO Group's infrastructure. He shared those with us and we loaded them onto an iPhone in a laboratory setting, effectively infected our own device, and got a copy of the Pegasus spyware. So from August 2016 right up to the present time, we have been monitoring NSO's infrastructure, looking at attacks as we come across them from various targeted individuals. I guess the biggest of them were the Mexican case, where we saw more than two dozen targets and widespread abuse of NSO's product offerings in that country context, and then Omar Abdulaziz, a Saudi dissident who emigrated to Canada after fleeing Saudi Arabia in 2014. He had his phone hacked by Saudi intelligence using Pegasus. And of course he ended up being, and we didn't know it at the time, a very close confidant of the murdered journalist Jamal Khashoggi. After those reports came out in 2017, 2018, targets initiated legal action against NSO. And in the spring of 2019, a lawyer representing some of those targets in those litigation cases reported to us that his phone was evincing some disturbing, questionable characteristics. He would be receiving dropped phone calls from odd phone numbers. We had heard rumors in the security community that NSO had developed a very sophisticated iteration of their attack technology. And so we got in touch with WhatsApp's security team. They were already on the case investigating this and discovered that this exploit involved no-click targeting. In other words, all the operators had to do was simply ring up a phone number, and the malware would take advantage of a flaw in the handshake for the initiation of the phone call over WhatsApp to effectively install the next phase of the malware and take over the device.

So in May, as I said, we got in touch with the WhatsApp security team. They issued a patch, and from May until October, Citizen Lab volunteered to do research on the dataset that they'd provided to us.
Speaker 1: That whole series of events is kind of incredible when you think about the sophistication and capabilities that that kind of spyware has. You know, as you mentioned, not just no-click, but all you would see is a missed call on your device. You didn't have to answer the call. There was no user interaction required. That's all that it took, and your device is infected with this spyware that the victim would clearly have almost no way of discovering. Right?
Speaker 2: Exactly. As I described it at the time when we first encountered it, to me it was like the nuclear option of spyware. There really is no meaningful defense for such an exploit.
Speaker 1: And the targets of these kinds of operations are, as you mentioned earlier, almost always people in at-risk groups, you know, civil rights defenders, political activists, sometimes journalists, possibly in countries with repressive regimes where they don't have a lot of defense mechanisms available to them.
Speaker 2: Yeah. Well, it was interesting for us because we had a great opportunity here, and again, it's important to understand we're academics, right? And so this was an important dataset for us, a very unique window, a snapshot into a set of targets that NSO's clients would be going after. And it offered a rare opportunity for us to essentially test our claims about abuse. So, you know, we can't see everything that all of the clients of NSO are doing with NSO's technology. We see victims here and there. We see infections checking in. We don't always know who the targets are when it comes to the network scanning that we do. And when we find targets, we don't know whether these exhaust all of the targets in a particular country. So we have had, up until now anyway, a kind of limited window from different angles into NSO's operations and how clients use the spyware. This case offered a really rare snapshot, a kind of window. We had a set of data covering targeting for two weeks. And all we had from WhatsApp, that they agreed to share with us, were phone numbers. So, with the phone numbers in hand, we then did essentially a kind of open source contextual research to associate names with the phone numbers and occupations with the names, and try to get a better sense of who precisely was being targeted. As WhatsApp has acknowledged in their public statements, in total during that two-week period there were around 1,400 targets in more than 20 countries, of which we were able to determine more than a hundred were clearly abuse cases. In other words, NSO and other companies like it market their spyware publicly as a way to assist governments in fighting crime or terrorism, right? Yes, there are going to be a number of clients that will use it in that narrow way.

But unfortunately, the world being what it is, there are numerous governments that lack accountability or oversight. There's widespread corruption and human rights problems that would lead them to abuse how the spyware is being deployed. And this case certainly bore that out. So we saw more than a hundred targets across 20 countries that by any reasonable person's definition are not criminals or terrorists. These are journalists, these are lawyers, women who are facing extortion, and others.

Speaker 1: And that's, you know, part of the issue with this kind of powerful surveillance software, is that once it's out of the can, there's very little that the manufacturers, no matter how scrupulous they may be, can do to control what the customers are doing with it. Right?

Speaker 2: That's exactly right. It's a structural problem, if you will. So you have this marketplace and companies like NSO Group, and I don't believe that NSO is being authentic when they make claims about controlling how their products are used, because frankly, I've seen so many cases of widespread abuse, even after we've reported them. So I just don't believe that they have the capability or the will to properly control how their technology is being deployed. There may be other companies out there, I'm sure, that are more professional, that have more integrity or whatever, but it really doesn't matter because the issue is structural. There is no legal constraint at an international level on how these technologies are deployed. Some people say, well, can't there be export controls? Well, the fact of the matter is the government of Israel controls the export of NSO's technology. All of NSO's sales have to be licensed through the Israeli Ministry of Defense.

And it may be the case that they're gaining some benefit by having NSO export to certain countries, a kind of value added when it comes to their own visibility into geopolitical issues, that comes as a byproduct of having an Israeli company service the security services of those states. So in the absence of any safeguards, naturally you're going to see widespread abuse. And that's what we're doing in terms of the research: raising awareness that this is a critical issue.

Speaker 1: Yeah, it certainly is. And it was really interesting to me to see the step that Facebook and WhatsApp took to file an actual lawsuit over this. And you know, in the absence of meaningful controls or regulation, I wonder if you anticipate other organizations that are somehow involved taking that same step.

Speaker 2: Well, I hope so. That would be encouraging. I do think it is a very significant step that Facebook has taken here. You know, given the absence of any international controls and the unlikely prospect of governments doing anything to change that, it really leaves only some kind of litigation, or maybe some kind of class action lawsuit, or efforts like this. So, you know, when NSO is undertaking its service offering, it's actually piggybacking off of a lot of infrastructure and enabling governments, and operators that use their technology, to effectively violate local laws. And what we need to do is actually encourage various stakeholders to prevent that from happening, or to punish the offenders when it does happen. So I hope that this serves as an important lesson or model for other companies to follow. And I do think that the companies have a duty of service to their users to protect them from this sort of abuse. And maybe, with the Facebook suit, it will create some momentum around doing something about the harms that were documented.
Speaker 1: I wonder how much of an issue the kind of duality is between law enforcement agencies and intelligence agencies using this kind of software, and us expecting law enforcement agencies to possibly prosecute misuses of the software. It's kind of a conundrum, probably, in some cases.

Speaker 2: Well, I think you're definitely correct that law enforcement is one of the client sectors that companies like NSO are actively targeting. And there might be a kind of contradiction there. I think when it comes to the use of technology like NSO's by signals intelligence agencies, that may be one of the reasons why some governments are reluctant to get into this area in terms of controlling it, because it opens up a Pandora's box that they'd rather keep closed. You don't want to initiate a public discussion about particular uses of spyware; it might lead down a path that opens up other things that you don't want being publicly discussed. So I understand where the political constraints come from. However, I think that there are a lot of people, in my experience, working for, say, the Department of Justice in the United States or other law enforcement agencies in other countries, who take their mission very seriously and want to make sure that they pursue criminal offenses when they can, and certainly we're seeing criminal offenses emanating from the use of this technology. So I'm optimistic that we can, along with others, encourage more of this to happen.
Speaker 1: There are definitely a few legislators and other public figures here in the U.S. that have [inaudible] begun to dig into this kind of thing. It'll be interesting to see how much farther it goes. Ron, in terms of individual folks that might be potential targets or victims for this kind of targeted surveillance software, do you folks at the Citizen Lab get involved much in trying to help them out, advising them, giving them resources and tools to defend themselves?
Speaker 2: It's not a principal part of what we do. In fact, the opposite. We have a disclaimer that we often have to send to people explaining that we're not a service organization. We don't take walk-ins. We're very much an academic research group. You know, anyone that we mention publicly who is a patient zero, if you will, including people like Omar Abdulaziz or Ahmed Mansoor, the people that I mentioned, they are signed up as part of a research ethics protocol that goes through an institutional review board at the University of Toronto that ensures their confidentiality and anonymity and protects their privacy. So we have all sorts of very important constraints about how we interact with the public. And the analogy might be, you know, if someone has a cold, they don't go to a research group at a university to try to get help for it. Those are the people that are doing the studies and trying to investigate how diseases propagate and what the methods are to mitigate them. You go to the clinic or to your family doctor. The problem in this area is that there are so few resources, frankly, out there to help the average person. So we recognize that, and we don't want to just slough it off. We try our best. So first of all, we developed this resource called Security Planner that I'd recommend everyone take a look at. If you just Google "Security Planner," you'll see that it's a resource, a portal, that asks a visitor a number of questions about their use of digital technologies and what their concerns are, and they're given a series of recommendations that come from a group of digital security experts. So they're peer reviewed, in other words, and people affirm to us that it's a quite useful resource. We also put out some special instructions that WhatsApp communicated to all of the targets as to what to do in this particular case.

And so those instructions are on our website. The reality is, when it comes to this level of sophisticated spyware, it's very difficult to determine whether you've been hacked in the past. You know, even our own research is looking at essentially artifacts of targeting. So maybe we'll discover a text message that includes a link to the infrastructure. It's very rare that we will actually be able to open up a device and determine 100% that this device was hacked with Pegasus or some other spyware, because the spyware itself is constructed in a way to evade antivirus detection, to evade forensic analysis, and even to silently self-destruct. So it's hard for researchers like us to actually get ahold of the thing at the center of this.
Speaker 1: Yeah, that seems like one of the foundational problems of this area. So, I know you have a bunch of partnerships with security vendors and independent researchers. How much do you rely on them to bring you that kind of information?
Speaker 2: Well, you know, one of the things I recognized about a decade ago, honestly, was that it would be very hard for me as a professor at a university to sustain a lab with talented people who can remain here for an indefinite period of time. It's just not the right model. You have researchers, maybe they come through for a period of time and then they go, and you may have a small number of full-time staff that you can retain as employees. I've been very fortunate to have a core group of very talented people who have stuck with me, some of them for as long as 10 years. But then I had to come up with a hack, if you will. And that was where I was able to encourage people to participate in Citizen Lab research as visiting or remote fellows. So we have a number of people who work for threat intelligence companies who, with the agreement of their employers, spend maybe 10% or 20% of their working time, or even time outside of their work, assisting us with research and analysis. And needless to say, this allows us to punch above our weight and benefit from the extraordinary expertise of some of the people working for these companies.
Speaker 1: Yeah, I think that's one of the advantages that you discovered, you know, that you have that core group of external folks who can act as outside experts, and it allows them to have other jobs and
Speaker 2: Exactly. And I can't compete when it comes to salaries, and, you know, we try to have a nice work environment, but I can't afford to put out free M&M's and things like that. So what do we have to offer? Honestly, it's really the fact that a lot of people deeply care about these issues. They recognize that civil society broadly is being threatened, and their normal environment is not set up in such a way that they can really go after those types of cases. The revenue models of threat intelligence companies obviously focus on lucrative clients. Well, a lone journalist working in East Africa is not going to be a profitable client for one of these threat intelligence companies. And that leaves us, right? We're filling in this gap. And I think my experience is that people who work in the threat intelligence community really get it. They care about it and they want to do something about it, and we can offer them an outlet to undertake that type of very important, consequential work.

Speaker 1: Yeah, it's incredibly important work, and I'm really glad that you folks are still at it after, as you said, 15 or so years, Ron. And again, I know you're super busy, and thank you very much for taking your time to talk with me today. I know you've got classes and all kinds of other work to get to, so I really appreciate it.

Speaker 2: Thanks a lot, and good luck with your podcast.

Speaker 1: Thanks very much, Ron. Take care.