Citizen Lab senior researcher Bill Marczak said that while the organization has achieved some important wins against spyware proliferation, the progress is inevitably hindered by vendors that continually adapt their technologies and practices.
During the keynote at SANS Cyber Threat Intelligence Summit on Monday, Marczak led the session titled "Cybersecurity Is Geopolitical: Lessons From the Fight Against Mercenary Spyware Proliferation," where he discussed the attack surface, evolving technologies and potential mitigations. The Citizen Lab at the University of Toronto's Munk School has become one of the foremost authorities on commercial spyware and surveillance technology for mobile devices.
Marczak emphasized that defending against the threat, which governments commonly use to target human rights activists and journalists, is increasingly challenging and requires government regulations.
One of the main challenges Citizen Lab faces, he said, is vendors constantly adapting and changing tactics to allow the continuation of spyware use. NSO Group was one significant spyware player he highlighted, known for developing the Pegasus spyware used against U.K. government officials in 2022.
Marczak stressed that spyware doesn't work without the vendors' continuous support.
"What really drives the proliferation is the fact that the technology is packaged along with this service and updates and support. And it's this whole package rather than just the technology which is really allowing governments with potentially not very good technical expertise [to use] these incredible capabilities," Marczak said during the keynote.
The problem of commercial spyware, he said, goes back many years. In 2014, for example, a hacker leaked files allegedly stolen from Gamma Group International, a surveillance software vendor behind the FinFisher spyware product. The leaked data showed that FinFisher interacted with customers to troubleshoot and helped users circumvent security precautions to deploy the spyware on targeted victims.
Such support is crucial, Marczak said, because it would be "suboptimal" if a customer bought spyware and then antivirus programs detected it on mobile devices, rendering the product unusable. Therefore, the spyware vendors must be on hand to aid customers in their attempts to target specific individuals and bypass security features while remaining undetected.
Although spyware is marketed for use against criminals and terrorists, Marczak said it's often abused for political purposes. Commercial spyware vendors will look the other way, claiming that they only provide a service and that "any service can be abused."
That's where mercenary spyware comes in, Marczak said. Arguably the most significant case of abuse occurred in 2018 when NSO Group's Pegasus was linked to the murder of Saudi journalist Jamal Khashoggi. A lawsuit filed by Khashoggi's widow claimed that the Saudi government and NSO Group deployed spyware to intercept her husband's communications. While the lawsuit was later dismissed in 2022, a forensics investigation revealed Pegasus infections on the mobile phones of Khashoggi's associates.
"It's not just 'sell a product and forget it.' It's ongoing support, ongoing maintenance, without which the product is essentially useless," Marczak said. "There's a whole industry of companies that make up the mercenary spyware network."
Citizen Lab investigations often involve tracking NSO spyware through IP address scans and fingerprinting. In one investigation, when Citizen Lab made progress, NSO Group changed its servers to return a blank response, which made it more difficult for Citizen Lab to fingerprint. The back and forth went on for years, but more recently, Marczak said, Citizen Lab discovered a way to fingerprint and enumerate NSO Group servers despite the "extreme measures" enacted by the spyware vendor.
Mobile forensic challenges
Another challenge with spyware vendors is how they assist customers in circumventing precautions that the target is taking on their own or protections that are built into users' devices. A lawsuit Apple filed against NSO Group in 2021 showed how widely iOS devices are targeted.
Mobile forensics plays an important role in Citizen Lab's research. Targets receive SMS messages with links to spyware vendors' infrastructure, which Citizen Lab analyzes. The process involves obtaining logs and looking for "implausible artifacts" or suspicious activity. Then, researchers determine if that artifact is related to commercial spyware.
Marczak emphasized the importance of log analysis in the spyware fight. However, he also warned that demonstrating forensic methodology can hinder Citizen Lab's progress. For example, commercial spyware vendors aren't the only companies to change their technology or practices.
"Amnesty International had an interesting feature in their [forensic] tool that would process a particular file on the iPhone, which contained a list of all iCloud accounts that had ever interacted with the device," he said. "Once it was publicized, the next version of iOS conspicuously removed the feature, preventing users from doing it. You have to be careful with what you talk about with mobile forensics -- not only because of the threat actors, but the device manufacturers."
Another significant threat to mobile devices is zero-click exploits, which require no user interaction for attackers to deploy spyware. While Marczak said Citizen Lab research often "burns" zero-click exploits by disclosing them publicly, attackers are always coming up with new ones, or OS changes allow new ones to emerge. He referred to it as an "endless pipeline" full of sophisticated exploits.
Pegasus is one example of spyware that uses zero-click exploits for Android or Apple devices. An exploit dubbed "ForcedEntry" allowed Pegasus customers to infect targeted devices through Apple's iMessage service. In the 2021 lawsuit, Apple claimed that the zero-click exploit was used to spread spyware through its servers. Though Apple developed the BlastDoor sandbox to protect iMessage from zero-click attacks, Marczak said NSO later discovered a way around it.
Rather than attempting to burn individual exploits, Marczak said, the focus should be on reducing and even eliminating attack surfaces altogether. "It doesn't hurt to have a mitigation or sandbox, but attackers adapt. Markets for these tools adapt," he said.
Recommendations for the long run
Mobile technology companies have made some progress in curbing the spyware threat. One successful development was Apple's Lockdown Mode feature, released in 2022 with the iOS 16 upgrade. The feature blocks attacks from anyone who isn't a contact of the device's owner. Though victims can still be targeted, Marczak said it prevents many types of spyware infections. He also hoped Apple would make Lockdown a standard feature instead of an optional one, since it's more effective than burning individual zero-click exploits.
Marczak said another effective mitigation, at least in some aspects, was the implementation of threat notifications. In response to ForcedEntry in 2021, Apple started sending out notifications to warn users if they were targeted by mercenary spyware and nation-state threats. Notifications were sent to thousands of people in more than 150 countries, Marczak noted.
Marczak said the feature was "shocking" when it emerged, even to NSO. "We never saw any deployment of ForcedEntry after this," he said. "It seemed like they were distancing themselves from ForcedEntry."
To prevent spyware proliferation, Marczak said the "answer lies in policy and regulation." Recent government actions have shown some success in the fight against spyware. For example, he cited the Biden administration's 2021 ban on the purchase and use of NSO products within the U.S.
Based on conversations he's had with cybersecurity professionals, Marczak said such government actions appear to be a strong deterrent. But he warned that those efforts aren't set in stone.
"These have been sort of positive steps, but remember that any step which can be undertaken with a stroke of a pen can be reversed by a stroke of the pen," he said. "We need to develop more enduring tactics to go after the proliferation of these tools."
Arielle Waldman is a Boston-based reporter covering enterprise security news.