This post is a summary of eight major research reports released by the Citizen Lab in 2016 which received substantial national and international media coverage.
The “One App, Two Systems” report, released in November, outlined the censorship mechanisms at play in the popular Chinese social media platform WeChat. The app was found to enable keyword censorship only for users with registered mainland China phone numbers, and the censorship persisted even if these users linked to an international phone number. WeChat’s internal browser blocks China-based accounts from accessing a range of websites including gambling, Falun Gong, and media that report critically on China. Websites that are blocked for China accounts were fully accessible for International accounts (with intermittent blocking of some), indicating that international censorship used a separate system from the Chinese domestic one. The report was covered in the Globe and Mail.
In tandem with CIPPIC Staff Lawyer Tamir Israel, Research Associate Christopher Parsons authored a report examining the use of IMSI Catchers, a class of surveillance devices used by Canadian state agencies. They are used to intercept communications from mobile devices, to identify otherwise anonymous individuals with their devices, and to track them. The report noted that the intrusive nature of IMSI Catchers means that they pose a worrying threat to privacy. After exploring the regulatory environment for their use and their technical capacities, the report concludes by setting out best practices for a framework with better legal safeguards for user privacy. Read coverage of the report via the Globe and Mail.
In August, Citizen Lab researchers published a report titled “Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender.” This report investigated malware exploits sent to internationally recognized human rights defender Ahmed Mansoor. Mansoor received SMS text messages on his iPhone promising “new secrets” about detainees tortured in United Arab Emirates’ (UAE) jails if he clicked on an included link. Instead of clicking, Mansoor sent the messages to Citizen Lab researchers, who recognized the links as belonging to an exploit infrastructure connected to NSO Group, an Israel-based “cyber war” company that sells Pegasus, a government-exclusive “lawful intercept” spyware product. NSO Group is reportedly owned by an American venture capital firm, Francisco Partners Management. If infected, Mansoor’s phone would have become a digital spy in his pocket, capable of employing his iPhone’s camera and microphone to snoop on activity in the vicinity of the device, recording his WhatsApp and Viber calls, logging messages sent in mobile chat apps, and tracking his movements. Apple immediately released security updates that patched the vulnerabilities identified in the report. Read Citizen Lab Director Ron Deibert’s blog post on this report.
“Group 5: Syria and the Iranian Connection,” another report released in August, described an elaborately staged malware operation with targets in the Syrian opposition. We named the operator Group5, and suspect they have not been previously reported. Group5 used “just enough” technical sophistication, combined with social engineering, to target computers and mobile phones of well-connected individuals in the Syrian opposition with malware. The report was covered in an exclusive release with the Associated Press, and Ron Deibert offered further comment in a blog post and an op-ed for the Washington Post.
In another study, researchers discovered the presence of malware attacks coordinated by a sophisticated operator against Emirati journalists, activists, and dissidents. The software, dubbed “Stealth Falcon” by Citizen Lab researchers, was explored in the report titled “Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents.” The report was produced after a spyware-laden email sent to Rori Donaghy, a UK-based journalist covering the UAE government, was analyzed by researchers. Circumstantial evidence suggested a link between Stealth Falcon and the UAE government. Ron Deibert commented on the report in a blog post.
In March, we released another report outlining concerns with browser security, this time with QQ Browser, a free web browser for multiple platforms developed by Chinese firm Tencent. Our research showed that both Windows and Android versions of the application transmit personally identifiable data with weak or non-existent encryption, and do not adequately protect the software while it undergoes the update process. The report, titled “WUP! There It Is: Privacy and Security Issues in QQ Browser,” was also discussed by Citizen Lab Director Ron Deibert in a blog post.
In February, a report on Baidu Browser, titled “Baidu’s and Don’ts: Privacy and Security Issues in Baidu Browser,” uncovered key vulnerabilities in the Windows and Android versions of the software. Researchers pointed out that the application transmits personal user data to Baidu servers without encryption or with easily decryptable encryption, and is vulnerable to arbitrary code execution during software updates via man-in-the-middle attacks. Much of the data leakage is the result of a shared Baidu software development kit, which affects hundreds of additional applications.
Earlier that month, Citizen Lab partner Open Effect published a report comparing the privacy and security protections of various wearable fitness trackers and their accompanying mobile applications. The report, titled “Every Step You Fake: A Comparative Analysis of Fitness Trackers,” found that seven out of the eight fitness trackers studied emitted persistent, unique identifiers (Bluetooth Media Access Control addresses) that can expose their wearers to long-term tracking of their location when the device is not paired with, and connected to, a mobile device. Read Ron Deibert’s blog post on the report.