The 9th USENIX Workshop on Free and Open Communications on the Internet (FOCI ’19) assembles researchers from technology, law, and policy to address topics related to the free flow of digital communications. This year, Citizen Lab researchers will present on issues ranging from WeChat image filtering to the methodologies used for identifying commercial spyware abuses.
Wednesday, August 14, 2019 – 10:30 am–12:00 pm
Ruohan Xiong and Jeffrey Knockel
WeChat, the most popular social media platform in China, has over one billion monthly active users. China-based users of the platform are subject to automatic filtering of chat messages limiting their ability to freely communicate. WeChat is one among many Chinese Internet platforms which automatically filter content using keyword combinations, where if every keyword component belonging to a blacklisted keyword combination appears in a message then it is filtered. Discovering these sensitive combinations has previously been performed by sending messages containing potentially sensitive news articles and, if the article is filtered, attempting to isolate the triggering keyword combination from the article by sending additional messages over the platform. However, due to increasing restrictions on account registration, this testing has become decreasingly economical. In order to improve its economy, we analyzed the algorithm previously used to extract keyword combinations from news articles and found large areas of improvement in addition to subtle flaws. We evaluate multiple approaches borrowing concepts from group testing literature and present an algorithm which eliminates the aforementioned flaws and which requires on average 10.3% as many messages as the one previously used.
Wednesday, August 14, 2019 – 4:40 pm–5:30 pm
John Scott-Railton and Bill Marczak
Nation-states are increasingly abusing powerful commercial hacking and spyware tools to covertly surveil and invisibly sabotage entities they deem political threats, such as investigative journalists, human rights activists, and lawyers. Tools from companies such as EU-based FinFisher and Hacking Team, an Israel-based Cyberbit and NSO Group, allow their government clients to break into targets’ computers and phones, access private files and passwords and even spy on activity in the vicinity of the device through its webcam and microphone. In 2018, we discovered likely attempts by the Mexican Government to spy on the phones of the wife and colleagues of a slain journalist, as well as a Saudi-linked surveillance operation that infected the phone of one of Jamal Khashoggi’s close associates in the weeks leading up to his assassination.
Our identification of spyware targets is often a laborious process, driven by close work with targeted communities, and the establishment of delicate trust relationships which can take months or years to crystallize. We instruct targets to forward us suspicious links or attachments (common spyware vectors) for our analysis, and in some cases, we perform programmatic scanning of targets’ email messages and devices. After we analyze spyware samples, we can perform global Internet scanning and DNS cache probing to map out the global extent of the activity. Though our work has uncovered dozens of cases of commercial spyware abuse around the world, it also suggests that the scale of the problem is significantly broader.
Compounding the difficulty of identifying targets is a trend towards the use of unavoidable zero-day zero-click attacks which leave little or no footprint that a target can notice and flag to us for analysis. Even in cases where a target is suspicious of compromise, legal and technical hurdles may preclude us from obtaining corroborating data from device forensics or cloud platforms. Two reported cases of these zero-click attacks have been recently documented through careful journalistic work with knowledgeable sources, including a hack of BBC and Al Jazeera journalists using an iMessage vulnerability, and a hack of a human rights lawyer using a WhatsApp vulnerability. These attacks cannot be prevented by a target’s scrupulous security behaviors, such as screening suspicious messages or installing updates.
In this talk, we will illustrate the Citizen Lab methodology for identifying commercial spyware abuses, using cases from our most recent research, and highlight how developers, platforms, and fellow researchers can all help in addressing the problem of spies “going dark.” It is clear that business as usual in the commercial spyware sector threatens our freedoms of thought and action, and perhaps democracy itself. Academic research, especially that which identifies specific cases of abuse can be an effective means to create accountability in the industry, and ultimately put an end to the misuse of these powerful espionage tools for political gain.