This post is a summary of six major research reports released by the Citizen Lab in 2016 which received substantial national and international media coverage.
Citizen Lab researchers published in August a report titled “Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender.” This report investigated malware exploits sent to internationally recognized human rights defender Ahmed Mansoor. Mansoor received SMS text messages on his iPhone promising “new secrets” about detainees tortured in United Arab Emirates’ (UAE) jails if he clicked on an included link. Instead of clicking, Mansoor sent the messages to Citizen Lab researchers, who recognized the links as belonging to an exploit infrastructure connected to NSO Group, an Israel-based “cyber war” company that sells Pegasus, a government-exclusive “lawful intercept” spyware product. NSO Group is reportedly owned by an American venture capital firm, Francisco Partners Management. If infected, Mansoor’s phone would have become a digital spy in his pocket, capable of employing his iPhone’s camera and microphone to snoop on activity in the vicinity of the device, recording his WhatsApp and Viber calls, logging messages sent in mobile chat apps, and tracking his movements. Apple immediately released security updates that patched the vulnerabilities identified in the report. Read Citizen Lab Director Ron Deibert’s blog post on this report.
“Group 5: Syria and the Iranian Connection,” another report also released in August, described an elaborately staged malware operation with targets in the Syrian opposition. We named the operator Group5, and suspect they have not been previously reported. Group5 used “just enough” technical sophistication, combined with social engineering, to target computers and mobile phones of well-connected individuals in the Syrian opposition with malware. The report was covered in an exclusive release with the Associated Press, and Ron Deibert offered further comment in a blog post.
In another study, researchers discovered the presence of malware attacks coordinated by a sophisticated operator against Emirati journalists, activists, and dissidents. The software, dubbed “Stealth Falcon” by Citizen Lab researchers, was explored in the report titled “Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents.” The report was produced after a spyware-laden email sent to Rori Donaghy, a UK-based journalist covering the UAE government, was analyzed by researchers. Circumstantial evidence suggested a link between Stealth Falcon and the UAE government. Ron Deibert commented on the report in a blog post.
In March, we released another report outlining concerns with browser security, this time with QQ Browser, a free web browser for multiple platforms developed by the Chinese firm Tencent. Our research showed that both the Windows and Android versions of the application transmit personally identifiable data with weak or non-existent encryption, and do not adequately protect the software update process. The report, titled “WUP! There It Is: Privacy and Security Issues in QQ Browser,” was also discussed by Citizen Lab Director Ron Deibert in a blog post.
In February, a report on Baidu Browser, titled “Baidu’s and Don’ts: Privacy and Security Issues in Baidu Browser,” uncovered key vulnerabilities in the Windows and Android versions of the software. Researchers pointed out that the application transmits personal user data to Baidu servers without encryption or with easily decryptable encryption, and is vulnerable to arbitrary code execution during software updates via man-in-the-middle attacks. Much of the data leakage is the result of a shared Baidu software development kit, which affects hundreds of additional applications.
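The update weakness named in the QQ Browser and Baidu Browser reports is the same one: an update fetched over a plaintext channel and executed without any integrity check lets an on-path attacker substitute code. The following added example (not code from either report, from Tencent or from Baidu) contrasts that weak pattern with a hardened one that refuses non-TLS transport and verifies a pinned SHA-256 digest before anything runs. The payloads, the digest and the update URL are constructed for the example; in a real client the digest would come from a vendor-signed manifest.

```python
import hashlib
import hmac

# Constructed sample payloads (not from either report): the vendor's genuine
# update and a copy modified in transit, as an on-path attacker could do to a
# plaintext download.
GENUINE_UPDATE = b"#!/bin/sh\necho 'installing browser update 1.2.3'\n"
TAMPERED_UPDATE = GENUINE_UPDATE + b"echo 'attacker-controlled command runs here'\n"

# Assumed: the client ships with (or fetches over an authenticated channel) the
# vendor's SHA-256 digest of the update. Here it is computed from the
# constructed genuine payload so the example runs offline.
PINNED_DIGEST = hashlib.sha256(GENUINE_UPDATE).hexdigest()

# Constructed update URLs for the example.
TLS_URL = "https://updates.example.invalid/browser"
PLAINTEXT_URL = "http://updates.example.invalid/browser"


class UpdateRejected(Exception):
    """Raised when an update fails the transport or integrity check."""


def simulate_install(payload: bytes) -> str:
    """Stand-in for executing the installer: reports how many shell commands
    (non-comment lines) the payload would run."""
    commands = [ln for ln in payload.decode().splitlines() if not ln.startswith("#")]
    return f"would execute {len(commands)} command(s)"


def install_update_unverified(payload: bytes) -> str:
    """Weak pattern: whatever bytes arrived over the network get executed."""
    return simulate_install(payload)


def transport_is_acceptable(url: str) -> bool:
    """Updates must travel over TLS; plaintext HTTP lets an on-path attacker
    rewrite the payload unnoticed."""
    return url.lower().startswith("https://")


def install_update_verified(payload: bytes, expected_digest: str, url: str) -> str:
    """Hardened pattern: refuse plaintext transport, then verify the payload's
    digest against the pinned value before anything is executed."""
    if not transport_is_acceptable(url):
        raise UpdateRejected(f"refusing plaintext update transport: {url}")
    actual = hashlib.sha256(payload).hexdigest()
    # Constant-time comparison so the check leaks nothing about how many
    # digest characters matched.
    if not hmac.compare_digest(actual, expected_digest):
        raise UpdateRejected("update digest mismatch; payload rejected")
    return simulate_install(payload)


if __name__ == "__main__":
    print("unverified, tampered:", install_update_unverified(TAMPERED_UPDATE))
    print("verified, genuine:   ", install_update_verified(GENUINE_UPDATE, PINNED_DIGEST, TLS_URL))
    for label, payload, url in (("tampered", TAMPERED_UPDATE, TLS_URL),
                                ("plaintext", GENUINE_UPDATE, PLAINTEXT_URL)):
        try:
            install_update_verified(payload, PINNED_DIGEST, url)
        except UpdateRejected as exc:
            print(f"verified, {label}:", exc)
```

The unverified path happily reports two commands for the tampered payload; the verified path runs the genuine update and rejects both the tampered copy and any attempt to fetch over plain HTTP. A digest pinned in the client only protects one release, which is why production updaters verify a signature over a version manifest instead.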
Earlier that month, Citizen Lab partner Open Effect published a report comparing the privacy and security protections of various wearable fitness trackers and their accompanying mobile applications. The report, titled “Every Step You Fake: A Comparative Analysis of Fitness Trackers,” found that seven out of the eight fitness trackers studied emitted persistent, unique identifiers (Bluetooth Media Access Control addresses) that can expose their wearers to long-term location tracking whenever the tracker is not paired with and connected to a mobile device. Read Ron Deibert’s blog post on the report.
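What makes a Bluetooth address a persistent identifier is its type: the Bluetooth Core Specification (Vol 6, Part B, section 1.3) distinguishes public and static random addresses, which never change, from resolvable and non-resolvable private addresses, which rotate. The added example below (not code from the Open Effect report) classifies an advertised address from its top two bits and the advertiser's random/public flag, then scans a constructed log of two sighting sessions for addresses that recur, which is exactly the linkability the report warns about. The observation log, dates and addresses are all constructed.

```python
# Address-type rules per Bluetooth Core Specification, Vol 6, Part B, 1.3:
# a public (IEEE-assigned) address is always stable; for a random address the
# two most significant bits select static (0b11), resolvable private (0b01)
# or non-resolvable private (0b00). Only the private kinds rotate.
PERSISTENT_KINDS = {"public", "random static"}


def classify_address(addr: str, random_flag: bool) -> str:
    """Return the kind of a 48-bit address written as XX:XX:XX:XX:XX:XX,
    given the advertiser's random/public flag (TxAdd in the advertising PDU)."""
    octets = addr.split(":")
    if len(octets) != 6:
        raise ValueError(f"malformed address: {addr}")
    msb = int(octets[0], 16)  # first octet printed is the most significant
    if not random_flag:
        return "public"
    top_bits = msb >> 6
    return {0b11: "random static",
            0b01: "resolvable private",
            0b00: "non-resolvable private"}.get(top_bits, "reserved")


def is_trackable(addr: str, random_flag: bool) -> bool:
    """True when the address will still identify the device next week."""
    return classify_address(addr, random_flag) in PERSISTENT_KINDS


# Constructed scan log (not the report's data): (session, address, random_flag)
# for two passive scan sessions a week apart at the same location.
OBSERVATIONS = [
    ("2016-01-04", "C4:12:34:56:78:9A", True),   # random static: top bits 11
    ("2016-01-04", "4A:00:11:22:33:44", True),   # resolvable private: top bits 01
    ("2016-01-04", "00:11:22:33:44:55", False),  # public address
    ("2016-01-11", "C4:12:34:56:78:9A", True),   # same static address again
    ("2016-01-11", "5F:99:88:77:66:55", True),   # a fresh resolvable private address
    ("2016-01-11", "00:11:22:33:44:55", False),  # same public address again
]


def persistent_identifiers(observations):
    """Addresses seen in more than one session: the identifiers that let an
    observer link a wearer across sightings."""
    sessions = {}
    for session, addr, _flag in observations:
        sessions.setdefault(addr, set()).add(session)
    return sorted(addr for addr, seen in sessions.items() if len(seen) > 1)


if __name__ == "__main__":
    for session, addr, flag in OBSERVATIONS:
        print(session, addr, classify_address(addr, flag))
    print("linkable across sessions:", persistent_identifiers(OBSERVATIONS))
```

A tracker that advertises a resolvable private address and rotates it (the usual interval is around fifteen minutes) drops out of the second session's list even if the same wearer walked past; the static and public addresses are the ones that recur. That is the property to check when assessing a wearable's tracking exposure.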