MADRID—Continuing a theme that picked up momentum at Black Hat this summer, two influential speakers at Virus Bulletin today painted grim pictures of the threats to physical safety and civil liberties posed by commercial spyware and high-end surveillance software often sold to governments.
The call to action, the same one Facebook chief security officer Alex Stamos issued during his Black Hat keynote, was again directed at security professionals: do more with their considerable skills, share their insight into this type of technology, use their ability to thwart these threats, and spread awareness of these issues among others.
Claudio Guarnieri of Amnesty International and Daily Beast journalist Joseph Cox said in separate talks today that lives are at risk, whether from oppressive governments or from scorned lovers who use these readily available tools to spy on others, and that not enough is being done about it.
“I invite security companies to create human rights boards,” Guarnieri said. “To create a bridge to look at things they’re not seeing so often, and reach out to this community. You may see that some of your customers are even affected.”
Guarnieri’s advocacy during his time at Amnesty International has included work to help create Security Without Borders, a collective of researchers and security practitioners who volunteer to provide pen-testing, incident response and other security services to people living in repressed parts of the world who need such help. He has also helped investigate attacks in which FinSpy and other surveillance tools were used to violate the privacy of activists or impede their work.
Guarnieri, who is also a Citizen Lab fellow, said that clear communication from security influencers is critical to educating victims.
“People are legitimately confused. Talk to them and get their perspective of what they perceive to be threats and safe practices,” he said. “They feel overwhelmed and powerless in the use of technology. In some cases they’ve abandoned technology altogether. They hear that Windows 10 may be unsafe or there are attacks against it, and their response is a complete shutdown. They’re not thinking they may be affected by something and just concentrate on their work.”
Guarnieri said that surveillance is only one piece of this disturbing puzzle. Censorship, he said, is common as well, whether through internet shutdowns, denial of access to content, or the outright blocking of platforms such as secure communications apps.
“Every single portion of human rights activism overlaps, manifests or is exercised with the use of technology,” he said. “That alone caused attackers and adversaries to recognize that technology itself is a good vehicle to get to these people and interfere with them or cause them harm.”
Physical harm isn’t reserved for targets of oppressive governments. As Cox learned during a lengthy and ongoing investigation into consumer spyware, jilted lovers and scorned spouses also drop malware onto a partner’s device, track their activities and, in some cases, go on to commit violence.
Cox told eye-opening and sickening stories of murder and sexual assault committed by husbands or former spouses. One NPR survey of 70 abuse shelters found that 75 percent of them were dealing with victims affected by hidden mobile tracking apps, Cox said. He also cautioned that some in the security community are quick to deride the low quality of this malware, and while that criticism may be accurate, it does not lessen the potential consequences for victims.
“That would be to misunderstand the threat people face from this malware and from people who are often in the same room or even in the same bed,” Cox said. “The threat is more complicated than a typical Android or smartphone threat. This is an overlap of physical and digital security that you may not always see in your line of work.”
Consumer spyware such as FlexiSpy, HelloSpy, Mobistealth and many others is marketed for spying on wives, children and even employees. Their capabilities overlap heavily: the spyware monitors and steals emails, SMS messages, photos and GPS location and uploads them, often to slick dashboards to which the husband or employer has access.
Cox, who was formerly at Motherboard, spent some time on FlexiSpy, which can also be used to remotely activate the microphone or camera on a compromised device. He said it is also sold as a white-label product to resellers who market it under a number of other names.
“These products are constantly being updated, and until recently were marketed explicitly to jealous lovers,” Cox said.
In July at Black Hat, Facebook’s Stamos urged the security community to have empathy for victims of cybercrime, and said that empathy, along with greater diversity in the field, is needed to solve these complicated problems.
“Unfortunately, the truth is our community is not yet living up to its potential,” Stamos said. “We’ve perfected the art of finding problems over and over without addressing root issues. We need to think carefully about what to do about it downstream after discovery.”