May 16, 2019
This miniseries of #HackForJournalism blogs introduces mobile security threats used against journalists and our solution for securing mobile, as presented on 4.2.2019 in Brussels. The goal of the Hackathon for Journalists event was to introduce journalists to mobile threats and share information on how to protect themselves. We invite journalists, activists and researchers to co-design a truly secure mobile system from the ground up.
In the previous blog we opened the conversation about cases where mobile malware vendors and governments use these vulnerabilities to target journalists and human rights activists. According to the latest news and findings, the notorious NSO Group has once again been connected to targeted surveillance. Now the target has been confirmed to be a lawyer who has been involved in lawsuits that accuse NSO Group of providing tools to execute extreme surveillance.
The spyware used can give hackers full remote access to a phone, allowing them to collect any available data including photos, messages and passwords. It can see the victim's contacts and even activate the camera without a trace.
The spyware we are facing today demonstrates yet again how vulnerable and unsecured smartphones, operating systems and apps are. The thought that an individual's personal or professional data can be stolen by just one WhatsApp call may falsely suggest that the fault lies in just one or a few particular apps. It has been detected in both Android and iOS operating systems and in other applications as well.
WhatsApp has addressed the security flaw and taken action to fix the issue with a security patch. However, the reality is that the spyware was used by exploiting a zero-day. A WhatsApp spokesman stated that the flaw was discovered while “our team was putting some additional security enhancements to our voice calls”. One could ask: does our smartphone security rely on accidental discoveries of such dangerous flaws?
The Citizen Lab has studied NSO Group and the deployment of spyware against civil society activists, journalists, scientists, and politicians in a number of reports. We should understand that these targeted individuals are investigating and publishing important stories about events that affect us all. In a way, by targeting these individuals, our access to information, and thereby our knowledge of the world, is targeted. We shouldn’t be fooled by the thought that not everyone is important enough to be targeted. Global surveillance disclosures have proven this not to be a fact. Even if the surveillance is targeted at some individuals, we should acknowledge it as a fact, but not accept it.
One study from the Citizen Lab shows that a journalist, the wife of killed journalist Javier Valdez, was targeted with NSO Group’s Pegasus spyware following his assassination. We could imagine a pattern that develops as an outcome of targeted surveillance. Attackers gain information about the targets and study their behavior and profile. Using the target’s contacts, they connect even more individuals with similar intentions. The surveillance grows even bigger by targeting their contacts, family and sources.
To be able to develop truly effective and sustainable security solutions, we should look at the mobile device ecosystem as a whole. Currently most mobile hardware is produced by a few very large manufacturers. There is hardly any competition in the market, which greatly limits the freedom of mobile devices. Most of the largest hardware manufacturers embed their own proprietary binary blobs (unreadable binary code) in the hardware. This black-box code can run anything in the device virtually undetected. Here lies the issue with current security measures. Discovering new 0-days, faults and vulnerabilities and patching them is not a sustainable solution if the whole system rests on closed proprietary software. You cannot know what runs on your device.
Currently this fundamentally vulnerable infrastructure is used as a platform for all the features that your mobile devices contain. On top of the already faulty system, yet another set of vulnerable components is added: applications. Securing communications is another tall task when dealing with smartphones. In fact, the SIM card and the cellular modem are the most vulnerable parts of a mobile device, so we chose to ditch them completely. Connectivity is a weak link as well, but in our world today connectivity is the force behind anything ‘smart’.
There are good practices that secure smartphones to some level, like end-to-end encryption and VPNs, but they are shown to be useless when someone can access your device through closed firmware, and that is the problem we want to tackle.
Supply chain transparency
Verifiable open hardware and software
Full mobile security as a service
Transparent application development
Not using your data as a fuel
The ultimate goal is to be a free and open source mobile platform with a rich app ecosystem, where the user is in control and the device is verifiably secure all the way from hardware to the applications.
We want to work together with journalists, activists and their organizations to co-design security tools for protecting journalists and their sources in 2019, on Necunos NE_1 – the most secure mobile device platform. We wish to inspire these groups to take action and demand truly secure solutions and empower them to get involved in the design and creation of these tools.