Last Week on my Mac: Where the law fails to protect

One of the purposes of government is to safeguard its citizens – from preventable disease, threats of war by foreign powers and terrorists within, and from those acts which we deem criminal. This week we have seen a major threat to hundreds of millions of innocent civilians around the world, undetected by any government, addressed by industry not government, and without any official acknowledgement by government agencies.

I refer, of course, to the exploited vulnerabilities in iOS prior to version 9.3.5, which were reported to Apple, and fixed by Apple in its iOS 9.3.5 update.

Many countries now have laws which make it illegal to ‘hack’ into any form of computer system, such as a smartphone. Although individuals are increasingly being prosecuted for breaking those laws, it is widely known that there are many commercial and government organisations which exploit vulnerabilities in order to obtain access to computer systems. The companies which do this offer the service for money, and it appears to be extremely lucrative. The governments which do so often have some form of legal let-out, although many question the moral and legal basis of their doing so. Hacking, exploiting vulnerabilities, trading in knowledge of vulnerabilities, and malware have all become weapons in what might be termed cyberwarfare.

This week, it became clear that NSO Group, based in Herzelia, Israel, which is probably owned by a private equity firm with its headquarters in San Francisco, had developed a malware delivery system which exploited three vulnerabilities in iOS, and had used this to launch an attack on a prominent Saudi dissident. The whole story is told in detail by the team which investigated it, on the blog of the Munk School of Global Affairs, at the University of Toronto.

The teams at Citizen Lab and Lookout Security did the responsible thing, and reported the vulnerabilities which they suspected to Apple, even though they were not offered any incentive (i.e. a bounty) to do so. Apple came up with fixes to close each of the three vulnerabilities which NSO Group’s Pegasus product was exploiting, and released them in iOS 9.3.5 on 25 August 2016.

Everyone who has an iPhone or iPad should be extremely grateful that Citizen Lab, Lookout Security, and Apple all did the right thing, and safeguarded us.

As that article makes clear, this is not the first time that this individual had been attacked by commercial malware: he had previously been attacked by FinFisher’s FinSpy, and HackingTeam’s Remote Control System. They have both been used in other attacks on civil society groups, journalists, and human rights workers.

FinFisher describes itself as specialising in “offensive IT intrusion”, and operates from Germany. HackingTeam is based in Italy, from where it sells “the hacking suite for governmental interception”. Such tools for ‘intrusion’ and ‘interception’ can of course also be used to introduce forged evidence, something which is discovered occasionally, despite the difficulty of proof.

In spite of the shadowy Wassenaar Arrangement, which is supposed to regulate international trade in arms and security-related computer products – such as those of FinFisher, HackingTeam, and NSO Group – national and international law is manifestly failing to protect vulnerable people around the world. This ‘arrangement’ embraces some countries such as Russia and Turkey, whose records are not exactly faultless, and excludes Israel, which continues to supply such products to countries which are part of the arrangement, and Saudi Arabia, which had the greatest incentive to hack this particular individual.

Within Wassenaar members, it remains perfectly legal to trade without regulation in the knowledge of security vulnerabilities. A security researcher in the USA can quite legally discover a vulnerability in iOS which they know can be exploited, can refuse to disclose it to Apple, and sell the vulnerability to a third party, which can then exploit it in a product offered to ‘legitimate customers’. All without any record-keeping, disclosure, or supervision.

When rattling their cybersabres, governments such as those in the US and Europe like to tell us how important their cybersecurity agencies are, and how much additional funding they are being given, as if that builds our confidence. The real reason that our governments are so reluctant to safeguard us effectively is that they also want to exploit vulnerabilities and use the products sold by FinFisher, HackingTeam, and NSO Group. The occasional casualty, collateral damage as it were, in their cyberwarfare is of little importance to them.

NSO Group has been claimed to be worth $1 billion. If it is, then it must have other products, and lucrative trade with ‘legitimate customers’, which must include agencies of the US, UK, and other European governments. Far from commending Citizen Lab, Lookout Security, and Apple for closing these vulnerabilities, most are probably angry that one of their best and most expensive tools has now been made much less useful.

Not only do our governments not want to safeguard us from those existing threats, but they now want powers to force backdoors in encryption, and enable greater intrusion into our private communications – only by the good guys of course. Should we really trust them to safeguard us then?