Use of cyber weapons against citizens and journalists
The current excitement surrounding the use of the NSO Group’s Pegasus surveillance and trojan software, uncovered by Amnesty, shows that there must be a ban on the use of this type of software, which also includes the state trojans. As a minimum, the use of software of this type against civilians and journalists should result in long prison sentences for all directly and indirectly involved. A “weapon” like Pegasus will always tempt people to use it against their political or economic opponents and thus expand the area ofapplication far beyond the fight against terrorism.
Amnesty has a very good publication of the case (https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/) and also a forensic tool to help those affected is published as open source (https://github.com/mvt-project/mvt). There is also a good entry on Wikipedia (https://en.wikipedia.org/wiki/Pegasus_(spyware)#cite_note-amnesty-1).
The current situation is that Apple’s IPhones were, or still are, to be taken over with a zero-click attack. Zero-CLick means that the user does not have to take any action to activate malware such as the state trojan, Pegasus, or software from criminals. After activation, the software hides extremely well and the “best” solutions are not noticed for years. Especially pure users have almost no way to find it.
All analyzes currently indicate that Apple’s iPhones are hardest hit and Android does better. This does not mean, however, that there can be no zero-day or zero-click exploits with Android phones that can be used to take over the phone. It is just currently not known.
In addition, it is extremely dependent on the installed apps, because there can be back doors to the phone in these too.
Since there was a change in the law in Germany to permit the state Trojan (https://www.mdr.de/nachrichten/deutschland/politik/ueberendung-messenger-staatstrojaner-geheimdienst-bundestag-100.html), there is now, also for citizens of others Countries, the risk of being contaminated with the state Trojan not only from the USA, but also within the EU, from an EU member state. There is also the possibility that, for example, Germany uses Pegasus as a state Trojan, because Pegasus should currently be a leader in this area. All in all, the name of the software does not matter, the functionality is the same everywhere - unnoticed intrusion into the smartphone and then, without being discovered, collecting and transmitting data - end-to-end encryption is no longer of any help here, because the Trojan is dead in the smartphone so that it can read all texts, images, passwords and much more before encryption and transmit them to the person who controls the Trojan. In addition, the device can be accessed directly via a back door and the actions of the user can be followed live.
Protection against malware of any kind
First of all, as with IT and digital solutions in general, there is no 100% protection and the combination of people who do not understand the technology with a smartphone as a permanent companion in every life situation increases the risk extremely.
Nevertheless, anyone, even the technical layman, can dramatically reduce the risk of a malware attack with simple actions. The KMJ.at blog already contains many instructions for installing custom ROMs and securing mobile devices. In summary, here is an overview of simple ways to massively reduce the attack surface.
Oh and if you now think you have nothing to hide, then you are wrong. In contrast to me, who uses an offline tan generator for banking and of course has not installed the app, access to your phone is probably sufficient to empty your accounts and to sign these transfers with the APP. You have a lot more to hide, but when the accounts are empty, none of this is so important anymore. If you already rely on the correct 2-factor signature with an offline device as the 2nd factor, you have already done a lot right.
The simplest rules
Don’t install apps, and if so, only open source
Unfortunately, in times like these, it is common to advertise apps with people who are sometimes stupidly dancing, while at the same time talking about - Safe, Advantage, Relief, Simple, Helpful. Of course, the apps are free and technically inexperienced users download these programs. App is just a nice name for a program that runs on your device. Then allow access to the contacts, the calendar and the phone list and all data has already landed with the provider of the app.
Apart from the fact that, since you neither have written permission from every contact and you cannot exercise the right of revocation and deletion, it is illegal under GDPR to upload the address book to the provider. You give data to third parties for forensic evaluation, who build and sell huge databases from it. In the best case. In the worst case scenario, you’ve passed everything on to criminals. The possible legal consequences are a fine of several thousand euros due to the GDPR violation and high claims for damages, for example if you publish the unpublished phone number of a contact as a result.
In addition, many users do not delete apps, although malware does not uninstall itself, of course, even if the app that brought the malware is uninstalled. All of these apps that have been installed at some point will continue to run in the background even if they are not opened and will continue to collect and transmit data. A state that you certainly did not want
The installation of apps is like giving strangers the key to your apartment and trusting that everything is still in its place afterwards and nothing is missing. When using the browser, you stand in the door and only give the agreed things to them who stands in front of the door without letting him in.
TIPS for standard phones
In general, it is not advisable to use Apple IOS telephones until this zero-click break-in option for IOS has been clarified. The following applies to all phones, regardless of whether Android, LineageOS or IOS:
- Do not normally install any apps, always prefer to use the browser. Secure open source browsers such as the Tor Browser, Firefox, DuckDuckGo or LibreWolf are only designed to guide you safely through the Internet. Every reputable provider has a website that you can reach with the browser and on which you can do everything that the app can do. In contrast to the app, the website has no access to the phone and cannot read anything from it, except for browser data, etc. And if you stop the browser or move it away from the website, nothing is running in the background to collect data. The attack surface is already massively reduced and you are largely in control of your data and avoid the drive-by installation of malware by installing the app by using the browser. It is understandable that providers of apps prefer the installation over the browser, because you always know where you are, you can evaluate your behavior and also send messages to you, which are then displayed on the smartphone as an event notification. These messages always appear when you do not use the app for a longer period of time. In this way, the provider generates activity and can better evaluate your behavior again. This, too, is probably undesirable for the majority of people.
- Use the Tor Browser (https://torproject.org) as the default browser. The Tor Browser protects many professional groups, journalists and activists from persecution every day through anonymization! It is extremely valuable for you that the Tor Browser disguises your IP address and website operators only see the IP address of the so-called Tor Exit Node, which is not related to you. With it you can also visit critical pages, e.g. about health and politics, without anyone knowing that you are. Not even your provider knows that you are visiting these pages. The Tor Browser is available for every operating system except IOS. Apple apparently does not want you surfing anonymously. Since my last IOS device, a 5S, has been waiting for its final destruction for years without electricity, I won’t go into it here. Instructions for my current LineageOS setup can be found in the blog.
- If you need apps, only use open source apps. With these, the program code (source) is publicly visible and since this is checked by many in successful projects, back doors and security gaps are rare and are usually fixed much faster. There are currently only open source applications on my smartphone and there are additional tests due to the use of F-Droid.
- Check the permissions of the apps, only allow access that cannot be avoided. Never open the contacts, calendar, data storage, etc. to an app. Always consider why an app wants this access and if in doubt, you should not grant access.
- Use offline tan generators (CardTan) for banking transactions and do not install an app from the bank. Visit the bank website with the browser and generate the required tan with this CardTan device, into which you insert the ATM card to generate the tan. In addition, the EB pin must be entered as additional protection on the CardTab device. This makes it impossible to make transfers and your money stays in your account, even when your smartphone and PC have been completely taken over.
- Do not open any links in dubious SMS or emails. Always think before you click! And even if curiosity makes your finger twitch, take a deep breath and delete the email or SMS.
- Immediately delete apps that are no longer used.
- Always keep your smartphone up to date with the latest software version. If your manufacturer no longer offers an update for more than 6 months, switch to a custom ROM, such as LineageOS with all security patches, or destroy the smartphone by physically destroying it.
The above rules are of course far too few for smartphone professionals and a correct setup looks something like this:
- Never give your smartphone out of your hand. As soon as someone can plug in a cable or USB stick, even for a few minutes, you are lost and the cell phone must be destroyed. In a case like this you must also change ALL passwords!
- Buy a smartphone from which you can always remove the battery. As long as the device has power, certain services run even if it is “switched off”. The device only has no function without a battery. The FairPhone 3+ (https://en.wikipedia.org/wiki/Fairphone_3) is ideal here. Long service life possible thanks to the possibility of repair and easy removal of the battery. Alternatively, one of the newly released Linux smartphones can also be used.
- Like the Fairphone, the smartphone should support LineageOS. This simplifies the installation and does not end the device warranty.
- Install LineageOS on the smartphone without gaps (Google Apps) and root the phone with Magisk. Only use the F-Droid Store to install open source apps. The Google App Store is not available without Google Apps.
- Encrypt the device with a PIN code of at least 8 digits, which must also be entered after 2 minutes of inactivity.
- Install AFWall+ Firewall (IPTables) from the F-Droid App Store. In the KMJ blog there are many instructions for the installation of LineageOS and the secure setup including custom scripts for AFWall+ and automation with Easer.
- Replace the standard programs with open source software and deactivate the programs of the basic installation. For example, use K9 Mail as e-mail program, QKSMS as SMS program, WebDAV based calendars and address books with DAVx5. The Hackers Keyboard is ideal as a keyboard.
- Use Greentooth to deactivate Bluetooth a few minutes after the last device was disconnected. This means that the Bluetooth attack surface is always switched off when no device is connected.
- Back up with Titanium on an encrypted SD card and transfer the backup, e.g. to your self-hosted OwnCloud.
- Install Orbot and route all traffic via AFWall+ (not via Tor VPN) through the Tor network. The DNS instructions in the KMJ blog describe how to redirect DNS requests via Tor and thus be protected from DNS man-in-the-middle.
- Use OpenVPN to connect to your home or office.
- Use xBrowserSync as an encrypted storage for bookmarks.
- Install KeePass on your PC and smartphone, ideally via WebDAV for access from any device, to save your passwords. Use at least a 16-digit passphrase and create a separate password for each access. Never use a password twice and a password should look like this as a minimum: -70AFdd3321RrV5jh78203ac602b3d256 - You do not have to remember the password because it is stored in the KeePass DataSafe. Transfer takes place with copy / paste.
- Do not install apps from major social media or messenger providers. If absolutely necessary, install these apps on a virtualized Android-x86 phone that runs under Proxmox, VMWare or VirtualBox. At Proxmox you can connect to the console with Spice and pass USB camera and microphone through if necessary. But it’s best to never install it on your own smartphone.
- Switch to a decentralized open source messenger that does not collect any data about you. The Element Matrix Messenger (https://element.io) should currently have over 35 million users and is my first choice. In addition, I use the Session Messenger, a signal fork that is completely anonymous and, for very special cases, Briar, which is a pure peer-to-peer messenger through the Tor network. If you absolutely need one of the big data messengers, use the Element Messenger with a bridge (https://matrix.org/bridges/) and communicate with users of other systems via the Element Messenger. As a result, of course, with an empty address book so that no data is transferred.
- Switch from Twitter to the decentralized Fediverse. All Mastodon, Friendica and Co. servers are connected via ActivityPub, everyone can communicate, follow and answer with everyone. In addition, as with Matrix, everyone can operate their own server, which is then connected to all the others via ActivityPub. Micro blogging and social networking the way it should be. If necessary, you can continue to operate your Twitter account with an RSS2Tweet bot based on the postings in Fediverse, without the need for an app or without logging in.
What options do I still have
In summary, it can be said that if the above rules are observed, there is a massive reduction in the attack surface and it becomes rather unlikely that an attack will be successful without physical contact with the smartphone.
Zero-day and zero-click security gaps are traded on the Darknet for many millions of USD and companies that offer software like the state trojan are happy to buy up these security gaps. As a result, no information is sent to the manufacturer of the software and the buyers of the security vulnerability will try to use it for as long as possible and to sell it in connection with the Trojan software for many millions to customers.
However, the goal must be that security gaps are closed as quickly as possible, also in order to avoid an attack by other people who also find the security gap. The idea that someone finds a gap on their own is more likely to be classified in the realm of fantasy, because with all the many people looking for such gaps, it is very likely that the gap will also be found and exploited by someone else in a relatively short time.
Deliberately not closing security gaps for your own profit is unacceptable and at some point will trigger a disaster in the sense of penetrating networks of electricity providers, nuclear power plants and similar systems. Since, as has been shown in the last few months, there are also people here who believe that the most delicate systems must have an Internet connection, the effects of such an intrusion can be devastating.
Politicians of all parties should really look for a way of using such “weapons”, similar to the War Weapons Act, in order to prevent the looming catastrophe. The dream of the total surveillance state by exploiting the security gaps and the use of state Trojans would almost certainly end in a cyber war of unimaginable proportions. The EU would be a pure victim in this cyber war, or collateral damage with no prospect of any positive aspects. It is therefore particularly important for EU politicians to take the right steps here.
But how do we say here in Austria - Hope dies last -
- Link to the domains and email addresses of the NSO Group published by Amnesty: https://github.com/AmnestyTech/investigations/tree/master/2021-07-18_nso
CTS IT Solutions (https://ctssupport.at, German / English site), which I founded, has been offering commercial customers perfect and well-tested IT solutions since 1985! We would be happy to advise you on all questions relating to IT!
Questions? Join my public room in the Matrix
If you like this blog entry feel free to join my public room by entering /join #kmj:matrix.ctseuro.com anywhere in the Element Messenger (https://element.io) box to send a message! Or follow this Link: https://matrix.to/#/#kmj:matrix.ctseuro.com Help or answering questions ONLY in this room!
Greetings from Austria,
Karl M. Joch