Here’s how Mexican journalist avoided iPhone spyware hack
AUGUST 26, 2016
mcclatchydc.com
BY TIM JOHNSON
WASHINGTON
Mexican investigative journalist Rafael Cabrera didn’t take the bait.
Mysterious text messages would pop into his iPhone but he refrained from
clicking on the links they contained. It saved his phone from turning into a
surveillance tool, a digital ankle bracelet transmitting his every move, email
and contact list entry.
Cabrera’s caution served him well, but the spyware scandal that rocked
Apple this week brought only bad news for dissidents, human rights activists,
investigative journalists and others in the sights of repressive or meddlesome
governments. Their cellular phones are potentially their worst enemies.
Cyber experts revealed this week that an Israeli firm,
NSO Group, had created spyware that allowed remote operators to seize virtual
control of iPhones and iPads, listening to all conversations, intercepting all
data and activating the cameras and microphones at will.
Apple reacted quickly, offering security updates to address the
vulnerabilities. Owners of the estimated 1 billion Apple devices running the
iOS operating system have only to download the patches onto their devices.
But experts say sophisticated spyware can now be put in the hands of
leaders of even the most backwater nations.
NSO Group, which was formed in Herzliya, near Tel Aviv, in 2010, has
done business in Mexico, Panama and the United Arab Emirates. It also retains
internet domains in Turkey, Thailand, Qatar, Kenya, Uzbekistan, Mozambique,
Morocco, Yemen, Hungary, Saudi Arabia, Nigeria and Bahrain, according to peerlyst.com, a
portal for information security professionals.
The company is a pillar in the industry of “lawful intercept” software
that is prized by government agencies whose task it is to maintain stability,
combat crime and fight terrorism.
Such surveillance software is expensive, costing more than $1 million, but for
governments the capabilities that it brings make it a bargain.
“It’s pocket change for a government entity,” said
Eva Galperin, global policy analyst for the Electronic Frontier Foundation, a nonprofit in
San Francisco that champions free expression and civil liberties in the digital
world.
“The defense ‘while it’s legal’ is actually very
weak. The United Arab Emirates does not treat its dissidents very well,”
Galperin said. “If you are selling lawful intercept software to the UAE, you
have to know that it will not be used to send milk and cookies to the targets.”
Cabrera, the Mexican journalist, works for a
digital news portal, Aristegui Online, that has been a perpetual
thorn in the side of President Enrique Peña Nieto, leader of the Institutional
Revolutionary Party, which has an authoritarian past.
The site first rankled Peña Nieto when it reported in 2014 that a $7 million mansion had been
built by a major government contractor to the design
specifications of the first lady. Earlier this year, the site, reporting in
tandem with McClatchy, revealed that the contractor had sought to hide $100
million in assets in offshore companies.
Last weekend, Aristegui Online reported that nearly 29 percent of Peña Nieto’s 1991 undergraduate law
thesis had been plagiarized.
Cabrera began getting text messages on his iPhone
in mid-2015, and as time went on the messages became increasingly personal in their
quest to have him click on a link to infect his phone.
“The links for Cabrera, the only word I can put on
it is diabolical, as clever as they were evil,” said Geoffrey King, a lawyer
and technology program coordinator for the Committee to Protect Journalists, a group that
promotes press freedom worldwide.
The first messages made mention of the “white
house” scandal involving the first lady. One said that those behind the Aristegui
report would be sued for defamation, and a second one said the reporters might
be jailed while an investigation unfolded. Both spoofed an address for a new
television network. Both ended with a hyperlink.
Other, later text messages addressed Cabrera by his nickname, Rafa, he
said, and mentioned that he owed money on his cellular account or offered a
credit with the Uber ride-sharing service. An additional text was disconcerting
and needling.
“It was quite vulgar. It asked if I wanted to see my partner having sex
with another person,” Cabrera said, noting that a link would lead to the
supposed video.
“Clicking on any one of these (links) would have been game over,” King
said.
Cabrera said he wasn’t the only member of the Aristegui Online team to
receive such baited messages. No one knows for sure who was behind the
surveillance gambit.
But one expert said he thought the NSO Group surveillance spyware had
been sold to governments all over the world. Lookout, a San
Francisco cyber-forensics firm that took part in uncovering the
NSO spyware, said in a report Thursday that NSO Group had been sold to a
private equity firm, Francisco Partners, for $110 million in 2014.
“Given that kind of high valuation, it’s highly likely . . . that it’s
in very wide use around the world,” said Edin Omanovic, a research officer at Privacy
International, a charity in London that opposes unlawful and
intrusive surveillance.
The spyware allows an attacker to take complete control of an iPhone or
iPad if the user clicks just once. The infected device gives no indication that
anything has gone astray. Once the iPad or iPhone is infected, the attacker can
observe and control all activity on the device.
The researchers who discovered the spyware found that it had three
chains of what are called zero-day exploits, major vulnerabilities that are so
named because once discovered they give the software engineers zero days to fix
them. The problem is immediate.
Uncovering such flaws in coding “tend to be very expensive and very
rare, particularly for Apple because Apple is very good at security,” said King
of the Committee to Protect Journalists.
Journalists, dissidents and others who may run afoul of governments
should not give up using Apple devices if they can afford them, King said,
noting that once a security update is downloaded the devices appear to be safe
again.
In addition to Mexico, it is known that Panama bought surveillance equipment from
NSO Group for $6 million to $8 million. President Ricardo Martinelli’s
administration bought surveillance platforms during his 2009-14 term to
intercept cellular phones. The resulting espionage scandal, in which
some 150 of Martinelli’s political opponents were targeted, led Martinelli to flee Panama early last year.
A high court judge ordered his arrest last December, but his whereabouts are
not known.
The use of sophisticated spyware for cellular phones may prove in the
future to be simply too tempting for many national leaders to resist.
“We’re talking about petty grudges, it seems, by governments. It’s
frightening,” King said.
Tim Johnson: 202-383-6028, @timjohnson4