WEBVTT - ICE Partners with Israeli Phone Hacking Spyware 0:00:01.720 --> 0:00:08.200 All zone media welcome to it could happen here a 0:00:08.240 --> 0:00:12.600 show about things falling apart. One such thing frequently falling 0:00:12.600 --> 0:00:18.000 apart is any notion of privacy or digital privacy. Ever, 0:00:18.239 --> 0:00:21.440 encroaching surveillance is one of the biggest global issues affecting 0:00:21.480 --> 0:00:25.640 free expression and a free press, both directly through surveillance 0:00:25.680 --> 0:00:29.880 technology but also by chilling speech. I'm Garrison Davis, and 0:00:30.120 --> 0:00:34.520 this past week, news has swept the Internet that ICE 0:00:34.680 --> 0:00:39.040 is using software from an Israeli company called Paragon, which 0:00:39.120 --> 0:00:44.000 allows ICE or DHS to secretly hack into any smartphone, 0:00:44.360 --> 0:00:48.840 break encryption, access messages, track real time location, and turn 0:00:48.960 --> 0:00:53.639 your iPhone or Android into a walking listening device, all 0:00:53.680 --> 0:00:57.920 of which sounds very scary, and some of which is true, 0:00:58.680 --> 0:01:02.800 though some of these class are exaggerated or even likely 0:01:02.880 --> 0:01:06.960 false based on what we can currently infer from published research. 0:01:07.800 --> 0:01:11.200 Due to legitimate fears, we live in a world of 0:01:11.319 --> 0:01:16.200 surveillance paranoia, which can lead to surveillance myths. This is 0:01:16.240 --> 0:01:20.800 a core function of the Panopticon. People should take ICE's 0:01:20.840 --> 0:01:25.720 new enhanced smartphone surveillance capacity seriously, but to adequately do 0:01:25.880 --> 0:01:30.640 so requires an accurate understanding of the threat model, which 0:01:30.680 --> 0:01:33.440 we will get into later this episode with some help 0:01:33.680 --> 0:01:38.760 from the Electronic Frontier Foundation. But first let's address the 0:01:39.000 --> 0:01:43.120 newsworthy aspect of this story. What has actually changed recently. 0:01:43.840 --> 0:01:48.080 DHS first contracted with the US branch of Paragon in 0:01:48.200 --> 0:01:52.360 September of twenty twenty four, or two million dollars, but 0:01:52.480 --> 0:01:55.960 later that October, the contract was put on hold thanks 0:01:55.960 --> 0:01:58.960 to a Biden executive order restricting a government use of 0:01:59.040 --> 0:02:02.800 foreign spyware, and ever since then the contract has been 0:02:02.800 --> 0:02:07.200 frozen pending a compliance review. But then on September first, 0:02:07.320 --> 0:02:11.560 twenty twenty five. Just last week, investigative journalist Jack Paulson 0:02:11.880 --> 0:02:15.320 reported that the stop work order affecting the Paragon contract 0:02:15.560 --> 0:02:19.320 had quietly been lifted, allowing Ice to follow through on 0:02:19.360 --> 0:02:23.680 the contract and start using Paragon's spyware technology, most likely 0:02:23.840 --> 0:02:29.960 including their flagship product, Graphite. What is Graphite? Great question 0:02:30.880 --> 0:02:34.840 one that I felt underqualified to fully answer myself, so 0:02:35.000 --> 0:02:37.639 I spoke with an expert, Cooper Quinton, of the Digital 0:02:37.720 --> 0:02:41.480 Rights group the Electronic Frontier Foundation. You'll hear from him 0:02:41.560 --> 0:02:43.080 throughout the episode. 0:02:43.400 --> 0:02:46.160 My name is Cooper Quinton. I am a senior staff 0:02:46.160 --> 0:02:50.280 technologist at the Electronic Frontier Foundation. There I do a 0:02:50.320 --> 0:02:53.840 lot of different things. Most specifically, for the purposes of 0:02:53.840 --> 0:02:57.840 this talk, I do malware research on malware that targets activists, journalists, 0:02:57.840 --> 0:03:03.239 and civil society. So is a type of spyware that 0:03:03.480 --> 0:03:08.280 is able to read your messages from your phone the 0:03:08.320 --> 0:03:10.760 same way that you or you know, maybe a cop 0:03:10.800 --> 0:03:14.400 could if they had physical access to your unlocked phone, right. 0:03:14.840 --> 0:03:17.760 That is the main capability that it has. According to 0:03:17.800 --> 0:03:20.960 the reporting published by Citizen Lab, its main job is 0:03:21.000 --> 0:03:25.560 to hook into WhatsApp and into other encrypted chat apps 0:03:25.960 --> 0:03:28.680 and just read the messages in those apps, like in 0:03:28.720 --> 0:03:32.040 the messages you've already sent and any future messages that 0:03:32.120 --> 0:03:35.880 you send. That's really it's the that's the meat of Graphite. 0:03:36.160 --> 0:03:40.360 Something that sets Paragon apart from their fellow Israeli competitors 0:03:40.520 --> 0:03:44.240 is that Paragon has marketed itself as the ethical choice 0:03:44.400 --> 0:03:47.960 for spyware. One of their early investors in Israeli firm 0:03:48.000 --> 0:03:52.000 called red Dot wrote, quote Paragon builds best in class 0:03:52.080 --> 0:03:56.960 cyber intelligence software to empower democratic countries, providing cutting edge 0:03:57.000 --> 0:03:59.320 capabilities that make the world safer. 0:03:59.760 --> 0:04:00.000 Quote. 0:04:00.720 --> 0:04:03.920 On their US website, Paragon says that they are quote 0:04:03.960 --> 0:04:08.880 unquote empowering ethical cyber defense and that they provide customers 0:04:08.920 --> 0:04:12.680 with quote ethically based tools, teams, and insights to disrupt 0:04:12.840 --> 0:04:18.760 intractable threats unquote. Though they use the term cyber defense 0:04:19.000 --> 0:04:24.240 on their US site, Paragon's startup page reads quote Paragon 0:04:24.440 --> 0:04:28.400 is an offense focused cyber company using digital intelligence for 0:04:28.480 --> 0:04:32.919 smartphone and internet surveillance solutions. The company applies strict moral 0:04:32.960 --> 0:04:36.839 restrictions on itself, limiting its extraction of information from targeted 0:04:36.839 --> 0:04:41.840 devices to conversations on chat apps. Paragon works solely with 0:04:41.920 --> 0:04:45.520 police forces and intelligence agencies that meet the standards of 0:04:45.560 --> 0:04:51.040 an enlightened democracy, which includes only thirty nine countries unquote. 0:04:51.480 --> 0:04:54.240 One of Paragon's senior executives told Forbes in twenty twenty 0:04:54.320 --> 0:04:56.960 one that they would only sell their technology to governments 0:04:56.960 --> 0:05:01.000 that quote unquote abide by international norms and respect fundamental 0:05:01.080 --> 0:05:05.919 rights and freedoms, and that quote authoritarian or non democratic 0:05:05.960 --> 0:05:11.320 regimes would never be customers. Unfortunately, Paragon was not pressed 0:05:11.400 --> 0:05:17.160 on what their definition of authoritarian regimes includes. In recent reporting, 0:05:17.160 --> 0:05:20.039 there's been a lot of misconceptions about the capabilities of 0:05:20.160 --> 0:05:25.160 Paragon's main product, Graphite. The Guardian wrote, quote, by essentially 0:05:25.200 --> 0:05:28.119 taking control of the mobile phone ice can not only 0:05:28.200 --> 0:05:31.320 track in individuals whereabouts, read their messages, look at their photographs, 0:05:31.560 --> 0:05:34.800 but also open and read information held on encrypted applications 0:05:34.839 --> 0:05:37.960 like WhatsApp or signal. Spyware like Graphite can also be 0:05:38.040 --> 0:05:41.400 used as a listening device through manipulation of the phone's 0:05:41.480 --> 0:05:45.960 recorder unquote. But research into Graphite by the surveillance watchdog 0:05:46.000 --> 0:05:50.920 group Citizen Lab has not indicated that Graphite has all 0:05:50.920 --> 0:05:54.320 these capabilities or tries to quote unquote take control of 0:05:54.360 --> 0:05:58.520 the entire device, But other tech journalists have since parroted 0:05:58.600 --> 0:06:02.720 The Guardian's unfounded class that Graphite fully takes over a 0:06:02.800 --> 0:06:05.719 phone and can record audio through the microphone. 0:06:06.120 --> 0:06:10.320 This is actually less full featured than other spyware we've 0:06:10.320 --> 0:06:14.360 seen in the past, like NSL groups, Pegasus spywere. Other 0:06:14.720 --> 0:06:17.000 types of spyware that I've seen tend to have a 0:06:17.080 --> 0:06:20.320 lot more capabilities, right, They have the capability of like 0:06:20.400 --> 0:06:25.000 turning on GPS location tracking, the capability to turn on 0:06:25.080 --> 0:06:27.320 a hot mic, to do all these other things. And 0:06:27.360 --> 0:06:30.640 this seems as far as as far as Citizen Lab 0:06:30.680 --> 0:06:34.080 has reported to not be present within the Graphite malware, 0:06:34.120 --> 0:06:38.640 and I think this is because Paragon has presented themselves 0:06:38.640 --> 0:06:43.159 as kind of being the quote unquote responsible malware manufacturer, right, 0:06:43.200 --> 0:06:45.960 and they're like like trying to minimize the amount of 0:06:46.040 --> 0:06:48.680 data they collect. It doesn't mean they couldn't add this 0:06:48.720 --> 0:06:51.000 stuff in the future, but that's the that's the gist 0:06:51.040 --> 0:06:52.839 of it. It's actually, you know, kind of a very 0:06:52.920 --> 0:06:56.120 stripped down malware. I don't want to minimize like how 0:06:56.160 --> 0:06:59.160 impactful it would be for this mawur to get all 0:06:59.160 --> 0:07:02.240 of your messages. That could have a huge impact for people. 0:07:02.720 --> 0:07:06.480 But we don't need to make up capabilities that our 0:07:06.520 --> 0:07:11.040 adversary has, especially under fascism, right, Like we can we 0:07:11.080 --> 0:07:13.400 can just work with the capabilities that we know they have. 0:07:14.320 --> 0:07:17.200 A lot of reporting and discussion of Graphite and Paragon 0:07:17.480 --> 0:07:21.040 frame it as an equivalent to nsoss by where Pegasus, 0:07:21.200 --> 0:07:24.440 which has been banned in the United States for four years, 0:07:24.880 --> 0:07:28.520 Pegasus seeks to completely hijack the target device more broadly, 0:07:28.960 --> 0:07:34.160 similar to guardians claims about Graphite. But by forcing this comparison, 0:07:34.520 --> 0:07:38.760 people might be inadvertently boosting Paragon's brand with free marketing 0:07:38.880 --> 0:07:41.320 by making their product out to be something that I'm 0:07:41.320 --> 0:07:44.440 sure Paragon would like to have people think it is, 0:07:45.120 --> 0:07:48.720 but doesn't actually equate their realistic threat model, similar to 0:07:48.760 --> 0:07:54.040 how predictions of an evil superintelligent AI actually currently serve 0:07:54.120 --> 0:07:56.880 to boost the stock price of AI companies. 0:07:57.280 --> 0:07:59.200 I think a lot of people are doing the work 0:07:59.440 --> 0:08:03.760 for the these companies that are aligning themselves with fascism, right, 0:08:03.880 --> 0:08:08.200 And I don't think it's a great trend actually, right, like, 0:08:08.200 --> 0:08:13.000 like people are assuming that you know, Palateer is sort 0:08:13.000 --> 0:08:16.600 of watching everything, right, and it really Palanteer is just 0:08:16.880 --> 0:08:22.360 like fancy visual graphing software essentially, right, Like the danger 0:08:22.440 --> 0:08:25.920 of Palenteer is combining these two government databases, right, this 0:08:26.080 --> 0:08:29.480 mawere the GRAPHI mawere right, Like, yeah, it's it's not good, 0:08:29.600 --> 0:08:33.000 but you know it's not magical, right, it's not omniscient. 0:08:33.080 --> 0:08:35.560 It's not able to you know, I don't know, go 0:08:35.600 --> 0:08:37.960 eat the fridge out of your food and you know, 0:08:38.080 --> 0:08:39.520 beat up your dad or something like. 0:08:39.600 --> 0:08:42.920 You know, well now we're talking now, Now that's a 0:08:42.960 --> 0:08:43.719 good app. 0:08:44.200 --> 0:08:47.080 If only if only chech bros could solve such social problems. 0:08:47.679 --> 0:08:49.000 No, no, they would never. 0:08:49.400 --> 0:08:52.120 No, but yeah, you know it's not it's not imagical, right, 0:08:52.120 --> 0:08:54.160 And we don't need to do their work for them, right, 0:08:54.200 --> 0:08:56.640 We don't need to do their myth making for them. Right, 0:08:56.920 --> 0:09:00.520 A bigger threat to the majority of people in the 0:09:00.600 --> 0:09:05.679 US is getting your phone seized by the cops. Right, totally. 0:09:05.880 --> 0:09:09.560 There's nothing this maur can do, according to public reports, 0:09:09.559 --> 0:09:11.280 at least that the cops can't do if they get 0:09:11.320 --> 0:09:12.520 hold of your unlocked phone. 0:09:12.679 --> 0:09:16.560 Right. Having phased idea or fordgit pass code is much 0:09:16.600 --> 0:09:20.959 more dangerous to your digital security. Yes, as an average person, 0:09:21.120 --> 0:09:23.800 even as it like anaged person, like going to a protest. 0:09:24.120 --> 0:09:29.720 Yes, yes, absolutely absolutely. You know, Celebrate, which is the 0:09:29.760 --> 0:09:31.960 machine that police plug your phone into you to make 0:09:32.000 --> 0:09:34.240 a copy of all the data on it, is much 0:09:34.280 --> 0:09:37.600 more dangerous to the average American than the Paragon is. 0:09:37.600 --> 0:09:39.080 They're much more likely to encounter that. 0:09:39.720 --> 0:09:42.080 This is more of a niche gripe, but one that's 0:09:42.120 --> 0:09:46.080 still important. There's been claims that quote ice can now 0:09:46.240 --> 0:09:50.720 hack any phone and break encryption, but Graphite doesn't actually 0:09:50.800 --> 0:09:54.840 quote unquote break encryption. It's not going after the encryption 0:09:54.960 --> 0:10:00.080 on Signal or WhatsApp. Instead, Paragon tries to circumvent and 0:10:00.160 --> 0:10:02.920 encryption by trying to gain access to content on a 0:10:02.960 --> 0:10:06.920 targeted device once it's been unencrypted by an application like 0:10:07.040 --> 0:10:10.880 WhatsApp for the user to read similar to how if 0:10:10.920 --> 0:10:13.680 you have push notifications on for an application like Signal, 0:10:14.040 --> 0:10:18.080 if the police seize your phone and push notifications display 0:10:18.280 --> 0:10:21.840 messages from Signal, that doesn't mean the police have quote 0:10:21.880 --> 0:10:26.240 unquote broken signals encryption. Now, in order for Graphit to 0:10:26.320 --> 0:10:29.480 extract messages from your phone, it needs to get onto 0:10:29.520 --> 0:10:32.720 your phone in the first place. Graphite is just the 0:10:32.760 --> 0:10:36.840 implanted code that can read and extract your messages. First, 0:10:36.880 --> 0:10:39.440 it needs to get onto your phone via what's called 0:10:39.440 --> 0:10:42.720 an exploit, which is usually a message sent to a 0:10:42.720 --> 0:10:46.199 phone number or a WhatsApp account that attacks a vulnerability 0:10:46.240 --> 0:10:49.240 in your phone's code to gain permissions to load the 0:10:49.320 --> 0:10:53.319 Graphight onto the messaging apps. Graphight and the exploit are 0:10:53.600 --> 0:10:57.600 two separate programs that work together, but exploits need to 0:10:57.600 --> 0:11:01.120 be frequently changed to keep up with soft where security updates, 0:11:01.480 --> 0:11:06.040 and that's expensive. You need different exploits for Android and iOS. 0:11:06.800 --> 0:11:11.160 Paragon has been using zero click exploits, meaning the owner 0:11:11.200 --> 0:11:13.920 of the phone doesn't have to manually click a link 0:11:14.040 --> 0:11:17.040 or intentionally download a file for the exploit to try 0:11:17.040 --> 0:11:20.360 to gain permissions on the device. You don't have to 0:11:20.440 --> 0:11:22.280 click or do anything. You just have to receive the 0:11:22.320 --> 0:11:25.720 message and then the spyware gets to work, which is 0:11:25.920 --> 0:11:29.320 very scary. But this technology cannot be deployed en mass 0:11:29.559 --> 0:11:32.079 because of how expensive and specific it needs to be 0:11:32.280 --> 0:11:33.200 in order to work. 0:11:33.520 --> 0:11:35.440 The other thing that I think is missing a lot 0:11:35.440 --> 0:11:38.800 from the conversation about Graphite in particular, is that the 0:11:38.920 --> 0:11:41.880 malware is just the program that runs when it gets 0:11:41.920 --> 0:11:46.080 on your phone, and first, before they can install Graphite, 0:11:46.160 --> 0:11:48.720 they have to get onto your phone through some sort 0:11:48.720 --> 0:11:51.160 of exploit. If your phone is up to date and 0:11:51.160 --> 0:11:53.600 fully passed, this will have to be a zero day exploit, 0:11:53.640 --> 0:11:56.720 which means it's an exploit that has had zero days 0:11:56.720 --> 0:11:59.520 for Apple or Google or whoever to fix it because 0:11:59.559 --> 0:12:02.720 it is un known to them, and these exploits cost 0:12:03.080 --> 0:12:05.839 millions of dollars right now. Paragon is not going to 0:12:05.880 --> 0:12:08.720 pay that millions of dollars for each person they're exploiting, 0:12:08.720 --> 0:12:13.080 but there is a large per person cost to Ice 0:12:13.120 --> 0:12:15.920 for each person they're going to exploit, because Paragon doesn't 0:12:16.000 --> 0:12:19.600 want to blow their zero day, which costs them millions 0:12:19.640 --> 0:12:30.640 of dollars to either buy or develop themselves. 0:12:32.559 --> 0:12:35.040 Welcome back. I'd like to get into a little bit 0:12:35.040 --> 0:12:38.360 of Paragon's backstory and how they've grown as a company. 0:12:39.360 --> 0:12:42.600 Paragon was founded in twenty nineteen by former Israeli Prime 0:12:42.600 --> 0:12:46.400 Minister A hood Brock and A Hood Schnorsen, a former 0:12:46.440 --> 0:12:51.560 commander of the IDF's cyber Warfare Unit, basically Israel's equivalent 0:12:51.600 --> 0:12:56.200 of the NSA called Unit to eight two hundred three. 0:12:56.240 --> 0:13:00.760 Other Paragon co founders are also ex Israeli intelligence. The 0:13:00.760 --> 0:13:03.920 startup got early financing from a Televiv investment fund called 0:13:04.040 --> 0:13:08.160 Red Dot Capital, though Paragon also received backing from American 0:13:08.240 --> 0:13:11.760 venture capital. In twenty twenty one, Forbes reported that the 0:13:11.800 --> 0:13:15.600 Boston based Battery Ventures had invested between five to ten 0:13:15.679 --> 0:13:20.000 million in Paragon. Bloomberg Capital has also supported the company. 0:13:20.760 --> 0:13:23.679 In twenty twenty two, Paragon launched a U S subsidiary 0:13:23.880 --> 0:13:27.439 and started recruiting former US Feds to help break into 0:13:27.480 --> 0:13:30.920 the American market. The New York Times reported that the 0:13:31.000 --> 0:13:34.720 DEA has used graphite as far back as twenty twenty two. 0:13:35.400 --> 0:13:39.840 Former CIA assistant director John Finbar Fleming became the executive 0:13:39.920 --> 0:13:43.360 chairman of Paragon US in January of twenty twenty four, 0:13:43.640 --> 0:13:47.560 according to his LinkedIn. In December of twenty twenty four, 0:13:47.800 --> 0:13:52.760 Paragon was acquired by AE Industrial Partners for nine hundred 0:13:52.880 --> 0:13:57.240 million dollars. AE Industrial Partners is a Florida based private 0:13:57.240 --> 0:14:02.480 equity fund with a specialized security portfolio. Once they bought Paragon, 0:14:02.800 --> 0:14:08.000 emerged with another a asset, this cybersecurity company, red Lattice. 0:14:08.400 --> 0:14:11.280 Back in twenty twenty one, Paragon had about fifty employees, 0:14:11.920 --> 0:14:15.200 now it has over five hundred. In June of twenty 0:14:15.240 --> 0:14:18.240 twenty five, they were hiring one hundred and fifty more. 0:14:18.840 --> 0:14:22.440 Just a week ago, executive chairman John Finbar Fleming shared 0:14:22.520 --> 0:14:26.840 a recruitment post that red Lattice was hiring quote emerging 0:14:27.000 --> 0:14:32.920 and offensive cyber engineers unquote. Next, let's discuss the biggest 0:14:33.040 --> 0:14:36.240 case study of Graphite being deployed that we know of. 0:14:36.760 --> 0:14:40.480 On January thirty first, twenty twenty five, Meta's encrypted messaging 0:14:40.480 --> 0:14:44.720 app WhatsApp sent a notification to ninety accounts that their 0:14:44.760 --> 0:14:48.680 smartphones were suspected of being targeted by spyware, which has 0:14:48.720 --> 0:14:53.040 since been traced to the Paragon product Graphite. People targeted 0:14:53.080 --> 0:14:57.120 were journalists, human rights activists, and members of civil society 0:14:57.320 --> 0:15:01.640 across Europe and the Mediterranean, but Timer based out of Italy. 0:15:02.440 --> 0:15:07.040 This was a zero day and zero click exploit, meaning 0:15:07.040 --> 0:15:10.800 it both attacked to previously unknown vulnerability and required zero 0:15:11.040 --> 0:15:15.040 user interaction to infect the device. At first, the Italian 0:15:15.080 --> 0:15:20.560 government denied knowledge, but Paragon canceled two contracts with customers 0:15:20.600 --> 0:15:25.000 in Italy, and a parliamentary oversight committee later confirmed the 0:15:25.000 --> 0:15:29.280 Italian government was using Paragon technology for spyware attacks against 0:15:29.480 --> 0:15:33.760 c migration activists. One thing that's interesting to me is 0:15:33.800 --> 0:15:35.920 that we talk about this technology is being very expensive, 0:15:36.040 --> 0:15:38.720 very individual, they have to individually target you. But then 0:15:38.760 --> 0:15:41.520 you see, you know, ninety people on WhatsApp, and you're like, 0:15:41.600 --> 0:15:43.520 that's that's a lot of people. So you can talk 0:15:43.520 --> 0:15:46.640 about how this attack was like structured and what we've 0:15:46.720 --> 0:15:47.400 learned from it. 0:15:47.840 --> 0:15:51.480 For sure, ninety people is a lot of people for 0:15:51.640 --> 0:15:55.200 such a targeted attack, although it's you know, in terms 0:15:55.240 --> 0:15:59.000 of most malware, like most commercial mawer, ninety people would 0:15:59.040 --> 0:16:01.920 be a very very small attack, right, Like it wouldn't 0:16:02.000 --> 0:16:04.080 be worth your time, So you know, it depends on 0:16:04.120 --> 0:16:05.000 the scale of things. 0:16:05.280 --> 0:16:08.880 I don't know what the scale of Italian civil society is, right, 0:16:08.960 --> 0:16:12.160 but ninety people is likely I think a small fraction 0:16:12.360 --> 0:16:15.720 of the whole of Italian civil society, right, But yeah, 0:16:15.760 --> 0:16:17.520 those so those people. 0:16:17.200 --> 0:16:21.360 That were targeted by Paragon, the ones that we know about. 0:16:21.440 --> 0:16:25.560 You know, one was a Italian anti fascist journalist, right, 0:16:25.680 --> 0:16:27.800 I think another there were a couple of other journalists 0:16:27.840 --> 0:16:32.400 that were covering migration issues, and you know, just a 0:16:32.600 --> 0:16:37.280 sort of a large swath across Italian civil society. So 0:16:37.360 --> 0:16:41.160 the way they were targeted was on WhatsApp. They were 0:16:41.160 --> 0:16:43.440 added to a group and then they were sent a 0:16:43.480 --> 0:16:47.000 malicious PDF which they didn't even have to open, and 0:16:47.040 --> 0:16:49.120 they didn't have to approve being added to the group. 0:16:49.680 --> 0:16:52.560 But as soon as that malicious PDF was received by 0:16:52.560 --> 0:16:56.800 their WhatsApp app, but by their WhatsApp client, WhatsApp client 0:16:56.920 --> 0:17:00.440 processed the PDF and it contained code which exploited WhatsApp 0:17:00.560 --> 0:17:04.479 and allowed Graphite to start running. So Graphie doesn't actually 0:17:04.520 --> 0:17:07.600 install anything. To get a little bit technical, Graphie only 0:17:07.680 --> 0:17:10.920 runs in memory of the phone, right, It only runs 0:17:10.920 --> 0:17:14.600 in the like temporary RAM so to speak. Okay, Right, 0:17:14.640 --> 0:17:17.439 So rebooting the phone would have cleared out of the 0:17:17.440 --> 0:17:20.600 Graphite infection and they would have had to reinfect the person. Interesting, 0:17:20.680 --> 0:17:23.840 right in this case. Yeah, it's possible that in the 0:17:23.840 --> 0:17:27.280 future Paragon will find a way to make Graphite persistent. 0:17:28.000 --> 0:17:31.479 But it does make it more stealthy, It makes it 0:17:31.520 --> 0:17:35.600 harder to detect, It makes it harder to forensically analyze 0:17:35.600 --> 0:17:38.600 for people like citizen Lab and like eff if it 0:17:38.760 --> 0:17:41.439 just runs in memory, sure, right, so it kind of 0:17:41.480 --> 0:17:43.600 makes sense that they would want to keep running it 0:17:43.640 --> 0:17:45.680 in memory, even though rebooting it would clear out the 0:17:45.720 --> 0:17:47.640 infection because you can just reinfect the. 0:17:47.560 --> 0:17:50.840 Person, even like like developers like WhatsApp or like Apple 0:17:50.960 --> 0:17:53.760 might have a harder time, like yeah, realizing that they've 0:17:53.800 --> 0:17:55.960 been attacked. If it can get cleared out so quickly, 0:17:56.000 --> 0:17:56.639 I guess. 0:17:56.760 --> 0:18:00.480 Yeah, absolutely absolutely, And in this case, WhatsApp had realized 0:18:00.520 --> 0:18:04.080 they had been attacked, they quickly figured out the pattern, 0:18:03.760 --> 0:18:08.479 and you know, to their credit, warned everybody immediately. Often, 0:18:08.560 --> 0:18:11.680 the only way I think people will find out they've been, 0:18:12.280 --> 0:18:15.880 you know, infected by this spywear is if WhatsApp or 0:18:16.080 --> 0:18:20.000 you know, somebody else maybe Apple warned you. That's not great, 0:18:20.600 --> 0:18:22.959 but it is, but it is better than the alternative 0:18:22.960 --> 0:18:24.560 where they just don't warn you at all. 0:18:24.720 --> 0:18:28.119 Right, After the targets were notified of the spyware attack, 0:18:28.440 --> 0:18:32.679 some including journalists and migrant refugee activists in Italy, agreed 0:18:32.680 --> 0:18:36.080 to participate in a forensic analysis of Graphite by citizen Lab. 0:18:36.600 --> 0:18:40.080 They found that Paragon spyware had spread from WhatsApp to 0:18:40.160 --> 0:18:43.760 at least two other apps on the device. In April 0:18:43.800 --> 0:18:46.560 of twenty twenty five, we got forensic confirmation of Graphite 0:18:46.600 --> 0:18:51.080 spyware on iPhone with a zero click exploit attacking I message. 0:18:51.320 --> 0:18:53.919 Citizen Lab was able to analyze the devices of a 0:18:53.960 --> 0:18:57.399 prominent European journalist who requested to remain anonymous, and an 0:18:57.480 --> 0:19:01.199 Italian journalist linked to the previous cluster of attacks in Italy. 0:19:01.680 --> 0:19:05.359 iPhone is slightly harder to target than your average Android, 0:19:05.680 --> 0:19:08.560 but certainly not impervious to this sort of attack, as 0:19:08.560 --> 0:19:11.680 we've seen from these examples in Europe. To date, citizen 0:19:11.760 --> 0:19:17.520 Lab has also identified suspected Paragon deployments in Australia, Canada, Cyprus, Denmark, Israel, 0:19:17.640 --> 0:19:21.760 and Singapore. Though the encrypted messaging app Signal is not 0:19:21.960 --> 0:19:25.440 mentioned in the citizen Lab reporting, their analysis did find 0:19:25.480 --> 0:19:28.320 that graph Fight had the capability of going after several 0:19:28.400 --> 0:19:31.560 different messaging apps, and it's probably safe to assume that 0:19:31.680 --> 0:19:34.520 Signal would be one of the apps that Paragon would 0:19:34.560 --> 0:19:38.359 want to extract messages from. We don't have much information 0:19:38.560 --> 0:19:43.439 about this spyware targeting Signal, possibly because Signal does not 0:19:43.600 --> 0:19:46.760 have as large of an international user base compared to 0:19:46.840 --> 0:19:51.000 other apps like WhatsApp, I Message or Telegram, despite Signal 0:19:51.080 --> 0:19:55.560 being much more secure. So what can you do? Though 0:19:55.600 --> 0:19:59.720 Graphite might not be the total phone hijacking super spy 0:19:59.760 --> 0:20:02.439 away that the Guardian and others claim it to be, 0:20:02.880 --> 0:20:06.840 it still poses a significant security threat. Some basic digital 0:20:06.880 --> 0:20:11.000 security precautions apply here. Get into a habit of regular 0:20:11.160 --> 0:20:16.520 digital cleaning. Remove unnecessary content from your device, save space. 0:20:17.160 --> 0:20:21.000 Old photos can be uploaded to an external encrypted hard 0:20:21.040 --> 0:20:25.119 drive in question. If you really need years of messages 0:20:25.160 --> 0:20:29.120 stored on your phone, use an encrypted chat app like Signal, 0:20:29.160 --> 0:20:32.679 which has disappearing messages so that there isn't a large 0:20:32.720 --> 0:20:36.399 backlog of communications that could be suddenly accessed by a 0:20:36.440 --> 0:20:40.520 hostile actor. Be very wary of cloud backups. They are 0:20:40.560 --> 0:20:43.280 often one of the least secure aspects of your digital life, 0:20:43.720 --> 0:20:47.120 especially if they are unencrypted, and though it won't deter 0:20:47.440 --> 0:20:51.120 zero click exploits, it's still best practice to avoid clicking 0:20:51.359 --> 0:20:54.359 mysterious links or downloading files and photos is sent to 0:20:54.400 --> 0:20:57.960 your phone. Another tip is to regularly reboot your phone. 0:20:58.160 --> 0:21:01.359 Contrary to claims that once your phone been targeted by graphites, 0:21:01.400 --> 0:21:06.840 now compromised forever something called malware persistence. To our current knowledge, 0:21:07.080 --> 0:21:11.439 rebooting can wipe Paragon's exploits. It does not appear that 0:21:11.560 --> 0:21:15.359 Paragon spyware is at the moment reboot persistent, and it 0:21:15.400 --> 0:21:18.400 seems that rebooting would actually remove it from the phone. 0:21:18.720 --> 0:21:22.040 My reading is that rebooting it would remove the malware 0:21:22.080 --> 0:21:24.199 from your phone until you were re exploit. Which so 0:21:24.359 --> 0:21:27.240 you know, if you just reboot and you don't update, 0:21:27.320 --> 0:21:29.400 or you know, the zero day isn't out yet, right, 0:21:29.960 --> 0:21:31.480 they're just going to run the exploit again. 0:21:31.560 --> 0:21:31.679 Right. 0:21:31.800 --> 0:21:33.240 I think it's a fair bet that they're just going 0:21:33.240 --> 0:21:35.440 to run the exploit again. But it would be. 0:21:35.440 --> 0:21:37.680 Enough to get it off for that time, right, And 0:21:37.760 --> 0:21:41.199 I mean, I think as far as in mitigation, my 0:21:41.280 --> 0:21:44.200 friend recommends that people like reboot their phone every morning 0:21:44.240 --> 0:21:45.960 when they're brushing their teeth, right, And I don't think 0:21:46.000 --> 0:21:49.040 it's a bad bit of security hygiene. 0:21:49.520 --> 0:21:51.440 If these guys are going due, in fact, you might 0:21:51.480 --> 0:21:53.639 as well make it, you know, more of a headache 0:21:53.680 --> 0:21:55.320 for them, right, You might as well make it more 0:21:55.320 --> 0:21:57.560 costly to them, because there is going to be a 0:21:57.640 --> 0:21:59.760 charge to them for each time they have to reinfect you. 0:22:00.520 --> 0:22:04.040 But yeah, it's certainly I think overblown to say that. 0:22:04.440 --> 0:22:06.040 You know, once it's on your phone, it's on your 0:22:06.040 --> 0:22:08.239 phone forever. There's you know, you just got to, you know, 0:22:08.320 --> 0:22:11.119 throw your one thousand dollars phone in the trash and 0:22:11.160 --> 0:22:13.280 go buy another one. Like, no, you can you know, 0:22:13.359 --> 0:22:15.520 if you don't feel safe, just rebooting it, right, like 0:22:15.560 --> 0:22:18.040 a factory reset, that would be the next step, right, 0:22:18.080 --> 0:22:20.800 I think that would that would most likely get rid 0:22:20.840 --> 0:22:24.600 of any persistence mechanisms that were installed. I'm not familiar 0:22:24.640 --> 0:22:27.720 with any iOS mower certainly that would survive a factory reset. 0:22:28.240 --> 0:22:30.919 But probably the most important thing besides using signal is 0:22:30.960 --> 0:22:34.639 to keep your phone software updated. That's the simplest and 0:22:34.720 --> 0:22:38.080 best way to make it harder for spyware like graphites 0:22:38.160 --> 0:22:40.639 to make it onto your phone in the first place. 0:22:41.040 --> 0:22:44.600 Out of date software has many more known vulnerabilities to attack. 0:22:45.119 --> 0:22:49.120 For extra protection, enable lockdown mode on iPhone or advanced 0:22:49.119 --> 0:22:50.680 Protection on Android. 0:22:51.160 --> 0:22:54.600 So the reason it's important to keep your phone up 0:22:54.600 --> 0:22:57.840 to date and always install the latest security updates, even 0:22:57.880 --> 0:22:59.240 if it's a pain in the ass, and I know 0:22:59.280 --> 0:23:03.240 it's a pain in the app is because this makes 0:23:03.320 --> 0:23:06.440 an attacker have to use zero day exploits. So, if 0:23:06.480 --> 0:23:09.200 you have an old version of the software on your phone, 0:23:09.240 --> 0:23:14.840 there are known exploits. Known exploits are you know, more 0:23:14.920 --> 0:23:18.399 or less free, right, They are already out there, They 0:23:18.440 --> 0:23:20.960 are already burned. They do not matter, right like the 0:23:21.000 --> 0:23:25.160 company already knows about them. An exploit loses basically all 0:23:25.200 --> 0:23:28.280 of its value as soon as you know the company 0:23:28.280 --> 0:23:31.000 knows about it, and it's patched. Right, So, if you 0:23:31.160 --> 0:23:32.920 have out of date software on your phone, if you 0:23:32.920 --> 0:23:35.800 have out of data software in a computer, it changes 0:23:35.840 --> 0:23:39.600 the entire economics of attacking. Right, It's basically free for 0:23:39.760 --> 0:23:42.600 me to exploit your phone at this point, and I 0:23:42.760 --> 0:23:44.399 you know, I will exploit it as many times as 0:23:44.440 --> 0:23:46.359 I want. And I don't care if that exploit is burned. 0:23:46.400 --> 0:23:49.280 I don't care if you find it, because again it's free, right. 0:23:49.720 --> 0:23:52.919 Zero A exploits for especially for Apple, for like you know, 0:23:53.400 --> 0:23:58.879 Android pixel phones, for graphene, the alternative Android OS not 0:23:59.000 --> 0:24:03.480 graphite is giving me real problems lately. Zero D explots 0:24:03.520 --> 0:24:07.280 meaning explicit that the manufacturer does not know about and 0:24:07.320 --> 0:24:11.000