Israeli spyware firm NSO Group has become a threat to human rights defenders everywhere, and in the MENA region specifically, where the group sells its products to governments and authoritarian regimes. Through “Mobile Network Injection Attacks,” Pegasus penetrates phones with minimal suspicious activity on the target’s device. According to reports by WhatsApp, the spyware has infected over 1,400 people in 3 months by exploiting a software loophole in these phones. Activists, human rights defenders, and journalists who have been targeted by NSO have suffered psychologically and physically as a result of the attacks. Many have become paranoid and socially isolated as they constantly feel watched by an invisible eye, while others have been executed right after being surveilled. At the same time, those whose phones remain intact practice self-censorship in fear of a potential hacking attempt. To counter this culture of fear and self-restriction, SMEX has initiated its Forensic Analysis Unit to provide support and protection against spyware campaigns in our region.
The SMEX Technology Unit, whose role is to deploy technology to advance advocacy and digital resilience, steps in to provide forensic analysis of the devices of activists, journalists and human rights defenders who suspect they are spyware targets.
What is forensic analysis and how does it work?
Forensic analysis is the process of analyzing a device to detect traces of specific spyware. The Tech Unit at SMEX uses Amnesty’s MVT tool, together with libimobiledevice for iPhone communication from Linux and adb for Android.
The process is conducted by following three steps: seizure, acquisition, and examination/analysis.
Seizure consists of acquiring the device that needs analysis, with the proper identification required (for example, the PIN code).
Acquisition is about extracting data from the mobile device. This can be done in different ways depending on the location of the phone. At the moment, the analysis we are conducting happens via phone backup or a full system dump that requires rooting the device. The backup extraction is localized in an isolated environment with no public access.
During the Examination and Analysis stage, our technologists analyze the data and cross-compare it to multiple Indicators of Compromise (IOC) of publicly known spyware campaigns mainly targeting human rights activists and journalists. At the end of the process, SMEX provides the mobile device holder with a report indicating the type of spyware detected, if any.
The Examination and Analysis findings are added to the database of cases and shared with collaborators such as Amnesty International, Access Now and Citizen Lab, to detect future spyware cases and their manufacturers.
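The comparison against Indicators of Compromise described above, as an added example that is not SMEX's or MVT's own code: it reads domain indicators from a STIX2 bundle and checks browsing-history URLs by hostname rather than by substring, so an indicator that only appears in a query string or inside a longer domain name is not reported. It assumes the indicators arrive as a STIX2 bundle; the bundle, the record layout and every domain are constructed placeholders.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed STIX2 bundle; the domains are placeholders, not real indicators.
SAMPLE_STIX = json.dumps({"type": "bundle", "objects": [
    {"type": "indicator", "pattern_type": "stix",
     "pattern": "[domain-name:value='bad-infra.example']"},
    {"type": "indicator", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'cdn.tracker.example']"},
]})

# Constructed history records, shaped as they might be after parsing a backup.
SAMPLE_HISTORY = [
    {"ts": "2021-07-01T10:02:11Z", "url": "https://news.example.org/?ref=bad-infra.example"},
    {"ts": "2021-07-01T10:02:14Z", "url": "https://a1b2.BAD-INFRA.example:30495/x9k"},
    {"ts": "2021-07-02T08:40:00Z", "url": "http://notbad-infra.example/"},
    {"ts": "2021-07-03T21:15:42Z", "url": "https://cdn.tracker.example./p.js"},
]

DOMAIN_PATTERN = re.compile(r"\[domain-name:value\s*=\s*'([^']+)'\]")

def load_domain_iocs(stix_text):
    """Collect domain indicators from the indicator patterns of a STIX2 bundle."""
    domains = set()
    for obj in json.loads(stix_text).get("objects", []):
        if obj.get("type") == "indicator":
            domains.update(d.lower() for d in DOMAIN_PATTERN.findall(obj.get("pattern", "")))
    return domains

def match_domain(url, iocs):
    """Return the indicator the URL's host equals or is a subdomain of, else None."""
    host = (urlsplit(url).hostname or "").rstrip(".")  # hostname is already lowercased
    labels = host.split(".")
    # Try the full host, then each parent domain: a.b.c, b.c, c
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None

def check_history(records, iocs):
    """Return (timestamp, url, matched indicator) for every record that hits."""
    hits = [(r["ts"], r["url"], match_domain(r["url"], iocs)) for r in records]
    return [h for h in hits if h[2]]

if __name__ == "__main__":
    for ts, url, ioc in check_history(SAMPLE_HISTORY, load_domain_iocs(SAMPLE_STIX)):
        print(f"{ts}  {url}  matched {ioc}")
```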
What are the legal aspects of this forensic analysis?
A data processing agreement has been drafted by SMEX’s Legal Unit to ensure SMEX’s compliance with the different provisions on the protection of personal data set out by international standards including the GDPR.
Call for action!
The findings of the forensic analysis will help SMEX and other partners look together for proactive ways to protect the civic space.
SMEX urges activists, lawyers and human rights defenders from the MENA region who believe they have been targeted by Pegasus to submit a request for analysis via forensic@smex.org