THEOS Cybernova: The Cybersecurity Podcast for APAC Leaders

THEOS Cybernova delivers expert cybersecurity insights for business and security leaders in APAC. Hosted by THEOS Cyber CEO Paul Jackson, each episode dives into real incidents, strategic responses, and the evolving role of cyber leadership.

Episode Summary

If your phone were compromised, would you even know?

Most cybersecurity defenses are built to stop loud, disruptive attacks like ransomware. But the most serious threats to mobile devices often look very different. They are expensive, targeted, and designed for espionage rather than disruption.

In this episode of THEOS Cybernova, host Paul Jackson speaks with Bill Marczak, a senior cybersecurity researcher at the University of Toronto’s Citizen Lab, about the realities of mobile phone espionage. They explore why smartphones have become a platform of choice for spying, how attacks can remain invisible to the user, and what makes mobile threats fundamentally different from traditional cybercrime.

About the Guest

Bill Marczak is a Senior Researcher at the University of Toronto’s Citizen Lab. Bill’s work focuses on documenting and attributing novel technological threats to Internet freedom, including new censorship and surveillance tools. Bill’s expertise is in Internet scanning, digital forensics, and open source research. Some of Bill’s past reports have helped uncover mercenary spyware companies like FinFisher, NSO Group, and Cytrox, documented the use of Sandvine’s deep packet inspection technology for targeted spyware injection in Turkey, and discovered China’s Great Cannon, a countrywide infrastructure for hijacking foreign computers to launch DDoS attacks against websites. Coverage of Bill’s work has been featured in Vanity Fair, the New York Times, the Washington Post, CNN, Larry King and 60 Minutes.

Paul Jackson: Welcome to another episode of the THEOS Cybernova podcast. Today I’m delighted to be joined by a very special guest, a very unusual guest. His name is Bill Marczak, and he works at the University of Toronto as a cybersecurity researcher. I’ve been listening to Bill at a couple of cybersecurity conferences recently, where he raised some very interesting angles on cybersecurity and, as you’re about to hear, some very interesting perspectives. So, Bill, thank you so much for joining me today.

Bill Marczak: Thank you for having me.

Paul Jackson: Yeah, it’s a real honour. I’m very much looking forward to this conversation. We were chatting just very briefly, this is totally unrehearsed, totally ad hoc and spontaneous, so let’s see where it leads. We’ll kick off with the very interesting topic that you just presented on yesterday, around mobile phone hacking and security, and the importance of protecting privacy when using mobile devices. There were big stories a few years ago, as you mentioned, with Macron and other leaders whose phones were hacked, those stories around Pegasus. But what are the realities? Because this is a very much overlooked kind of aspect of cybersecurity, where we see about ransomware all the time, denial of service, but not so much about these devices that we all carry around with us and carry a wealth of information. So what is it about these devices, and what are the real concerns at the moment?

Bill Marczak: Well, a lot of the efforts that the cybersecurity industry undertakes, a lot of the defensive efforts, are designed to defend against these very visible, very disruptive attacks like ransomware. If your company or your computer is hit with ransomware, it’s something you very quickly realise, because you get a pop-up on your screen that says, your files are now encrypted, here’s where you pay the ransom, and there is a disruption to the business.

It’s very visible, very disruptive. Whereas the attacks that are typically directed against our mobile devices are different: because of the efforts that Apple, Google, and mobile device manufacturers undertake to make these devices very secure, it turns out it’s complex and very expensive to hack into our devices. So, what this means is that these attacks are often espionage conducted by very well-resourced attackers like governments. These espionage attacks, really any sort of espionage, are designed to be invisible, totally transparent to the person who’s being spied on. If you don’t notice anything wrong with your phone, why would you invest a lot of effort in trying to remediate something that may or may not be there?

Paul Jackson: Yep. Now I find there’s a lot of paranoia around this, because sometimes if there is a breach in a client company of ours, we obviously at THEOS do a lot of investigation. The executives go, are our phones hacked? Can you test them? Can you make sure that they’re not being hacked? They knew information that they shouldn’t have known, so maybe it’s our phones. How realistic is that?

Bill Marczak: Well, actually, it’s quite a big concern, I would say. Mobile phones are a platform of choice for espionage. The reason is simple. We carry them around with us everywhere. Not only do they have really juicy, really intimate data about us on them: our photos, our passwords, maybe our journals. But these devices also have microphones. They also have cameras, and we may be carrying them into sensitive meetings, sensitive locations where, if spyware can turn on that microphone, can turn on that camera, there can potentially be very juicy data that gets captured in a way that might not happen if your computer gets hacked.

Often, I would say that the investment in developing these hacking tools, developing these espionage platforms, tends to centre on mobile devices, because that’s where the juice is, that’s where you want to go.

Paul Jackson: So the big question, before we get into some more details, is Android or Apple. What should we be buying?

Bill Marczak: Well, it’s a question that I get asked a lot, and it’s rather hard to give a definitive one-size-fits-all recommendation. I would say that one of the problems that we encounter over and over with individuals using Android devices that we work with is that the devices often aren’t supported, meaning they’re not getting security updates from the manufacturer for more than maybe a year or two in most cases. What that means is there’s a lot of out-of-date Android devices out there, which might be vulnerable to vulnerabilities which are publicly known and publicly documented. Maybe someone has written up some proof-of-concept code online to exploit them. It means that the cost to hack these old, out-of-date phones is much, much lower. Whereas if you’re receiving the latest updates, you’re on the latest version, then, in theory, there are no known bugs, or bugs that are publicly known, which are present on the device, making them harder or more expensive to attack. You have to hunt, if you’re an attacker, for a so-called zero-day, a bug that is not known to the cybersecurity community or really anyone, and then figure out how to weaponize that and exploit that to spy on your target. So that’s a common problem we encounter: out-of-date Android devices.

The nice thing about iPhones in that regard is, well, there’s only one manufacturer, Apple. They control the updates, and they make sure that the updates are pushed out in a reasonably efficient way. So, I would say that’s one point there for Apple. However, Android, in some ways, has other things to recommend it; it’s more customisable. If you are a very technically advanced user, maybe you can do more sorts of detection or remediation on your device yourself, without having to circumvent the device’s security.

Paul Jackson: Yeah. That’s right. Well, what about my Harmony OS, though, on my Huawei phone?

Bill Marczak: Well, it’s interesting. We’ve seen the recent media reporting about President Xi going around saying, Huawei phones can’t be hacked. It’s sort of an interesting question. If you’re a company that’s developing one of these hacking platforms, you want to focus on: what is the most efficient investment I can make right now? If I can invest X dollars in research and development, developing these attack capabilities, developing the spyware, developing the espionage platforms, how can I get the most bang for my buck? What are the devices that most people are using? They’re using maybe iOS, they’re using Android. Within Android, obviously, you have different flavours of Android. You have Samsung’s, you have the other manufacturers too.

Then you might have your completely different things like Harmony OS, where how much do you really want to invest in that? If you are a company, you can say to your customers, we can be on Harmony OS, and the customer is like, okay, how many Harmony OS phones are out there? Are the people that I want to spy on actually using that? So I think there is a little bit of what we call security by obscurity. If you have an obscure platform that is not very popular, it’s probably not going to have a whole lot of off-the-shelf attack tools ready to go for it.

Paul Jackson: Yeah, that’s very interesting. I love the phrase “security by obscurity.” So, you work at the University of Toronto, you and your group, or whatever you call it, it’s called Citizen Lab, right?

Bill Marczak: Correct. That’s right.

Paul Jackson: You mentioned that you focus a lot on the security and privacy of journalists. I think obviously this is extremely important in protecting freedom of speech and the ability of journalists, investigative journalists in particular, to do the great work that they tend to do around the world. Do you find this a major challenge? Do you see that these journalists who are involved in sensitive investigations are indeed targets, with their mobile devices?

Bill Marczak: Time and time again, yeah, in many different country contexts all around the world, we have documented cases of journalists being hacked, from cases surrounding journalists and investigators in Mexico, to journalists on other continents like Africa, Asia, and Europe. It’s really sort of a global phenomenon. One of the problems, I think one of the challenges with these sorts of hacking tools, is they’re designed to be invisible, designed to be completely transparent, transparent in the sense that the target doesn’t recognise anything. But critically, they’re not transparent in the sense that they’re very hard to audit: how do you understand who this tool is being used against?

Maybe the intelligence agency who’s operating the hacking, the espionage platform, knows who they’re spying on. But how do the people conducting oversight of the intelligence agency know? Maybe they don’t even know that this tool has been procured, so how can they even investigate that? I think it’s a big, a big challenge. I mean, any sort of feeling on the part of people conducting espionage that says, we’re invisible, we can’t be detected, can be a breeding ground for these sorts of abuses, where not only are you going after, in terms of espionage, the criminals, the terrorists, the serious problems, but you’re also going after maybe people who are investigating corruption, or maybe people who are saying bad things about the government, or things like this. And there can be this sort of mission creep, and you get into these cases of abuse.

Paul Jackson: Of course, these mobile phones are tracking devices, essentially. So we’re not just talking about theft of data. Okay, I don’t want to trivialise it, but compared to life, when somebody could actually track you down and threaten you physically or even worse, then I guess that’s the real danger, isn’t it?

Bill Marczak: There’s a lot of dangers associated with it. Yeah, I would say that certainly physical tracking is one, but also, often what we see is that the espionage that’s directed against a target is not always about the target. It’s sometimes about their contacts, especially with journalists, you might imagine. The journalists are chatting with sources, confidential informants, whistleblowers. Maybe you would spy on a journalist, but you’re not super interested in the journalist themselves, you’re interested in their network. Who are they contacting? Then maybe once you’ve identified or unmasked the contacts, bad things happen to those people, whose phones might not have been hacked, but because the journalist’s phone got hacked, they are now in danger.

Paul Jackson: Yeah, their sources. Exactly, it is opening up a pretty terrifying world in many ways, and one that’s hard to protect against. So that is the important bit. How does one? Well, let’s step back a little bit. What typical methods do the attackers use to try to infiltrate the phones?

Bill Marczak: Well, there’s a variety of techniques that attackers might use. On the very “sophisticated end”, attackers tend to like what are referred to as “zero-click exploits”. I think we all have some sort of vague idea that, oh, if I install something malicious on my phone, I might be at risk, right? Maybe the malicious app is going to steal my data. But what if you don’t actually know that you’ve installed an app? Or, taking it one step further, what if you haven’t actually done anything at all on the phone? The phone is just sitting on the table, and one minute it’s safe, the next minute it’s hacked. So that’s the idea of a zero-click exploit.

The attackers are able to find a vulnerability, a weakness in some code, some software, some app that your phone is running in the background when you’re not doing anything. We all use chat apps on our phone: iMessage, WhatsApp, Telegram, WeChat. These apps are constantly running code in the background, and it’s easy to sort of conceptualise or understand this. Your phone might be sitting on the table, and all of a sudden, ding! It lights up, and there’s a notification from WhatsApp saying you’ve received a new message. Maybe there’s a little thumbnail of a photo that someone sent you on WhatsApp. What’s actually going on here is that the phone is processing very complex data in the background. There’s a lot of action going on in your phone when it’s just sitting on the table. If there’s some bug, some weakness there that attackers can find, then instead of, you know, the attacker sending you an actual image, they send you something which takes advantage of a bug in the image parser, for example. Then they can use that maybe to install spyware or run other exploits that compromise the device.

That’s kind of the really scary stuff. That’s quite hard in many cases to defend against. Now, device manufacturers like Apple and Google have started introducing this “Lockdown Mode” or “Advanced Protection mode”, features that are kind of opt-in, optional features where, if you feel that you are at heightened risk for these sorts of sophisticated zero-click attacks, you can turn on Lockdown Mode on your iPhone, or Advanced Protection mode if you have Android 16, and this will disable certain features of the operating system. So maybe less stuff will happen automatically, which is designed to kind of reduce the attack surface and reduce your vulnerability.

The zero-click attacks are the very scary stuff. But there’s also more mundane things, like socially engineering a user into installing a malicious app, which then requests access to photos, location or contacts. Right, and the app might appear innocuous, but the data is being gathered and synthesised and sent back to an attacker who’s using it for malicious purposes.

Paul Jackson: Do you think these malicious apps are in any way prevalent? Is this a common thing, or do you think this is just something that gets overhyped?

Bill Marczak: Well, it’s an interesting question. I think there’s a lot of stuff out there which you can view as sort of malicious at a low level. But in terms of really invasive espionage, I think it’s relatively targeted and rare. But there are a lot of apps out there which are collecting behavioural data, collecting data from lots and lots of users. Maybe this data is not ever used to target most of the users, but it provides a kind of data trove which data brokers might purchase and sell. Then ultimately, at the end of the day, intelligence agencies, governments, etc., might be able to query or look into this data for specific targets and pull on specific threads there. An example might be an app that is submitting back data on locations somehow. The location of most people is probably not very interesting, but if you have a specific target in mind, then maybe you can query that bulk database of locations and find something interesting.

Paul Jackson: Excellent. Let me step back a little bit, because I think you’ve probably scared the hell out of our listeners already. But how did you get into this? I mean, what’s your story? Because obviously this is an Asia-focused podcast, but you do indeed have an Asia history yourself, don’t you? What was your story? How did you get into this?

Bill Marczak: Well, I grew up largely overseas. So when I was very young, my parents moved us abroad to Hong Kong, and I lived there for about five and a half years, starting in ‘96, then through the handover till about 2001. After Hong Kong, we moved to Bahrain in the Middle East. It was living in Bahrain, the experience of growing up there, which sort of interestingly led me to do this work when, in 2011, of course, the Arab Spring started, the big protests across the Middle East, and I found myself as a PhD student at UC Berkeley in the United States, working on something totally unrelated to cybersecurity, which was databases and cloud computing.

However, people I was in touch with back in Bahrain started getting these weird, dodgy emails that had odd-looking attachments that they thought might be something bad. They said, hey Bill, you’re a computer scientist. And I said, well, I’m not exactly that type of computer scientist, but I’ll take a look anyway. And it was sort of then that I started working in this area, and things just kind of snowballed from there.

Paul Jackson: Interesting. Very interesting. So, what is the goal or the mission statement, if you like, of Citizen Lab?

Bill Marczak: Well, Citizen Lab is obviously a research organisation based at the University of Toronto. We study broadly the intersection between technology and human rights, with kind of a mixed-methods approach. We have people like me who are computer scientists on staff; we also have political scientists, people more immersed in the legal and policy aspects of, sort of, human rights and technology. And the sort of work that I do, which we call “targeted threats”, is only one stream of research we have at the lab. We also study things like internet censorship, chat app censorship. We look at disinformation, things like this.

But this sort of targeted-threats work that I work on is, I would say, broadly defined as looking for, understanding and defending against targeted digital attacks against civil society. So journalists, dissidents, those sorts of targets.

Paul Jackson: That’s a very interesting field, because obviously, whenever major elections come around, the topic of online misinformation, propaganda, and interference with elections comes into play. Are you seeing, I mean, I guess that’s something that’s high on your agenda, right? And I don’t know how much you can talk about it here on the podcast, but surely it must be a fascinating area for you to be studying and analysing.

Bill Marczak: It is a very interesting area. Yeah. There’s always something new that’s going on. There’s always some new techniques that are being tried by influence operators to steer opinion. It’s often difficult to understand to what extent it works. To what extent is it swaying opinion? To what extent is it promoting division? Whether promoting division is the goal, rather than promoting a specific opinion, is often hard to say and hard to attribute.

It’s a very kind of a murky world. I much prefer looking into things like cyber espionage, where there’s often a clearer answer. You can say, it’s likely this government with tools purchased from this vendor, spying on these targets.

Paul Jackson: Interesting. You certainly operate in a fascinating world. You piqued my interest strongly at a conference earlier this year, where you spoke about the perception of cybercrime. We’re guided by, obviously, a lot of what we read in Western media, which tends to focus on adversaries of the West, for obvious reasons. And yet this is not the full story. Your presentation was very interesting because you did flip the coin a little bit and present the other side. Do you want to explain a little bit more about that?

Bill Marczak: Yeah, so if you look at essentially what reports get published by the industry, by academia, about cyber incidents or cyber attackers, there’s often a focus on adversaries of “the West”, I would say. So, we see a lot of reports about activity conducted by China, by Iran, by Russia, these sorts of operators. There’s less reporting on other actors.

We know that a lot of different actors, a lot of different governments for example, are conducting operations for not only hacking and spying and espionage, but also disinformation and other things too. We see a little bit, we don’t see a whole lot, of this focused on activity coming out of the United States or Europe or other Western countries. To some extent, it makes sense, like who would be investigating this activity? Maybe companies in Russia, companies in China, companies in Iran, but if you look at, for instance, the Chinese cybersecurity ecosystem and the reporting they publish, well, there’s often not a whole lot that is public that, you know, you can sort of wrap your head around.

Recently we have seen some Chinese companies, Chinese entities, publish details saying, well, the US has hacked us. Here are some IP addresses associated with the hacking that we’ve partially redacted. If you’re kind of an independent observer looking at this, it’s really hard to understand: are they right? Did they make a mistake?

What are they really talking about right now? Sometimes you do get a really interesting glimmer of what’s going on. A pretty interesting report a couple of years ago from, I believe it’s called CVERC or C V E R C, a Chinese organisation that tracks these sorts of attacks. They published, actually, some real indicators of a US-based attack, which was interesting, but that’s sort of a rarity.

You don’t really have this very robust culture of publishing reports like you do, perhaps more so, in the Western cybersecurity industry. Perhaps it’s partially a cultural difference, maybe a difference with government control or linkage, the coupling between government and the cybersecurity industry, which might be tighter in the context of China, for instance, versus in the West.

Paul Jackson: You’re absolutely right. And at the types of conferences that we attend, we tend to only hear one side of the story, which is why your presentation was a little bit rare. Did you find anybody, you know, was a bit miffed at you presenting in that way? Do you ever feel any pressure, you know, that you should perhaps toe the line a little bit more?

Bill Marczak: It’s interesting. No one’s ever really said that to me. No, I don’t think anyone’s been super annoyed about it. I mean, I think one of the things that I kind of have going for me in that respect is that the stuff that I tend to investigate, and indeed the little glimmers that the Chinese and other adversaries tend to publish, is often very old. So when I give one of these talks, I’m not saying, oh, and last week the US government hacked X, Y and Z, right? It’s sort of more like, well, ten years ago, the stuff that “CVERC” published or whatever, this happened, and we can link it to this other thing.

So, there’s part of that which factors into it, but also one of the reactions is, and again, this is not necessarily a cross-cutting representative statement, but in these operations that do get published, in the little tidbits that you see published out of China, it’s clear that the tradecraft employed by the Western attackers, at least in these cases, is sort of subpar.

One of the reactions I get is like, I can’t believe they did that, why did they do that? Or why did they do things that way? There’s also the sort of notion or reaction, I think, that it’s not like you’re breaking a huge sweat trying to dig into this stuff. It is just sort of out there for you to find.

Paul Jackson: Yeah, it’s a really difficult balance to strike, because the company I now work for, THEOS, we pride ourselves on being Asia-focused, but it’s a difficult game to play because we have to balance geopolitics. We have US clients, we have clients in the region, of course.

Cyber is such a hard topic to disconnect from politics or geopolitics. It can sometimes be extremely challenging to navigate those, especially when allegations are made about nation-state interference, which isn’t always true. Sometimes companies who get breached would rather point the finger at some sophisticated nation-state type attacker to make themselves look like, well, it’s not my fault, how could we defend ourselves? Versus it being a kid in his basement, who’s the one who’s actually really responsible? But yeah, no, joking aside, navigating these things is very difficult. I’m sure it’s no different for you, right?

Bill Marczak: Yeah. Certainly, as you say, the cybersecurity space is deeply intertwined, in a sense, with geopolitics. That sort of makes it interesting, I think, to investigate for people who are kind of interested in international relations and things like that, but it also does introduce certain challenges.

The sort of reporting that we do, you know, the reporting that Citizen Lab does, can sometimes be seen by governments or others, I think, in a very national security mindset, rather than the sort of way that I think we intend the reports to be seen, which is that we’re highlighting cases of abuse. So it’s not that we’re “going after” any government, we’re just kind of highlighting: this is happening, this is an abuse of this espionage platform, this hacking, and this is a problem.

Paul Jackson: Yeah. I think both of us obviously clearly have the best interests of all our clients at heart, albeit very different kinds of clients, I guess. In other words, we’re trying to help them and protect them rather than thinking politically. Let’s face it, cyber problems, cybersecurity issues are the same all over the world. The threats are the same. It’s just a matter of who is getting attacked and by whom, and how to help them protect themselves.

So before closing up, because we keep these conversations to around 30 minutes, I want to switch back to mobile phones a little bit, because folks listening are probably going, well, should I be going back to my old Nokia, right, my burner phones and everything? But the reality is we’ve got to give sensible advice to folks on how to best protect themselves. What would your sort of key takeaways be, what would your advice be to those who may have concerns and may want to better protect themselves?

Bill Marczak: Yes, a good question. I would say that there’s sort of multiple levels to this, right. At a very basic level, there’s what we often refer to as digital hygiene. Things like ensuring that you’re not using an “end of life” Android phone, like your phone is still receiving updates. It’s still getting the security updates. You’re installing them in a timely fashion. So that’s sort of a basic piece of advice: ensure that you’re up to date. Then, if you want to take things further, if you feel that you might be at elevated risk. So not, you know, just sort of an average person not doing much that might attract the ire or interest of spies.

If you feel that you’re kind of above average risk, maybe you want to take additional precautions. So, I mentioned earlier, there’s a Lockdown Mode for iPhone or Advanced Protection for Android, if you’re using Android 16 or above. These are optional features; you actually have to turn them on in the security settings of the phone, but they will disable certain features. You might notice a few differences. You can try them out; if they work for you, keep them on. If they don’t work for you, you can always turn them off later, so you are not committing yourself to anything by turning it on, necessarily. But if it does work for you and you do feel like you face elevated risk, then use it.

We have seen that it does block a lot of these sophisticated attacks. I think also, yes, we talk a lot about these very sophisticated attacks, but they’re not all that. There are some types of attacks, some things that users might notice, as you sort of alluded to earlier: information that was discussed in confidence becoming public, and you don’t understand how that happened, things like that. Maybe even things you notice on your phone like, I got a really weird message that has like political content and it’s got like a strange-looking link in it. Maybe that is worth investigating further. In that case, there are resources, if you’re a member of civil society, that you can avail yourself of to help investigate these sorts of cases.

So, for instance, we collaborate often with an organisation called Access Now, who has a digital helpline. If you’re a member of civil society, you can contact this helpline; you can just Google or search for Access Now digital helpline. They operate around the clock and in dozens of different languages. They’ll help you with any sort of digital security incidents you may face, whether it’s strange, politically themed messages with weird links, or whether it’s receiving a notification from Apple or Google, they periodically send these notifications, saying, hey, we’ve detected a sophisticated attack on your device.

So that is a good resource, I think, for civil society specifically. But definitely a lot of this stuff starts with sort of the basic hygiene. Make sure your phone is receiving updates, make sure you’re installing those updates, and if you’re at heightened risk, turning on Lockdown Mode, turning on Advanced Protection, right?

Paul Jackson: So I’ll just repeat that one more time. That’s Access Now’s digital helpline. Yeah. For those who want to get it or may be concerned. But I think there’s also one important point to raise, because in our region, a lot of people buy these cheap Android phones online. We’ve obviously heard about and seen it, it’s been pretty widely publicised. The Lemon Group, I think.

Well, one of the groups that was attributed to have infiltrated the supply chain for these cheap phones and embedded spyware, malware, already on these phones before they even hit the market. We see in our region on Lazada and other sorts of sites where you can buy these cheap phones. And I think that’s fraught with risk, right?

Bill Marczak: Certainly. I mean, you get what you pay for at some level. If you’re saving money on the purchase price, it might be because there’s some tracking or additional things built into the device that the manufacturer can monetise or sell. So that is something to be wary of. Obviously, not everyone can afford the super duper top of the line iPhone, for instance, but making sure that the phone is, you know, from a reputable manufacturer, let’s say. You can check; manufacturers will often say, we will provide security updates for X years after the phone is released, after the purchase of the phone. So make sure that you’re comfortable with that lifetime of the device.

Paul Jackson: Yeah. I think corporates should also be aware of this, because most companies nowadays don’t provide phones for their employees. In the past, we saw that they would actually provide phones; nowadays, with sandboxing technologies etc., they tend to allow your personal devices to be used. But if your personal devices are weak and they have flaws in them, then of course that brings vulnerabilities into a corporate environment as well. So it’s something that needs to be looked at.

Make sure that in the corporate world you only allow established phone brands, you know, your Samsungs, Sonys or whatever of this world, Apple, you know, to be permitted.

Bill Marczak: It can definitely be tricky, especially with, you know, work from home, work-life balance, things like this. Work might bleed over onto personal devices, even if the company does provide work devices, and attackers view the target holistically. They don’t think, oh gosh, we’ve got a target’s work phone, like we can’t go after the personal phone. No, of course not, they’re going to target the personal phone, the personal computer; it’s all part of the same individual. The same person. Right?

Paul Jackson: Yeah, so a lot to think about, really. And as we wind up this conversation, you know, Bill Marczak, I can’t thank you enough for taking the time out to join me today. It’s a really important topic, but I always close out these podcasts because I’m a music lover, all right? And it’s my way of unwinding. I do enjoy my vinyl collection. I’m an old guy, so I like the old-style music. But I always say I’m always intrigued by what my guests currently have on their playlist. So what are you listening to currently?

Bill Marczak: Well, I will say I have a two-year-old son, so he is very into a couple of specific songs. I’m not quite sure why. One of them is American Pie by Don McLean. So we’ve been playing that a lot, and he really likes songs about trains and railroads. He’s also a big fan of the Amazon Alexa device. We don’t have one at home, but we were visiting some friends who had one, and he would just kind of go up to the Alexa and say, “Alexa, play a song about a choo choo train” or “play a railroad song”. So I’ve been listening to a lot of “all aboard the choo choo train” and things like that.

Paul Jackson: Fantastic, yeah, it was funny. I had a guest a couple of weeks ago who had a similar thing, talking about the wheels on the bus. Look, Bill, fantastic to have you on this episode, and some great information and great advice for our audience.

Please remember to hit that like and subscribe button that helps us to get these important messages out to a wider audience. Bill, thank you so much for joining me here today, and enjoy the rest of your time at this conference.

Bill Marczak: Thanks for having me.
