Dozens of countries, including France, the UK and the US, as well as a coalition of technology companies including Google, MDSec, Meta and Microsoft, have signed a joint agreement to curb the misuse of commercial spyware in ways that lead to human rights violations.
The initiative, called the Pall Mall Process, aims to combat the proliferation and irresponsible use of commercial cyber-attack tools by establishing guiding principles and policy options for states, industry and civil society on the development, facilitation, purchase and use of commercial cyber-attack tools.
The statement noted that the “uncontrolled spread” of spyware offerings contributes to “unintentional escalation in cyberspace”, posing risks to cyber stability, human rights, national security and digital security.
“Where these tools are used maliciously, attacks can access victims’ devices, intercept calls, take photos and remotely operate a camera and microphone via ‘zero-click’ spyware, meaning no user interaction is required,” the UK government said.
According to the National Cyber Security Centre (NCSC), it is estimated that thousands of people worldwide are the target of spyware campaigns each year.
At the UK-France Proliferation of Cyber Weapons conference, Deputy Prime Minister Oliver Dowden said: “As the commercial market for these tools grows, so will the number and severity of cyber attacks that compromise our devices and digital systems, causing increasingly expensive damage and making it more difficult than ever for our cyber defences to protect public institutions and services.”
Notably missing from the list of countries participating in the event is Israel, which hosts a number of private sector offensive actors (PSOAs) or commercial surveillance vendors (CSVs), such as Candiru, Intellexa (Cytrox), NSO Group and QuaDream.
Recorded Future News reports that Hungary, Mexico, Spain and Thailand, which have been associated with spyware abuses in the past, have not signed the pledge.
The multi-stakeholder action coincides with the US State Department’s announcement that it will deny visas to individuals it believes are implicated in the misuse of commercial spyware technology.
On the one hand, spyware such as Chrysaor and Pegasus is licensed to government customers for use in law enforcement and counter-terrorism. On the other hand, it is routinely exploited by repressive regimes to target journalists, activists, lawyers, human rights defenders, dissidents, political opponents and other members of civil society.
Such intrusions utilise zero-click (or one-click) attacks to surreptitiously deliver surveillance software to the target’s Google Android and Apple iOS devices to collect sensitive information.
However, ongoing efforts to combat and contain the spyware ecosystem have amounted to a game of whack-a-mole, highlighting the difficulty of fending off recurring and lesser-known players who supply or develop similar cyber weapons.
This is compounded by the fact that CSVs continue to invest effort in developing new exploit chains as companies like Apple, Google and others discover and patch the zero-day vulnerabilities they rely on.
“As long as there is demand for surveillance capabilities, there will be incentives for CSVs to continue developing and selling tools, perpetuating an industry that harms high-risk users and society at large,” Google’s Threat Analysis Group (TAG) said.
A comprehensive report released by TAG this week revealed that the company has tracked nearly 40 commercial spyware companies selling their products to government agencies, 11 of which have been linked to 74 zero-day exploits on Google Chrome (24), Android (20), iOS (16), Windows (6), Adobe (2) and Mozilla Firefox (1).
For example, unknown state-sponsored actors exploited three flaws in iOS (CVE-2023-28205, CVE-2023-28206 and CVE-2023-32409) as zero-days last year to infect victims with spyware developed by Barcelona-based Variston.
The flaws were fixed by Apple in April and May 2023.
The campaign, discovered in March 2023, targeted iPhones located in Indonesia running iOS versions 16.3.0 and 16.3.1, delivering a link via SMS that led to the installation of the BridgeHead spyware implant through the Heliconia exploit framework. Variston also weaponised a high-severity security flaw in Qualcomm chips (CVE-2023-33063), which first came to light in October 2023.
The full list of zero-day vulnerabilities in Apple iOS and Google Chrome discovered in 2023 and associated with specific spyware vendors is as follows:
| Zero-day Exploit | Associated Spyware Vendor |
| --- | --- |
| CVE-2023-28205 and CVE-2023-28206 (Apple iOS) | Variston (BridgeHead) |
| CVE-2023-2033 (Google Chrome) | Intellexa/Cytrox (Predator) |
| CVE-2023-2136 (Google Chrome) | Intellexa/Cytrox (Predator) |
| CVE-2023-32409 (Apple iOS) | Variston (BridgeHead) |
| CVE-2023-3079 (Google Chrome) | Intellexa/Cytrox (Predator) |
| CVE-2023-41061 and CVE-2023-41064 (Apple iOS) | NSO Group (Pegasus) |
| CVE-2023-41991, CVE-2023-41992 and CVE-2023-41993 (Apple iOS) | Intellexa/Cytrox (Predator) |
| CVE-2023-5217 (Google Chrome) | Candiru (DevilsTongue) |
| CVE-2023-4211 (Arm Mali GPU) | Cy4Gate (Epeius) |
| CVE-2023-33063 (Qualcomm Adreno GPU) | Variston (BridgeHead) |
| CVE-2023-33106 and CVE-2023-33107 (Qualcomm Adreno GPU) | Cy4Gate (Epeius) |
| CVE-2023-42916 and CVE-2023-42917 (Apple iOS) | PARS Defense |
| CVE-2023-7024 (Google Chrome) | NSO Group (Pegasus) |
“Private sector firms have been in the business of discovering and selling vulnerabilities for many years, but the rise of turnkey spying solutions is a more recent phenomenon,” the tech giant said.