Blog entry by Les Bell

by Les Bell - Friday, April 14, 2023, 3:53 PM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


It's World Quantum Day!

April 14th is World Quantum Day - an annual celebration promoting public understanding of quantum science and technology around the world. The World Quantum Day web site at https://worldquantumday.org lists 200 events in over 193 cities and 44 countries, so there's bound to be something for everyone.

For cybersecurity and infosec wonks, this is as good a day as any, and better than most, to once again push the need for cryptographic agility - that is, the need to design and implement our systems so that we will be able to replace those public-key crypto algorithms which may fall (or already have fallen) to the ability of quantum computers to break them in polynomial time. That is essentially all of the currently-utilised algorithms based on trapdoor problems involving factorization or the computation of logarithms in a finite field: RSA, ElGamal, Diffie-Hellman Key Agreement, DSA, and their elliptic curve derivatives.

Bear in mind that if somebody already has a quantum computer, they are not going to reveal that fact, as it confers a tremendous advantage. And even if "they" don't yet have a quantum crypto-breaking capability, "they" can store away intercepted traffic until they do, at which point they will be able to retrospectively read encrypted traffic, some of which will still be valuable (so-called "harvest now, decrypt later" (HNDL) schemes). So the only prudent course of action is to assume this is going to be a problem sooner rather than later, and start switching to post-quantum, or quantum-resistant, cryptographic algorithms.

The US Government is already pushing this, with the Quantum Computing Cybersecurity Preparedness Act, which mandates the migration of Federal Government systems to post-quantum crypto algorithms. And the longer we leave it, the faster the change will have to be accomplished - hence the plea for cryptographic agility, which at least lays the groundwork.
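As an added example (not code from the article), here is the design pattern cryptographic agility asks for: a message envelope that names its algorithm, dispatches through a registry, and lets policy retire an algorithm without changing the message format. The HMAC-based "algorithms" are stand-ins for the public-key schemes named above, chosen so the block runs with the standard library alone; the algorithm identifiers and key are constructed for the example.

```python
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Set

# Stand-in primitives: keyed HMACs play the role of public-key signatures
# here so the block runs with the standard library alone; the pattern
# (named algorithm, registry, policy gate) is what crypto agility is about.
@dataclass(frozen=True)
class Algorithm:
    sign: Callable[[bytes, bytes], bytes]
    verify: Callable[[bytes, bytes, bytes], bool]

def _hmac_algorithm(digest: str) -> Algorithm:
    def sign(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, digest).digest()
    def verify(key: bytes, data: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(sign(key, data), sig)
    return Algorithm(sign, verify)

REGISTRY: Dict[str, Algorithm] = {
    "legacy-hmac-sha1": _hmac_algorithm("sha1"),       # stand-in for e.g. RSA-2048
    "current-hmac-sha256": _hmac_algorithm("sha256"),  # stand-in for e.g. ECDSA P-256
}
DEPRECATED: Set[str] = set()  # identifiers that policy no longer accepts

def register(alg_id: str, alg: Algorithm) -> None:
    """Add an algorithm (e.g. a post-quantum one); the envelope format is unchanged."""
    REGISTRY[alg_id] = alg

def deprecate(alg_id: str) -> None:
    DEPRECATED.add(alg_id)

def _to_be_signed(alg_id: str, payload: bytes) -> bytes:
    # Bind the algorithm identifier into the signed data so a signature
    # cannot simply be relabelled as a weaker algorithm (downgrade).
    return alg_id.encode() + b"\x00" + payload

def sign_envelope(alg_id: str, key: bytes, payload: bytes) -> dict:
    if alg_id in DEPRECATED:
        raise ValueError(f"refusing to sign with deprecated algorithm {alg_id}")
    sig = REGISTRY[alg_id].sign(key, _to_be_signed(alg_id, payload))
    return {"v": 1, "alg": alg_id, "payload": payload.hex(), "sig": sig.hex()}

def verify_envelope(env: dict, key: bytes) -> bool:
    """Policy first (version, known, not deprecated), then the cryptographic check."""
    alg_id = env.get("alg")
    if env.get("v") != 1 or alg_id not in REGISTRY or alg_id in DEPRECATED:
        return False
    payload, sig = bytes.fromhex(env["payload"]), bytes.fromhex(env["sig"])
    return REGISTRY[alg_id].verify(key, _to_be_signed(alg_id, payload), sig)
```

Retiring an algorithm is then a one-line policy change and adding a post-quantum one is a registry entry, with no change to stored or in-flight envelopes.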

Clancy, Charles and Teresa H. Shea, Why the US Needs Quantum-Safe Cryptography Deployed Now, Dark Reading, 14 April 2023. Available online at https://www.darkreading.com/dr-tech/why-the-us-needs-quantum-safe-cryptography-deployed-now.

More Israeli Implants Revealed by Citizen Lab

The Citizen Lab researchers at the University of Toronto's Munk School of Global Affairs and Public Policy have a long track record of sterling work in revealing the activities of state-sponsored and other actors who conduct surveillance and other attacks on journalists and civil rights campaigners. In their latest report, they describe the exploits developed by Israeli spyware vendor QuaDream.

Smartphones are an excellent platform for secure (encrypted, confidential and sometimes anonymized) communications by journalists, civil rights campaigners and NGO workers. Because the traffic generated by smartphone messaging applications is encrypted, usually with reasonably well-designed key exchange protocols, it is effectively impossible for traditional wire-tapping schemes to work - the traffic can be intercepted but not decrypted, leaving only traffic analysis as a means of attack (and sometimes, not even that).

The only way to intercept communications, therefore, is by means of an implant - essentially a software keystroke or other logger which is able to capture communications before they are encrypted or after they are decrypted. And so a number of firms - primarily Israeli, for some reason (most notably NSO Group) - specialize in developing such implants, which can hook into the iOS and Android mobile OSes in undetectable ways. They also develop exploits which can either trick a victim into installing them - a big hurdle when the targets are sensibly paranoid and security aware - or, better still, infect a system with no user interaction at all: so-called zero-click exploits.

One such company is QuaDream, which markets its "Reign" spyware to government clients, including Singapore, Saudi Arabia, Mexico and Ghana. The company maintains an exceptionally low profile, with no web site and essentially no press coverage. If it weren't embroiled in a legal dispute with its international marketing partner InReach, requiring the lodging of documents with a court in Cyprus, the company would be essentially invisible.

Microsoft Threat Intelligence recently captured two samples of iOS spyware which they call KingsPawn and attribute, with high confidence, to QuaDream. They passed these samples to Citizen Lab, who analysed them and determined that the first was a loader, intended to exfiltrate basic device information and then download and execute a second payload. The second sample appears to be a full-featured spyware payload. The two share common code, indicating they come from the same development team.

The spyware payload has a wide range of surveillance functionality:

  • Record audio from calls
  • Record from the microphone ("hot mic")
  • Take pictures using front & back cameras
  • Exfiltrate and remove keychain items
  • Generate iCloud 2FA passwords
  • Search through device files and databases
  • Clean up its own traces
  • Track location

Detailed analysis also led to QuaDream's iOS 14 zero-day, zero-click exploit, called ENDOFDAYS. Citizen Lab identified two cases where this was used against targets in North America and Central Asia. It appears that the ENDOFDAYS exploit works by using an XML escape vulnerability in the iCloud calendar; if this is correct, it only requires the attacker to add a calendar event which injects XML data into the target's phone.

Citizen Lab were also able to devise fingerprints and identify over 600 command and control servers and 200 domain names which appear to have been linked to QuaDream's spyware between late 2021 and early 2023, and in several cases trace them back to their operators, suggesting that these systems were operated from the following countries:

  • Bulgaria
  • Czech Republic
  • Hungary
  • Ghana
  • Israel
  • Mexico
  • Romania
  • Singapore
  • United Arab Emirates (UAE)
  • Uzbekistan

Several of these countries have what can at best be described as a patchy track record with respect to surveillance of citizens, especially human rights advocates and journalists.

Marczak, Bill, et al., Sweet QuaDreams: A First Look at Spyware Vendor QuaDream's Exploits, Victims, and Customers, technical report, 11 April 2023. Available online at https://citizenlab.ca/2023/04/spyware-vendor-quadream-exploits-victims-customers/.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
