Technical specifications and marketing material from surveillance vendors is often kept secret. The resulting information asymmetry prevents defenders in the cybersecurity industry and at-risk civil society groups from understanding the full scope of threats that they face. The aim of this research is to provide concrete information about surveillance capabilities available from one vendor in the commercial surveillance market. We hope that this report can be a resource for the cybersecurity community and major mobile device and technology vendors.
Surveillance Industry Glossary
| Term | Definition |
| Spyware | Spyware is software which enables an operator to gain covert access to information from a target computer system or device. |
| Highly-invasive spyware | Highly-invasive spyware is spyware which can gain complete access to all data on a targeted device and whose functionality is not limited to accommodate the need for proportionality, or spyware who’s use cannot be independently audited or verified in case of abuse. |
| Commercial spyware | Commercial or mercenary spyware are surveillance products developed and sold by corporate actors to governments to conduct surveillance operations. So called “end-to-end” commercial spyware systems provide a full system for device infection and data collection. Components of these systems include the exploits used to install the spyware, a spyware agent which runs on the target device after infection and backend systems to gather and analyse the collected surveillance data. |
| Spyware agent | A spyware agent (or implant) is the final software code installed on a computer or phone after it has been successfully infected. The agent is responsible for collecting data from the device, activating sensors such as microphones and cameras, and uploading this data to the spyware operator. |
| Software vulnerability | A software vulnerability is a technical flaw or weakness in a software component or piece of code which can be exploited by an attacker to bypass security defences. |
| Exploit | An exploit is a piece of software or code which takes advantage of (or exploits) one or more software vulnerabilities to gain access to a device. On modern mobile devices exploits must bypass numerous layered security defences and can be highly complex. A full exploit chain targeting latest device versions can sell for millions of euros. |
| Baseband | A mobile baseband is the hardware and software components in a mobile phone which are responsible for communicating over a radio interface with a mobile phone cell tower or base station. |
| Zero-day | A zero-day vulnerability is a software flaw which is not known to the original software developer and for which a software fix is not available. A zero-day exploit taking advantage of this flaw can successfully target even fully patched and updated devices. |
| Vector | Vector is a surveillance industry term for the different pathways or techniques which can be used to deliver an exploit to a target device. These include so called 1-click and zero-click vectors. |
| One-Click | A one-click attack requires action from the target to enable the infection of their device, typically by opening a malicious link. Various social engineering techniques are used to trick the target into opening the link, including spoofing legitimate websites or news articles. If clicked on, the attack link loads an exploit chain to first compromise the web browser and ultimately install the spyware agent on the target device. |
| Zero-click | A zero-click attack is a surveillance industry marketing term for any vector which can infect a device without requiring a user action, such as clicking on a link. Fully remote zero-click attacks allow infection over the internet, often by exploiting flaws in popular messaging apps such as iMessage or WhatsApp. Non-remote or tactical zero-click attacks can silently infect devices where the attacker has privileged network access or is in physical proximity to the target. |
| Network injection | Network injection is a technique where internet data packets are injected in the internet traffic of a target to block, intercept or manipulate their traffic. |
| Man-in-the-middle (MiTM) | A man-in-the-middle is an attacker who can read, modify, and block the network traffic from a target. A MiTM capability can be used to censor the target or perform network injection attacks. |
| Man-on-the-side (MOTS) | A man-on-the-side is an attacker who can read and monitor network traffic but is not able to directly block or modify the traffic. This situation is common when an attacker has access to a copy or mirror of traffic sent over a fibre optic link. Network injection attacks can also be performed from this network position. |
| Tactical infection | A tactical infection vector allows an attacker to attack devices in close physical proximity. Malicious Wi-Fi networks and mobile base stations can be used to silently redirect a nearby target to an exploit link. Attackers can also exploit vulnerabilities in cellular baseband software and Wi-Fi interfaces to infect nearby devices using radio packets sent over the air. |
| Strategic infection | Strategic infection is a marketing term referring to network injection systems deployed at an ISP (internet service provider) or national internet gateway which can be used to deliver spyware. These systems can intercept unencrypted requests sent by a target and silently redirect their device to an exploit link. |
| SS7 | Signaling System Number 7 is a set of signalling protocols and standards used in telephone networks to perform actions such as call-establishment, routing, and roaming between national and international mobile phone providers. The protocol was designed without modern security defences and has been exploited by commercial surveillance vendors to enable various attacks including location tracking and communications interception. |
| Distributed Denial of Service (DDoS) | A Distributed Denial of Service is an attack aimed at disrupting a website or network by overloading the system with too much traffic or too many requests. This attack can result in a website being unavailable to legitimate visitors. |
| Avatar | An Avatar is a fake identity or online account which is used to gather information from online platforms or to interact with a targeted user. These seemingly real profiles can be used to send targeted attack links or to spread information online through social media or messaging services. |