ICE Partners with Israeli Phone Hacking Spyware

technology but also by chilling speech. I'm Garrison Davis, and this past week, news has swept the Internet that ICE is using software from an Israeli company called Paragon, which allows ICE or DHS to secretly hack into any smartphone, break encryption, access messages, track real time location, and turn your iPhone or Android into a walking listening device, all of which sounds very scary, and some of which is true, though some of these class are exaggerated or even likely

false based on what we can currently infer from published research. Due to legitimate fears, we live in a world of surveillance paranoia, which can lead to surveillance myths. This is a core function of the Panopticon. People should take ICE's new enhanced smartphone surveillance capacity seriously, but to adequately do so requires an accurate understanding of the threat model, which we will get into later this episode with some help

from the Electronic Frontier Foundation. But first let's address the newsworthy aspect of this story. What has actually changed recently. DHS first contracted with the US branch of Paragon in September of twenty twenty four, or two million dollars, but later that October, the contract was put on hold thanks to a Biden executive order restricting a government use of foreign spyware, and ever since then the contract has been frozen pending a compliance review. But then on September first,

twenty twenty five. Just last week, investigative journalist Jack Paulson reported that the stop work order affecting the Paragon contract had quietly been lifted, allowing Ice to follow through on the contract and start using Paragon's spyware technology, most likely including their flagship product, Graphite. What is Graphite? Great question one that I felt underqualified to fully answer myself, so I spoke with an expert, Cooper Quinton, of the Digital

Rights group the Electronic Frontier Foundation. You'll hear from him throughout the episode.

That is the main capability that it has. According to the reporting published by Citizen Lab, its main job is to hook into WhatsApp and into other encrypted chat apps and just read the messages in those apps, like in the messages you've already sent and any future messages that you send. That's really it's the that's the meat of Graphite.

smartphone and internet surveillance solutions. The company applies strict moral restrictions on itself, limiting its extraction of information from targeted devices to conversations on chat apps. Paragon works solely with police forces and intelligence agencies that meet the standards of an enlightened democracy, which includes only thirty nine countries unquote.

One of Paragon's senior executives told Forbes in twenty twenty one that they would only sell their technology to governments that quote unquote abide by international norms and respect fundamental rights and freedoms, and that quote authoritarian or non democratic regimes would never be customers. Unfortunately, Paragon was not pressed on what their definition of authoritarian regimes includes. In recent reporting, there's been a lot of misconceptions about the capabilities of

Paragon's main product, Graphite. The Guardian wrote, quote, by essentially taking control of the mobile phone ice can not only track in individuals whereabouts, read their messages, look at their photographs, but also open and read information held on encrypted applications like WhatsApp or signal. Spyware like Graphite can also be used as a listening device through manipulation of the phone's

recorder unquote. But research into Graphite by the surveillance watchdog group Citizen Lab has not indicated that Graphite has all these capabilities or tries to quote unquote take control of the entire device, But other tech journalists have since parroted The Guardian's unfounded class that Graphite fully takes over a phone and can record audio through the microphone.

a hot mic, to do all these other things. And this seems as far as as far as Citizen Lab has reported to not be present within the Graphite malware, and I think this is because Paragon has presented themselves as kind of being the quote unquote responsible malware manufacturer, right, and they're like like trying to minimize the amount of data they collect. It doesn't mean they couldn't add this stuff in the future, but that's the that's the gist of it. It's actually, you know, kind of a very

stripped down malware. I don't want to minimize like how impactful it would be for this mawur to get all of your messages. That could have a huge impact for people. But we don't need to make up capabilities that our adversary has, especially under fascism, right, Like we can we can just work with the capabilities that we know they have.

similar to guardians claims about Graphite. But by forcing this comparison, people might be inadvertently boosting Paragon's brand with free marketing by making their product out to be something that I'm sure Paragon would like to have people think it is, but doesn't actually equate their realistic threat model, similar to how predictions of an evil superintelligent AI actually currently serve to boost the stock price of AI companies.

mawere the GRAPHI mawere right, Like, yeah, it's it's not good, but you know it's not magical, right, it's not omniscient. It's not able to you know, I don't know, go eat the fridge out of your food and you know, beat up your dad or something like.

on Signal or WhatsApp. Instead, Paragon tries to circumvent and encryption by trying to gain access to content on a targeted device once it's been unencrypted by an application like WhatsApp for the user to read similar to how if you have push notifications on for an application like Signal, if the police seize your phone and push notifications display messages from Signal, that doesn't mean the police have quote

unquote broken signals encryption. Now, in order for Graphit to extract messages from your phone, it needs to get onto your phone in the first place. Graphite is just the implanted code that can read and extract your messages. First, it needs to get onto your phone via what's called an exploit, which is usually a message sent to a phone number or a WhatsApp account that attacks a vulnerability in your phone's code to gain permissions to load the

Graphight onto the messaging apps. Graphight and the exploit are two separate programs that work together, but exploits need to be frequently changed to keep up with soft where security updates, and that's expensive. You need different exploits for Android and iOS. Paragon has been using zero click exploits, meaning the owner of the phone doesn't have to manually click a link or intentionally download a file for the exploit to try to gain permissions on the device. You don't have to

click or do anything. You just have to receive the message and then the spyware gets to work, which is very scary. But this technology cannot be deployed en mass because of how expensive and specific it needs to be in order to work.

of exploit. If your phone is up to date and fully passed, this will have to be a zero day exploit, which means it's an exploit that has had zero days for Apple or Google or whoever to fix it because it is un known to them, and these exploits cost

millions of dollars right now. Paragon is not going to pay that millions of dollars for each person they're exploiting, but there is a large per person cost to Ice for each person they're going to exploit, because Paragon doesn't want to blow their zero day, which costs them millions of dollars to either buy or develop themselves.

Other Paragon co founders are also ex Israeli intelligence. The startup got early financing from a Televiv investment fund called Red Dot Capital, though Paragon also received backing from American venture capital. In twenty twenty one, Forbes reported that the Boston based Battery Ventures had invested between five to ten million in Paragon. Bloomberg Capital has also supported the company.

In twenty twenty two, Paragon launched a U S subsidiary and started recruiting former US Feds to help break into the American market. The New York Times reported that the DEA has used graphite as far back as twenty twenty two. Former CIA assistant director John Finbar Fleming became the executive chairman of Paragon US in January of twenty twenty four, according to his LinkedIn. In December of twenty twenty four, Paragon was acquired by AE Industrial Partners for nine hundred

million dollars. AE Industrial Partners is a Florida based private equity fund with a specialized security portfolio. Once they bought Paragon, emerged with another a asset, this cybersecurity company, red Lattice. Back in twenty twenty one, Paragon had about fifty employees, now it has over five hundred. In June of twenty twenty five, they were hiring one hundred and fifty more.

Just a week ago, executive chairman John Finbar Fleming shared a recruitment post that red Lattice was hiring quote emerging and offensive cyber engineers unquote. Next, let's discuss the biggest case study of Graphite being deployed that we know of. On January thirty first, twenty twenty five, Meta's encrypted messaging app WhatsApp sent a notification to ninety accounts that their smartphones were suspected of being targeted by spyware, which has

since been traced to the Paragon product Graphite. People targeted were journalists, human rights activists, and members of civil society across Europe and the Mediterranean, but Timer based out of Italy. This was a zero day and zero click exploit, meaning it both attacked to previously unknown vulnerability and required zero

user interaction to infect the device. At first, the Italian government denied knowledge, but Paragon canceled two contracts with customers in Italy, and a parliamentary oversight committee later confirmed the Italian government was using Paragon technology for spyware attacks against c migration activists. One thing that's interesting to me is that we talk about this technology is being very expensive,

very individual, they have to individually target you. But then you see, you know, ninety people on WhatsApp, and you're like, that's that's a lot of people. So you can talk about how this attack was like structured and what we've learned from it.

But as soon as that malicious PDF was received by their WhatsApp app, but by their WhatsApp client, WhatsApp client processed the PDF and it contained code which exploited WhatsApp and allowed Graphite to start running. So Graphie doesn't actually install anything. To get a little bit technical, Graphie only runs in memory of the phone, right, It only runs in the like temporary RAM so to speak. Okay, Right, So rebooting the phone would have cleared out of the

Graphite infection and they would have had to reinfect the person. Interesting, right in this case. Yeah, it's possible that in the future Paragon will find a way to make Graphite persistent.

But it does make it more stealthy, It makes it harder to detect, It makes it harder to forensically analyze for people like citizen Lab and like eff if it just runs in memory, sure, right, so it kind of makes sense that they would want to keep running it in memory, even though rebooting it would clear out the infection because you can just reinfect the.

Citizen Lab was able to analyze the devices of a prominent European journalist who requested to remain anonymous, and an Italian journalist linked to the previous cluster of attacks in Italy. iPhone is slightly harder to target than your average Android, but certainly not impervious to this sort of attack, as we've seen from these examples in Europe. To date, citizen Lab has also identified suspected Paragon deployments in Australia, Canada, Cyprus, Denmark, Israel,

and Singapore. Though the encrypted messaging app Signal is not mentioned in the citizen Lab reporting, their analysis did find that graph Fight had the capability of going after several different messaging apps, and it's probably safe to assume that Signal would be one of the apps that Paragon would

want to extract messages from. We don't have much information about this spyware targeting Signal, possibly because Signal does not have as large of an international user base compared to other apps like WhatsApp, I Message or Telegram, despite Signal being much more secure. So what can you do? Though Graphite might not be the total phone hijacking super spy away that the Guardian and others claim it to be, it still poses a significant security threat. Some basic digital

security precautions apply here. Get into a habit of regular digital cleaning. Remove unnecessary content from your device, save space. Old photos can be uploaded to an external encrypted hard drive in question. If you really need years of messages stored on your phone, use an encrypted chat app like Signal, which has disappearing messages so that there isn't a large backlog of communications that could be suddenly accessed by a

hostile actor. Be very wary of cloud backups. They are often one of the least secure aspects of your digital life, especially if they are unencrypted, and though it won't deter zero click exploits, it's still best practice to avoid clicking mysterious links or downloading files and photos is sent to your phone. Another tip is to regularly reboot your phone. Contrary to claims that once your phone been targeted by graphites,

now compromised forever something called malware persistence. To our current knowledge, rebooting can wipe Paragon's exploits. It does not appear that Paragon spyware is at the moment reboot persistent, and it seems that rebooting would actually remove it from the phone.

go buy another one. Like, no, you can you know, if you don't feel safe, just rebooting it, right, like a factory reset, that would be the next step, right, I think that would that would most likely get rid of any persistence mechanisms that were installed. I'm not familiar with any iOS mower certainly that would survive a factory reset.

company already knows about them. An exploit loses basically all of its value as soon as you know the company knows about it, and it's patched. Right, So, if you have out of date software on your phone, if you have out of data software in a computer, it changes the entire economics of attacking. Right, It's basically free for me to exploit your phone at this point, and I you know, I will exploit it as many times as I want. And I don't care if that exploit is burned.

I don't care if you find it, because again it's free, right. Zero A exploits for especially for Apple, for like you know, Android pixel phones, for graphene, the alternative Android OS not graphite is giving me real problems lately. Zero D explots meaning explicit that the manufacturer does not know about and has not had a chance to patch, cost millions of dollars for these platforms and a zero click exploit where

where the victim doesn't have to interact with it at all. Right, I don't have to click a link, I don't have to do something. You just send me, you know, a PDF, an infected PDF or a magic file, right or something, and my phone is infected. Those are the most expensive above all, Right, those those are sort of the those are the golden ticket for malwaur companies, right a million.

These cost millions of dollars and if you burn it, right, if it gets caught, like like you know what happened with WhatsApp and citizen lab in Italy, Right, that's millions of dollars down the drain for para con. You know they're going to pass that on to the Italian government

to ice to whoever their contractors are. Right, So keeping your phone up to date really changes the economics of running a malware attack against you, right, Like anybody can run you know out of their office old you know end day, right, more than zero day malware attacks against any me, right Like, those are cheap. But if your stuff is patched now, it's good, it's it's it totally changes the entire game. And you've got to be doing really good work for ICE to want to burn that much money on you.

higher risk? Journalists who report on ICE and immigration, people who work for immigration advocacy organizations, immigration lawyers, as well as high profile activists. It goes without saying that anything you do on your phone or on the Internet carries a level of inherent risk. We'll close this episode with a longer segment from my interview with Cooper discussing who's at the most risk of ICE using Paragon software and

more of Cooper's recommended surveillance mitigation practices. This is not something that can be deployed at a protest and sweep up you know, thousands of people. This this does go after like individuals because of its cost and the way that it needs to be deployed. Who are the people that you would say are most at risk of this? Like is this here like your local like you know, food not Bombs organizer, or like an immigration lawyer?

be under HSI investigation. Right, people who you know have been threatened by the president or by Pam BONDI you know specifically, right, like had their name called out specifically, right, people who are you know, very loud, very active, right, Like the sort of leaders what's the term tall poppies, Right, Like the people that are really have their head sticking out right in a way that's like very public and

very well known. If you have risen to the level where like Tom Homan knows your name personally, right, that makes it a pretty good chance that you know, you might become a target of this, right, Like, that's that's who we're talking about.

The journalists might have information about like other people besides the journalists on their phone, and they may be targeting through the journalists, but trying to get after other people who they're talking to, same thing with like immigration lawyers, and like, there is real concern about harm spreading from

those factors. And I think that's why if you are in those sorts of like roles that like like a human rights organization, a journalist, or a lawyer, you need to be like extra careful about keeping your phone updated regularly, engaging in like digital hygiene, having disappearing messages, maybe putting on lockdown mode onto your iPhone, be very wary of

being added to mysterious group chats. These are just general practices that are I think worthwhile to like engage in, whether or not you're actually going to get to target by.

there's no way to recover those, right, You're minimizing your footprint. Right, yep, go delete old chats right like if you if you get a second right, like we've all Google has trained us to all be digital hoarders, right and keep depending. How will you are twenty years of email, ten years or whatever?

nation of state or by state sponsored maware. But if you do get one of those notifications, take it very seriously, you know, reach out to access Now or to e f F or to Citizen Lab and let us know, right, and we will help figure out what's going on, right, Like this is this is the number one indicator, right because like this mallory is usually fairly stealthy, right, Like it's not it's not actually, but you know, I don't know flashing you're infected on your screen, right. But yeah,

Citizen Lab is always doing amazing work. I'm a fellow there, so I get to work with them sometimes, which is very exciting. They are based out of the Monks School of Global Affairs at the University of Toronto and their website is Citizen Lab dot org, where you can find a lot of really excellent research on the types of threats that target civil society.

civil liberties as they intersect with technology. So a lot of a lot of free speech work, a lot of you know, privacy and Fourth Amendment work, and we also have a really excellent set of guides called the Surveillance Self Defense Guides, which are at s SD dot e f F dot org, which I highly recommend people go and check out. It's the most sort of evergreen guide

for finding yourself online. A lot of the problem with the online security guys that they get out of date very quickly, and we have a totally whole, full time person dedicated to making sure that our guides stay up to date.