Stalkerware with Eva Galperin

“Personal trackers that are meant for people to keep track of their belongings are essentially a gift to stalkers.” - Eva Galperin

If you’ve ever had the feeling that someone is eavesdropping on your calls, reading your messages or emails, and even knows where you’ve been going, you just might be right. Abusers often utilize stalkerware to control and manipulate their targets. Being educated on what it is, how it got there, how to clean it off your devices, and where to go for help can make a world of difference.

Today’s guest is Eva Galperin. Eva is the Director of Cybersecurity at The Electronic Frontier Foundation. She has worked in security and IT in Silicon Valley and earned degrees in Political Science and International Relations. She has applied the combination of her poli-sci and technical backgrounds to everything including organizing EFF’s TOR relay challenge to writing privacy and security training manuals. Those include Surveillance Self-Defense and The Digital First Aid Kit.

“Software that allows you to do this without notifying the user, that deliberately circumvents consent, that hides from the person who is using it so that they do not know that they are being watched is in and of itself abusive.” - Eva Galperin

Show Notes:

“If you think someone has compromised your device or somebody has compromised your account, you should go into your account settings and look for the page that lists devices and IP addresses that have logged into your account.” - Eva Galperin

Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review. 

Transcript:

Can you give me a little background? First of all, how you came to be at EFF—Electronic Frontier Foundation—and then how you got involved in addressing stalkerware?

I ended up at the Electronic Frontier Foundation because I was sort of kidnapped on my way to law school. I had been working in tech. Tech suffered one of its periodic explosions when there were no jobs. I went back to school and said that I was going to go become a lawyer.

In the year between finishing school and starting law school, I took this job at the Electronic Frontier Foundation. It just wouldn’t let me leave. They shut the door, so I did legal intake. I worked on the activism team. I worked on the international team. I’m currently working on the tech team. I head up our threat lab. I have seen nearly every part of the organization at this point.

I can imagine you’ve been there more than a day. Was stalkerware something that you ran across there, or did you run across it somewhere else, as far as the concept?

I was already familiar with stalkerware because I had been working in tech since I was a teenager. But specifically, the reason why I started the Coalition Against Stalkerware, and started in my stalkerware research, was that the person with whom I was doing research on nation-state spying—in order to protect journalists and activists from being spied on by governments—turned out to be a serial rapist. His survivors were really, really scared that he was going to install spyware on their computers and on their phones. That was one of the reasons why a lot of them took so long to come forward.

I was so angry about this that I essentially started a project in which I was helping out people who are concerned about their devices being spied on. That sort of branched out into research about what stalkerware is and how prevalent it is. That became the Coalition Against Stalkerware, which works to eradicate stalkerware from the landscape entirely.

I have listened to a few of your presentations. The first thing that went through my mind initially was, “Shouldn’t antivirus and malware catch stalkerware?”

Does anti-virus software protect against stalkerware?

That was also my thought back in 2018. I thought, “Isn’t there an entire class of apps that are designed specifically to see whether or not there’s something you don’t want on your phone or on your computer?” So I tested them out to see how good they were at finding the latest stalkerware for both phones and desktops. I discovered they weren’t very good at all. The results that I got were abysmal.

There were a bunch of different reasons for this, and different companies had all kinds of different justifications for why they thought that they might classify stalkerware being a kind of, sort of legitimate use because you can use it to track your children or your employees, or maybe it’s actually OK to try to track your partner because that bitch is cheating on you. There was some pushback in this area.

I essentially started with one company, pushed them to start keeping track of the entire stalkerware market, and doing a much better job of not just identifying stalkerware but to send up a specific message that you get when you run their AV product that tells you there is stalkerware on your device, and gives you the opportunity to remove it if you want.

Now, it’s not going to remove it automatically and the reason for that is that the survivor should really be left with the choice. The survivor usually has a very good idea of who their abuser is and how they’re likely to react if they remove the stalkerware. Some abusers, if they are faced with this kind of action, might escalate their abuse, including escalating to violence. So I really want to leave the power in the hands of the users whenever I can.

I know that you started that a number of years ago and the results were particularly poor. Has it gotten better?

Yes, it has. That’s actually one of the things that I’m really excited about. There’s a company called AV-Comparatives. They have put out their research year-by-year on the stalkerware market and how detection is going among the various AV companies. It’s definitely gone up over the last three years, and pretty consistently. Companies like Kaspersky and Malwarebytes also put out reports, specifically about stalkerware, in which they talk about how much stalkerware they’re detecting, and the amount of stalkerware that they’re detecting is also going up.

Now, this could be for a number of reasons. One, this could be because use of stalkerware is going up, so that would be bad. But it could also just be that we’re better at finding it. When we’re better at finding it we can get better at removing it, and we can have more people who are aware that they are being spied on and can do something about it.

That’s good. I think from your previous presentations I saw back in 2018–2019, it was maybe 5%–10% of stalkerware was being caught by antivirus products. What kind of percentages is it now?

It really depends on the AV product, but the most recent report from AV-Comparatives indicates that, I think, the lowest rate of detection among the AV products that they tested was something like 60% and the highest with something like 95%.

That’s awesome. It's amazing that it’s gone up so much and that they’re taking it seriously. That’s absolutely amazing. In most of those cases, how’s the stalkerware getting on the device? Is it remote hacking or physical access?

In domestic abuse cases, it’s common for the abuser to have physical access to the survivor’s phone rather than remote. - Eva Galperin

Furthermore, they would not just have physical access, they often also have the password. They often have the Apple ID if it’s an iPhone. They can unlock it themselves and install whatever the hell they want, and there’s no reason to remotely hack a phone when you can just pick it up and install the spyware while your victim is in the other room. It takes less than a minute.

And that’s if someone has the unlock code for the phone. It’s pretty much administrative root access to the device in effect.

It’s certainly sufficient access to install stalkerware, and that’s very troubling. One of the big problems that I had convincing AV companies that this kind of software was malicious was they would tell me the only way to install it on somebody’s device is to have physical access to the device. If a person has physical access to the device, and the username and the password, that’s legitimate access to the device. I had to tell them, “I have news for you about how abuse works.”

I think in a corporate environment, that thought makes sense. Of course, only people who have the username and password have physical access to the device. Why would anyone else have that? My wife has my password, I have her password, we can unlock each other’s phones. Thankfully, I’m not stalking her—hopefully she’s not stalking me—but it seems to me that that use case or that situation is extremely common, is that significant others very frequently would have access to passwords, passcodes, and whatnot.

It’s very common in modern relationships and it is nearly 100% common in abusive relationships.

And I assume it goes down the lines of, “Well, if you really loved me and you really trusted me, of course you would give me your password.” Now, it puts the survivor in a negative light for not providing that information.

An interesting aspect of abuse power dynamics is that the abuser has full access to the survivor’s phone but not vice versa. - Eva Galperin

Yeah, I want full access to your phone, but you can’t have full access to my phone.

No, no. You can’t know where I am and what I’m doing.

That right there should be a red flag. We talked about device compromise. Other than running a good antivirus, one which has a good reputation for catching stalkerware, what other ways are there for people to find stalkerware on their device, or what signs might give an indication that something is installed on their device?

When it comes to Android, I strongly recommend just installing an antivirus program and running it on its highest setting, and the chances that it will detect your stalkerware are fairly high. Stalkerware on iPhones works rather differently, and that’s because of the way that the iPhone restricts certain powers from people who are running apps. Apple really reserves a lot of power for themselves. You can’t get root on your iPhone without jailbreaking it.

If your iPhone is not jailbroken, then the easiest way for people to see what is happening on your phone and to spy on you is to use software that will simply scrape your iCloud Backup. You don’t even need physical access to the phone. All you need is somebody’s Apple ID and password, turn on iCloud Backups, and then there is software that will essentially download a full copy of that backup once a day. That doesn’t give you real-time access to see what somebody is doing, but a full snapshot of somebody’s phone once a day is still very revealing.

Yeah, and I’m sure it gives a fair amount of history of activity, and that’s enough to put someone in an uncomfortable position.

It is certainly not information I would want my abuser to have.

I think people less frequently have desktops these days or laptops, but is it the same comparison between Windows and MacOS?

No. Both Windows and MacOS essentially host the same vague types of stalkerware, often installed directly on the machine. That’s the sort of thing that you can usually address with a good AV product.

Got you. So it’s the same thing, whether it’s Windows or Mac. It’s fairly easy to install something surreptitiously and have it running in the background where the person doesn’t see it.

Absolutely, especially since our laptops and our desktop machines are often sitting there in our homes, waiting to be accessed by anybody who is there. People frequently share desktop machines, so it’s not uncommon for everybody in the household to share the same login and to install whatever they want.

I’m often approached by people who think their device has been compromised. Obviously, if I’m responding to a support ticket online, there’s no way for me to know sitting halfway across the country, halfway around the world, whether their device has actually been compromised or not. But once they start telling me what they see happening, it’s more like their Facebook account has been compromised or maybe someone’s gotten into their Gmail account, which of course, they used their Gmail account password for everything and everything is laid bare. For people, how would they normally tell the difference between a device compromise and an account compromise?

Frequently, when people come to me and they’re concerned about account compromise, they don’t really understand what an indicator of compromise for account compromise versus device compromise means because for most people, it’s not entirely clear what’s an account, what’s the device, and what data lives where. But most of the time when people come to me with a problem, it’s almost always account compromise.

How do you know if you are compromised?

I have had people come to me with compromised Apple IDs, with compromised Facebook accounts, with Instagram accounts, Twitter accounts, TikTok accounts. I’ve been doing this for long enough that I had to learn what TikTok was. Basically, if it had a login, I have seen it compromised. Compromising somebody’s login is relatively easy, whereas installing stalkerware is harder than that, which is why account compromise is so incredibly common.

What I tell people when they have account compromise is that the solution is quite simple. It is very easy when somebody has stolen your keys to change your locks. What you do when you have an account compromise is you change your password. You change your password to something which is unique, that you’re not using for any other account, which is long so that other people cannot guess it.

You might want to use a program called a password manager to manage all of these passwords because trying to remember 100 long unique logins off the top of your head is impossible. In fact, if you can do this then probably there is a problem with your passwords.

Once you have your unique, strong, new password that is difficult to guess, the next thing that you need to do is you need to turn on two-factor authentication. There are a number of different types of two-factor authentication that you can turn on. Essentially, two-factor authentication is any login where it is not enough to have somebody’s password. You must also have a code that is sent to you on another device. Sometimes, that is sent to you by SMS. Sometimes, that code is sent to you in an app like Google Authenticator or Authy. Sometimes that code is sent to a special key that you can physically possess. So there’s absolutely no question: you either have it or you don’t have it.

The least secure version of two-factor authentication is SMS. The most secure is the actual physical key. - Eva Galperin

Generally, what I recommend for people in terms of usability is something in the middle, to go ahead and use some form of authenticator app like Google Authenticator or Authy and have your 2FA send the code to that app.

And I suppose it really depends on the technological prowess of the person who’s using it. I wouldn’t probably ever give my mom a YubiKey and have her use that. “I’ve got one more key thing I’ve got to put on my keychain. I’ve got one more thing I’ve got to keep track of.”

I want to give people advice that they will actually use because if I give people complicated and confusing advice, then they simply tune out. Then I haven’t done anything but make myself feel good for having given advice, and then just put a cape on and flown away like a superhero. That doesn’t actually do any good.

No, it doesn’t. Everyone likes it when Superman’s there, but as soon as he flies off somewhere he’s not really helping you anymore. I know a lot of the people that I end up talking to are looking in the account settings for their Facebook account. They’re saying, “Hey, I see all these IP addresses. I see these other devices that have logged into my account. How reliable is that information? How useful is that information?”

It depends. This is the least satisfying thing about security advice, is that it always starts with an engineer looking off into the distance and going, “Well, it depends.” But I do recommend if you think that somebody has compromised your device or somebody has compromised your account, that you should go into your account settings and you should look for the page that tells you about the devices that have logged into your account, the IP addresses, and often something about the browser being used to log into the account. If you see things that are unfamiliar and that do not make sense to you, then often the smartest thing to do, again, is change your locks and turn on 2FA.

If you have changed your locks and turned on 2FA, and you still see this sort of thing, then there’s a very good chance that you are looking at device compromise. That’s when you start to break out the antivirus.

Got you. If you only have an iPhone and you see that there’s an Android phone logged into your Facebook account somewhere, different state, different country, that’s a good indicator that someone else has gotten your password.

Absolutely.

I know a number of platforms have a way to forcibly log out other devices from that, but that’s only really useful in conjunction with changing your password, I assume, because if you force them to log out and they have your password, they can still get back in.

Yes. Always do both.

So it’s a combination of doing both.

Yes. First, kick the attacker out of the house, then change your locks.

There’s this new—I guess technically it’s really not new. There’s kind of this not-your-phone-compromised, not-an-account-compromise thing, but you’re now starting to see personal tracking devices. I want to make sure that if I lose my backpack, I can find it. Or if my luggage disappears at the airport, I can find it. My mind immediately went to, “I could just slip this into someone else’s backpack, or drop it in someone else’s car, and I now know where they are, possibly in real-time all day long, every day.”

Yes. These personal trackers that are meant for people to keep track of lost items are essentially a gift to stalkers. That’s because personal trackers such as the Tile and the AirTag are very small, they’re easy to hide, and they often have very weak mitigations against their use for stalking.

Apple’s mitigations, for example, really only work if you are an iPhone user, and their version of an alert, if you are not an iPhone user, is essentially a beep that happens after three days, and that beep is very quiet, so it’s extremely easy to get around. Tile basically just doesn’t have any mitigations at all. We’re definitely starting to see them being used as a tool of abuse.

One of the reasons for that is because the organizations that work with survivors of abuse are extremely familiar with abuse on phones, with abuse on devices. One of the things that they do when you go into a domestic abuse shelter is they take all of your devices. They assume from the very beginning that they are compromised. But if an abuser wants to keep track of their victim and they understand that they are going to be handing over their phone, then these kinds of personal trackers suddenly become really useful.

I get a lot of pushback from people who say, “What am I supposed to do in order to keep track of my wallet, or my keys, or my bicycle if some jerk steals it?” I tell them that I actually care more about violence to victims of intimate partner abuse and I care more about stalking than I do about your bike. It is impossible to build a tool that will track a thief that will not also be excellent for tracking an abuser because they’re both predicated on the notion that you should be able to track somebody’s location when they’re holding an item and they should not know about it.

Yeah, it really ties around the permission—whether it’s permission to install an app, permission to stick something in someone’s backpack without them knowing, or a parent installing something on their kid’s phone without them knowing. It’s really about permission and communication.

I get a lot of people asking me, “Isn’t it OK for me to do this to my kids? Shouldn’t I be able to track where my kids are located, see all of their text messages, and listen to their calls?” I tell them, “Listen I’m not going to tell you how to raise your kids, for the most part. I have a few opinions, but for the most part, I’m not going to tell you how to raise your kids. What I will tell you is that software that allows you to do this without notifying the user, that deliberately circumvents consent, that hides from the person who is using it so that they don’t know that they are being watched, is in and of itself abusive. Installing this stuff is abuse.”

Let your children know that you have the ability to see where they go.

If you want to watch your kids, if you want to watch your employees—even if you want to watch your spouse—there is equivalent software that doesn’t hide. It tells you when it’s working. It tells you exactly what it does. If you are sharing this information with your spouse, or your child, or whoever, then they should know about it. They should be fully aware of what you can and cannot see, what you do or do not know, because it’s the part where you don’t have their consent and where you’re tricking them that makes it abusive.

I get those emails from people saying, “Hey I think my spouse is cheating on me. I want to get into their device.” I’m like, “If you think they’re cheating on you, go talk to a divorce lawyer. Tracking them, even without their permission, is probably illegal in almost every jurisdiction around the world. If you don’t trust them enough, you feel the need to install something on their phone without their permission, you’ve got bigger problems. Whether or not you can get something onto their phone without them knowing is not the issue. You’ve got issues outside of that.”

And it’s really terrible. Sometimes, even people who have been abused feel like the only way that they can take back power is to become abusers themselves. That’s simply not true. If you feel that you have to spy on someone, if you feel like you have to do this to somebody, your relationship is already done and what you should do is to walk away.

If you feel that you have to spy on someone, your relationship is already done and you should walk away. - Eva Galperin

That’s very much the case. I was just kind of looking through my notes here. You had talked about doing forensic analysis on people’s phones to see what’s on there. People often ask me, “Can you look at my phone and tell me?” How much work does it take to actually be able to determine whether there’s something surreptitiously installed on the phone?

A lot. That was one of the reasons why I went to the AV companies because personally taking a look at everybody’s phone by myself is not a scalable solution. It takes a really long time, it takes specialized equipment, it takes specialized knowledge, and even then you won’t necessarily find the thing. This is not a good way of going about it. It’s where I started, but the whole reason I started the Coalition Against Stalkerware was because I have scale.

Is resetting a device to factory settings enough to get around a device compromise?

It depends. For an iPhone, for most forms of compromise, resetting the device to factory settings is sufficient. In fact, for most forms of compromise even just rebooting the phone is sufficient, depending on what sort of things this particular piece of software is taking advantage of. But you also really need to change your Apple ID password and possibly also take a look at your iCloud, maybe disable your iCloud backups. There are a lot of things that you need to do.

For an Android, it is less likely. There are still ways of getting around permissions on Android. One of the reasons for that is because the Android ecosystem does not lock the people who build apps out of root access quite as diligently as Apple does. As a hacker, I love that because you have the freedom to make the device do whatever you want. As a security person, I hate that because you have the freedom to make the device do whatever you want.

It’s that open source versus walled garden discussion.

Absolutely. In my personal life, I’m very pro-open source. I think that if you buy it, you should be able to break it. But when I am giving advice to other people who are not technical, who are not going to be taking advantage of this, who will not be breaking it, and who are primarily concerned about their safety and security, sometimes I will recommend the walled garden.

It’s a means to an end even if you want to hack the device. Sometimes, depending on your circumstances, it may not be the best place to be.

And that’s just another example of meeting people where they are, and not where I think they should be, not in doing what I do but doing the thing that specifically works for them, instead of what I think they should be doing.

Covering cameras and microphones useful? Not useful?

If your camera is compromised, then covering it will definitely keep the person from seeing what it is that you are doing in front of the camera. So yes. If that is the thing that you are concerned about, that is a legitimate way of dealing with it. Covering microphones is a little bit trickier because actually turning off the microphone is really hard, so the chances that covering the microphone will do much is much lower.

There was a rash of cases of hackers targeting teenage girls, breaking in, and compromising their webcams. I think this was back in 2011–2012 before everybody had a camera in their phone. But when people started getting webcams and laptops, what they did was they would turn on the webcam without turning on the little light and spy on these girls. They would do a couple of different things. First, they would distribute the pictures. Sometimes, they would just turn around and send the pictures back to the girl and use that as blackmail, which is a particularly despicable thing to do.

There’s also a really popular sort of sextortion scam going around. Say you open your email, you get an email from a stranger saying, “I have compromised your computer, I turned on your camera, and I have seen you masturbating. I know what nasty porn you watch, and unless you want me to send this information to all of your friends and relatives, please send me Bitcoin.” Sometimes, in order to show you that they’re very serious, they will tell you your password is such-and-such.

This is a scam. This is a complete waste of time. Give them no money. They have not compromised jack shit. They often get your username and password from an existing data leak. So you go to something like Have I Been Pwned, you enter your email address, and you check to see which accounts have appeared in password dumps, because that’s what the attacker is doing. The other thing that the attacker is doing is essentially just working on your guilt, and combining those two things in order to make a sort of sextortion scam.

I have received that email, and I was surprised at how old the password was. I was like, “Wow, that must be from a really old data breach because I’ve been using a password manager for a long time and that’s pre-password manager days. Wow, that’s old.”

I get messages from people who have gotten these emails all the time, and from people who take them very seriously, because if you don’t know about the scam, this looks very legitimate and scary.

And I’ve talked to a number of those people. I’ve talked to people who are particularly confused. They see the password and know that it’s their password, so they’re freaked out because of that—“But my computer doesn’t have a camera. How did they get a hidden camera into my house?”

If someone bought your information, they may know an old password…

Then they’re saying, “But I don’t even go to sites like that.” They’re really confused and that password is that one piece of “proof” that they’ve actually done what they’ve claimed to have done. It’s been really hard to convince people that, “No, it’s a scam. You don’t need to figure out how to buy Bitcoin. You don’t need to figure out how to send Bitcoin. Just delete the email.”

Yes. It’s actually one of the more satisfying things I do, is people sending me panicked emails about the scam. I tell them, “This is a scam. Ignore it. Delete it. Absolutely nothing will happen to you.”

I wish more people would believe me when I tell them that, but that’s the whole reason for the podcast. What I want to be very sensitive and real about is that domestic violence is very real. The stalker situations could very much escalate to violence and abuse. For people in the US who are looking for support, is there a particular place that they can go to?

There are two organizations that I usually recommend. One is the NNEDV—the National Network to End Domestic Violence. The other is Operation Safe Escape. If you’re looking for more information about stalkerware, I recommend checking out the Coalition Against Stalkerware, which both NNEDV and Operation Safe Escape are part of. We are at stopstalkerware.org.

And we will make sure to link all of those in the show notes. I think stopstalkerware.org has a resources page for resources outside the US as well, am I correct?

Yes, we are also working with organizations in Uganda, in India, organizations that are based in Europe. This sort of stalking is not limited to the United States by any stretch of the imagination. It’s not even limited to what we popularly think of “the Western world,” because it is becoming much more common for everyone to own a phone and for that phone to be a smartphone. Once everybody has a smartphone, then it becomes easier to track people using their smartphones.

I assume that in economically challenged countries the likelihood of having the newest phone with the latest firmware and the latest OS is probably a lot lower, and older phones, older firmwares, and older OSes are going to make it easier to get this type of software onto the device and hide it. Just so we have it in the show notes—for anyone listening in the US—the National Domestic Violence Hotline is 1-800-799-7233, and that’s also available at thehotline.org.

If people want to be able to find you online, where can they find you and know more about what you’re doing?

You can find out more about what EFF is up to by going to www.eff.org, you can find me by sending me an email to eva@eff.org—I have the world’s shortest email address—and if you are looking for my thoughts and complaints about malware, you can find me on Twitter where I am @evacide.

Great. Eva, thank you so much for coming on the Easy Prey Podcast today.