Commercial spyware poses a threat to enterprises as well as individuals and civil society, according to an expert panel at Infosecurity Europe 2024.
Security researchers have identified 16 different spyware strains from 11 companies or spyware groups. However, this total masks a wider range of both malicious applications and legitimate software that is at risk of being misused.
This includes both “one click” and “zero click” spyware, targeting smartphones in particular, as well as so-called “stalkerware” and even open source tools that can be used by intelligence agencies, law enforcement or cybersecurity teams as well as criminal hackers to monitor devices and harvest sensitive data.
“Spyware can mean a whole lot of things,” said Brian Honan, CEO of BH Consulting. “There is ‘stalkerware,’ which are apps you can buy to monitor a partner or children’s activities and are sold as tools to help manage their safety, but in the wrong hands can be abused. And we have cybercriminals using information stealers and spyware to infiltrate networks.”
Commercial spyware, for its part, has a more limited market due in part to its high cost.
“There are companies set up to write software to steal information and monitor activity and phone calls,” said Honan. Such software could even turn on microphones and cameras to spy on meetings.
Dual Use Spyware
According to Aude Gery, senior researcher at GEODE, dealing with spyware is made harder still by the “dual use” nature of the technology, and because spyware development exists in a legal grey area. Writing the software itself is legal, but its use could breach human rights laws as well as data privacy legislation.
“There is no prohibition on development of spyware, but it doesn’t mean there is a legal vacuum,” Gery explained. “There are rules that apply that constrain the way governments use these tools.”
These rules include an individual’s right to privacy, which, while not absolute, does require any interference to be proportionate and in pursuit of a legitimate objective. Legal experts suggest that harvesting all the data from a smartphone is not proportionate.
“The fact that these tools are being used by law enforcement is a mismatch between the two,” said Gery.
Human Rights and Cybersecurity
Some states are moving to restrict the development and use of spyware, notably the United States, France and the UK. But, as Honan warned, some developers are also operating openly within the EU, giving them both access to the EU market and association with the bloc’s strong privacy policies. “If you are in the EU you have that legitimacy: the EU has GDPR and you must be aligned with it,” he said. But that assumed legitimacy, he argued, is not borne out in practice.
Honan warned that, as long as spyware is in circulation, cybersecurity teams need to defend against it. Even if a firm is not the target of spyware, an employee might be, perhaps because they used a work device during a protest.
“Talk to your vendor and ask them does their software detect and protect against spyware,” he advised. “If they don’t, talk to one that does.”