How do we address state-sponsored spyware / non-state espionage firms that use ads as an attack vector?

According to a Haaretz article, Israeli cyber firms have developed the technology to deliver very advanced spyware through commercial, very-targeted advertising (Revealed: Israeli Cyber Firms Have Developed an 'Insane' New Spyware Tool. No Defense Exists - Israel News - Haaretz.com) (https://archive.ph/Vkxt1). Also see RestorePrivacy’s article at State Spyware Extensively Using Ads as Distribution Channel | RestorePrivacy.

With this technology, they can target people with very specific characteristics. An example from the article:
“However, these technologies can also be used for security aims, such as for surveilling suspected targets, even without knowing personal information about them. One can imagine, for example, an advertising campaign that is geared toward an audience of nuclear scientists of Iranian origin between the ages of 35 and 65 who passed through the airport in Tehran over the past year. After these individuals are profiled and receive the first ads, they can continue to be targeted over time; the technology can pinpoint where they traveled and when.”

If it is possible to do that, is it also possible for them to detect people using the Tor Browser and send advertisements with spyware crafted specifically to infect anyone who is viewing via the Tor Browser?

With millions of people using the Tor Browser every day, such ad-based malware could be used to deanonymize a lot of people. And the targets would never know, since they cannot tell a relatively benign ad on a webpage from a malicious one. A threat actor like Insanet or NSO Group could collect a lot of intelligence that way, as could a state-sponsored threat actor who may or may not have purchased their tools.

How can we protect against this attack? We can set NoScript to the safest privacy level, but a large number of websites do not work at the safest privacy level. This forum does not work well without JavaScript, for example. The archive website requires Tor users to pass a captcha that requires JavaScript as well. But without the safest privacy level, Tor Browser does not block advertisements. The theory is that adding an adblock extension like uBlock Origin could result in browser fingerprinting. But without something like uBlock Origin, how do we defend against this attack when we visit a website that requires JavaScript? For all we know, Google is already cooperating with the NSA to send malicious ads to anyone that it detects as a Tor user, allowing the NSA to hack their computers or at least deanonymize them. If they are not doing that, they could very well do that in the future, especially given how obedient big tech is to the government.

Is this new threat enough justification to add uBlock Origin in addition to NoScript to the default Tor Browser configuration? Perhaps uBlock Origin could be modified so that the user cannot choose their filter lists or change their uBlock Origin settings, so that everyone’s settings are identical. Would that result in identical fingerprints between Tor users, while still allowing for some degree of protection against this type of attack? Or is that still not a good idea?

How can we solve this problem?

2 Likes

Are you sure that this is what will happen??? Or are you assuming that will happen? Does that “Insane” spyware actually exist??? I know I’m here to educate myself and learn what the dynamics are. It is common respect to not get into other people’s business or try to spy on them or whatever the ulterior motive that one is paranoid about. You may just be overthinking and that “Spyware” hasn’t even thought about engaging in that behavior.

In Tails, this appears to be what the devs have done. I cannot add/update the lists in uBO; there are a few preselected, I assume by the Tails devs.

Perhaps others could better answer the other questions you have.

Thank you for your comment.

1 Like

Thank you for your comment. Please read the accompanying articles in my original post.

If Tails does this, why does the regular Tor Browser not do this?

There is a ticket for it.

1 Like