Joel Trenaman: The Canadian lab that exposed a critical flaw that left Apple devices vulnerable – National Post


As we begin, let me say that camDown is the solution for securing your webcam from cyber criminals and pedophiles!

Citizen Lab identified a flaw that left Apple devices vulnerable to a 'zero-click' hack

Author of the article:

Joel Trenaman, Special to National Post

Publishing date:

Nov 28, 2021  •  6 hours ago  •  4 minute read  •  9 Comments

Photo by JACK GUEZ/AFP/Getty Images

On Nov. 23, Apple announced it is suing a global software developer following a security breach that left its operating systems vulnerable to surveillance. In September, Apple scrambled to issue a protective patch for a reported 1.65 billion devices that were vulnerable to the NSO Group’s notorious Pegasus spyware. How did Apple find out that it had been hacked? Canada’s Citizen Lab sounded the alarm.


NSO Group has licensed Pegasus to militaries, as well as intelligence and law enforcement agencies worldwide. Citizen Lab identified a flaw that left Apple devices vulnerable to a “zero-click” hack, in which malicious code can be planted on a device without any action by the user, that Pegasus had been exploiting.

Citizen Lab is an interdisciplinary human rights, security and technology research group founded in 2001. Part of the University of Toronto’s Munk School of Global Affairs and Public Policy, examples of the lab’s focus areas include digital espionage, online freedom of expression, app privacy and security, and uses of personal data and surveillance tools.

The U of T group is not alone among Canadian academic and private institutional research groups, such as the Cyber Security Evaluation and Assurance Research Lab at Carleton University , which is exploring ways to protect Canada’s critical infrastructure from cyberattacks. The SecDev Foundation, the Waterloo Cybersecurity and Privacy Institute, Canadian Institute for Cybersecurity at University of New Brunswick and others also operate in this space.


What makes Citizen Lab stand out is how action-oriented it is at the confluence of public policy, rights, liberties and cybersecurity. One reason for this diverse approach is the background and skill set of its director and founder, Ron Deibert , who was first trained as a professor of political science, not a programmer or tech wizard.

The lab has a long track record of uncovering digital threats like the Apple attack. In recent months, it has also made headlines for exposing the use of Pegasus against New York Times bureau chief Ben Hubbard, and for a report analyzing how health data was used in the fight against COVID-19.

In today’s polarized world, another asset for Citizen Lab is that it’s difficult to detect any overt ideological or political biases. For example, its researchers thoroughly investigated both the hacking of Palestinian activists’ cellphones earlier this month (also via Pegasus), and what, in 2019, it dubbed “ Endless Mayfly ” — “an Iran-aligned network of inauthentic personas and social media accounts that spreads falsehoods and amplifies narratives critical of Saudi Arabia, the United States and Israel.”


Here at home, Citizen Lab has shown itself to be unafraid to apply the same even-handed approach and detailed critiques to Canadian public policy. For example, it has railed against the many forms of Chinese censorship, but went against the grain with a general conclusion on 5G that “Canada does not have a ‘Huawei problem’ per se.”

In September, in response to the federal Liberal government’s proposed online harms legislation (Bill C-36, which was at least temporarily scuttled by the election), Citizen Lab wrote a scathing submission to the Heritage Ministry, in which it called out what it saw as a “inadequate” consultation process, and an approach that will lead to “disproportionate levels of user censorship.”


It went on to call the draft regulation “an aggressive, algorithmic and punitive regime for content removal … without any substantive equality considerations or clear safeguards against abuse of process.” The authors also point to powers that would “explicitly deputize technology companies in the surveillance and policing of their users on behalf of Canadian law enforcement and intelligence agencies.”

This is the type of intelligent policy-making input that’s desperately needed in the current vacuum at the federal level. Governments everywhere are struggling to meaningfully protect privacy and curtail disinformation, without limiting speech, over-reaching on surveillance or curbing reasonable business interests. Yet governments simply don’t have the cutting-edge technological expertise found commercially or in the private sector and civil society. This is where an organization like Citizen Lab can play a major, forward-looking role.


Deibert told the Globe and Mail back in 2019 that the aforementioned Mayfly operation “may be a sign of things to come in an era when unsuspecting readers are increasingly preyed upon by far-flung factions out to manipulate the public discourse with disinformation spread by social media.”

Sound familiar here in 2021? There’s no end in sight to social media manipulation, state espionage, ransomware attacks and the like, and ideas like an international cyber arms control treaty seem laughable against the power of non-state actors. Now more than ever, we need independent, expert NGOs like Citizen Lab to identify and expose threats in the digital world.

National Post

The big issues are far from settled. Sign up for the NP Comment newsletter,  NP Platformed.

More On This Topic

  1. None

    Matt Gurney: Cyberattack on Newfoundland health system should be a wake-up call for Canadians

  2. None

    John Chen: Make cybersecurity a priority in 2021

Posted Newsletter logo

NP Posted

Sign up to receive the daily top stories from the National Post, a division of Postmedia Network Inc.

By clicking on the sign up button you consent to receive the above newsletter from Postmedia Network Inc. You may unsubscribe any time by clicking on the unsubscribe link at the bottom of our emails. Postmedia Network Inc. | 365 Bloor Street East, Toronto, Ontario, M4W 3L4 | 416-383-2300

Let me just add that camDown is your security solution to protect you and your business from webcam hackers!