Skip to content

Numbers Station - Protecting journalists, politicians from hacks

How did your company get stated?

Numbers Station located in Ottawa has developed an app (Numbers Station for iOS, available on the App Store) to protect journalists and others at risk from threat actors like the NSO Group, Cytrox, etc. We're already working with a small number of Canadian investigative journalists (and some overseas) that are at high risk of attack from these groups, some have been attacked in the past, and we would like to make the cyber security community aware of how our app can protect other users as well. When was the last time an enterprise pen test had a compromised iOS device in scope for the test? It's assumed they won't be compromised, but as recent media coverage shows, for those at high risk from state sponsored attack, that cannot be assumed. A state sponsored threat actor could use a compromised mobile device as the initial access point to harvest passwords/tokens and to authenticate as the user even when 2FA/MFA is enabled (due to the device being used for 2FA/MFA auth).

You may have seen recent media coverage on Apple's emergency patch (iOS 16.6.1) resolving a vulnerability that the NSO Group was caught using to exploit a US based individual. This vulnerability is a good example of one that our app would have protected against, even before the exploit was discovered and a patch created. This vulnerability can be exploited through all messaging apps, including Signal, since they all use ImageIO for image processing for creating thumbnail images in new message notifications as well as within the app itself for displaying thumbnails and images in conversations. NSO just happened to be caught using iMessage, likely since more of their iOS targets use it than any other messenger app. There were likely thousands of global victims compromised via this exploit before it was discovered. Our app also protects against any vulnerabilities that could be successfully exploited even when Lockdown Mode for iOS is enabled.

Since these threat actors primarily attack victim's iOS devices using exploit chains delivered via messaging apps, we created a messaging app that quarantines inbound messages potentially containing these types of attacks without performing any processing at all on the payload of the message to avoid triggering an exploit chain. This makes it impossible for them to be used as a "zero-click" exploit. Our user will always be aware that a message arrived, who it came from (typically someone unknown if an attack) and have the option of opening it in a controlled way that limits their risk (text only, no image or attachment processing), opening it with text only and then saving images and attachments to an external device without any local processing to ensure the iOS device remains secure or just opening it all on the device and taking the risk. No matter which choice they make though, they are aware so a "zero-click" cannot happen. This is especially important for journalists and others that post their messaging app contact details in public places like their Twitter or LinkedIn bios to allow new sources or potential customers to contact them, with our app you can still receive messages from unknown and untrusted senders but in a way that does not put your device at risk.

Our quarantine system also makes it easy for any suspicious messages, images or attachments to be submitted to us by a user (it does not happen without a user initiating it) for automated analysis where ones that have the potential to be exploits are then manually reviewed. We would then inform the user if an attack is confirmed and provide the details to Apple for a patch to be created to protect all iOS users. Normally it is very difficult to analyze and obtain the exploit chain used against an iOS device even when a compromise is suspected and the device is provided to a forensics team. This is because after successful exploitation, threat actors clean up any evidence left behind to protect their exploit chains and avoid detection in general. Sometimes exploit chains partially fail so this clean up code is not executed leaving traces behind or attackers can be careless as well and not bother cleaning up. Numbers Station preserves the exploit for analysis in our app's quarantine zone ensuring rapid and easy analysis can be performed.

In addition to the above protection, we also offer protection against message extraction from a seized device by tools like Cellebrite or GrayKey (even when the device is unlocked by them). Our app uses end-to- end encryption for all messages, implemented using Apple's CryptoKit API (same encryption strength as other messaging apps like Signal), and also offers an optional layer of quantum-safe end-to-end encryption underneath the traditional layer (something no other app is offering). Importantly, the app also does not use phone numbers or e-mail addresses as identifiers or to login (we have zero information about our users, none at all!) and the app does NOT request access to your contacts, GPS/location, microphone, photos, etc., unlike other messaging apps that want access to all categories. Visit Numbers Station