To assist in safeguarding journalists from spyware on their devices, Reporters Without Borders (RSF) in Taipei provides journalists with a free service that checks devices for signs of compromise by using the open-source tool SpyGuard.
The use of spyware against journalists is on the rise, particularly for those reporting on authoritarian regimes. While digital security tools such as DangerZone can help mitigate the risk of opening files, spyware can be installed remotely and offline, and is a particular risk when a journalist’s devices are seized by law enforcement. Digital attacks often go unnoticed, so it is vital that journalists regularly check if their devices are compromised.
Free of charge security checks
The RSF Asia-Pacific Bureau in Taipei offers journalists the opportunity to have their devices physically analysed for signs of spyware using the open-source tool SpyGuard.
- SpyGuard checks for signs of spyware. By analysing the internet traffic going to and from the device, much like an Internet Service Provider (ISP) would, SpyGuard can detect suspicious connections and identify potential indicators of compromise by spyware and other network anomalies.
- Analysis takes at least 10 minutes. Any suspicious internet traffic going to and from the device in that time will be picked up by SpyGuard and flagged as a potential “Indicator of Compromise” (IOC). Ten minutes is considered sufficient to take a “picture” of the device’s internet traffic.
- No personal data is collected except the Wi-Fi access points the device was connected to. The SpyGuard station only captures network traffic, much like an ISP; it does not collect any other personal data and does not install any software on the device.
How to interpret the results
- Green: no obvious indicator of compromise detected. However, this does not guarantee 100% that the device is free of malware: very sophisticated spyware may evade detection by disguising itself as legitimate network activity.
- Orange: moderate indicator of compromise detected. In such cases, some indicators, such as IP addresses reached over suspicious network protocols, need further analysis to resolve doubts. The produced report can be sent to RSF cyber experts and/or the RSF Digital Security Lab (DSL) for further investigation to confirm any suspicious activity or rule out false positives.
- Red: critical indicator of compromise detected. The device is likely compromised. Journalists are advised to immediately contact the RSF cyber experts and/or the RSF Digital Security Lab for investigation and cease using the device. Journalists should know that the DSL’s forensic analysis of their device will be much deeper and will also likely analyse their data and backups with the journalist’s consent.
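The two lists above describe a network-side check: each outbound connection seen during the capture is compared against a collection of Indicators of Compromise, and the worst match decides the colour. The following is an added illustration written for this page, not SpyGuard's own code. Every IOC entry, IP address (documentation ranges only), `.invalid` domain, port list and capture line in it is constructed for the example, and the severity-to-colour mapping is an assumption chosen to mirror the green/orange/red scale described here.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed IOC lists (documentation-range IPs, .invalid domains).
# Each entry carries a severity; "moderate" maps to orange and
# "critical" to red on the traffic-light scale used by the RSF page.
IOC_DOMAINS = {
    "c2-telemetry.invalid": "critical",
    "update-cdn-mirror.invalid": "moderate",
}
IOC_NETWORKS = {
    ip_network("203.0.113.0/24"): "critical",
    ip_network("198.51.100.0/25"): "moderate",
}
# Ports an ordinary phone or laptop is expected to use; anything else is a
# "suspicious protocol" heuristic that merits a closer look (assumed list).
COMMON_PORTS = {53, 80, 123, 443, 587, 993, 5223}

SEVERITY_RANK = {"moderate": 1, "critical": 2}
VERDICT = {0: "green", 1: "orange", 2: "red"}


@dataclass
class Flow:
    ts: str
    dst_ip: str
    dst_port: int
    host: str = ""  # SNI or HTTP Host header, if seen


@dataclass
class Finding:
    flow: Flow
    reason: str
    severity: str


def parse_capture(lines):
    """Parse constructed 'ts dst_ip dst_port [host]' lines into Flow records."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        host = parts[3] if len(parts) > 3 else ""
        flows.append(Flow(parts[0], parts[1], int(parts[2]), host))
    return flows


def match_flow(flow):
    """Compare one flow against the IOC lists and the port heuristic."""
    findings = []
    host = flow.host.lower().rstrip(".")
    for domain, sev in IOC_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            findings.append(Finding(flow, f"domain IOC {domain}", sev))
    addr = ip_address(flow.dst_ip)
    for net, sev in IOC_NETWORKS.items():
        if addr in net:
            findings.append(Finding(flow, f"IP IOC {net}", sev))
    if flow.dst_port not in COMMON_PORTS:
        findings.append(Finding(flow, f"uncommon port {flow.dst_port}", "moderate"))
    return findings


def analyse(flows):
    """Return (verdict, findings); the verdict is the worst severity seen."""
    findings = [f for flow in flows for f in match_flow(flow)]
    worst = max((SEVERITY_RANK[f.severity] for f in findings), default=0)
    return VERDICT[worst], findings


# Three constructed captures, one per verdict colour.
CAPTURES = {
    "green": """
        # ordinary traffic: DNS and HTTPS to unlisted hosts
        12:00:01 192.0.2.53 53
        12:00:02 192.0.2.10 443 www.example.com
    """,
    "orange": """
        12:00:09 198.51.100.7 443 update-cdn-mirror.invalid
    """,
    "red": """
        12:00:15 203.0.113.44 8443
    """,
}


def run_capture(name):
    return analyse(parse_capture(CAPTURES[name].splitlines()))


if __name__ == "__main__":
    for name in CAPTURES:
        verdict, findings = run_capture(name)
        print(f"{name:>6}: verdict={verdict}")
        for f in findings:
            print(f"        {f.flow.ts} {f.flow.dst_ip}:{f.flow.dst_port} {f.reason} ({f.severity})")
```

The green capture produces no findings, which is exactly the limitation the page notes: a verdict of green means nothing matched the IOC list during the capture window, not that the device is clean. The orange capture matches only moderate entries and so hands the report on for further analysis, while the red capture contains a critical IP match and also trips the uncommon-port heuristic, which is why a single critical hit is enough to turn the whole result red.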
Limitations of SpyGuard
- It can only detect malware that is active during the analysis, based on a collection of Indicators of Compromise.
- It cannot detect if a journalist’s online accounts have been compromised, such as email and social media.
- SpyGuard is only a detection tool; it cannot remove spyware it spots, so journalists should consider other forensic analysis and support for an advanced assessment and potential remediation.
→ Contact us if you would like to schedule an appointment to analyse your device in Taipei.
Combined with SpyGuard analysis, the RSF Digital Security Lab’s analysis is highly recommended in order to resolve doubts about advanced spyware infection.