Jay Gibson, another developer of iOS vulnerabilities for Trenchant, was given some pretty terrifying news by Apple. His personal iPhone was hit in a government-sponsored mercenary spyware attack. This ominous alert serves as a reminder of the risks faced by those who develop surveillance technologies. The more popular these tools become, the more the potential victims eclipse the gainers by a wide margin.
Trenchant is a consultancy focused on building smart surveillance technologies to counter Western government hacking technologies. Jay Gibson was part of the hard charging team that created iOS zero-days and spyware. Though, unlike Blazakis, he did not get access to the company’s Chrome zero-days. Trenchant is a small, nimble, passionate subsidiary of L3Harris. In 2018, L3Harris, along with zero-day developers Azimuth and Linchpin Labs, merged those companies into one another to create Trenchant.
When receiving the threat notification from Apple, Gibson said he was blindsided by the disclosure. Unfazed, he swung into action to protect himself right away by buying a new phone. Gibson wondered whether the notification was related to his recent exit from Trenchant. The company had been beginning to suspect him of leaking vulnerabilities under embargo for Google Chrome.
little start-up from Durham on February 3, Gibson had an unexpected appointment when Peter Williams, then-general manager at Trenchant, arrived. At this meeting, Williams told Gibson that the company had determined that Gibson was double-dipping and moved to suspend him. The company is taking a hard look at these charges. More significantly, they demanded Gibson provide a full image of his device so that it could be perused through forensic analysis. He declined this request.
Following an internal investigation, Trenchant offered Gibson a settlement agreement and payment, but he was ultimately fired from the company. All his work devices were confiscated for forensic analysis along the way. Only a month prior to the alert from Apple, Gibson had participated in a team-building exercise hosted at Trenchant’s London headquarters. Little did he know, his career was soon headed for a serious crisis.
Yet Gibson’s experience is indicative of a more worrisome pattern emerging in the cybersecurity industry. The targeting of individuals who develop exploits and spyware emphasizes how widespread and indiscriminate the use of these tools can be.
“I have mixed feelings of how pathetic this is, and then extreme fear because once things hit this level, you never know what’s going to happen.” – Jay Gibson
Looking back on his time at Trenchant, Gibson expressed his sense of having been wrongly cancelled. He stated, “I know I was a scapegoat. I wasn’t guilty. It’s very simple.” His words speak to the greater conflict between devs and their employers in an industry already beleaguered by fire and brimstone.
Gibson expressed his frustration about his dedication to his work, saying, “I didn’t do absolutely anything other than working my ass off for them.” This statement underscores the challenges faced by professionals in the cybersecurity field who often operate under intense pressure and high expectations.
The recent incident underscores a broader, and very important, cautionary tale about the creation of surveillance tools. Perhaps most importantly, it illustrates just how easy it is for industry insiders to be made vulnerable to the very technologies that they help develop. The use of zero-days for spyware is now drawing the outrage of a more general public. This growing trend presents serious and immediate privacy and security implications as our world becomes more integrated.