Time To Clip The Wings Of NSO And Its Pegasus Spyware

from The Observer

What’s the most problematic tech company in the world? Facebook? Google? Palantir? Nope. It’s a small, privately held Israeli company called NSO that most people have never heard of. On its website, it describes itself as “a world leader in precision cyberintelligence solutions”. Its software, sold only to “licensed government intelligence and law-enforcement agencies”, naturally, helps them to “lawfully address the most dangerous issues in today’s world. NSO’s technology has helped prevent terrorism, break up criminal operations, find missing people and assist search and rescue teams.”

So what is this magical stuff? It’s called Pegasus and it is ultra-sophisticated spyware that covertly penetrates and compromises smartphones. It’s particularly good with Apple phones, which is significant because these devices are generally more secure than Android ones. This is positively infuriating to Apple, which views protecting its users’ privacy as one of its USPs.

How does Pegasus work? Pay attention, iPhone users, journalists and heads of government: your cherished and trusted device will emit no beep or other sound when it’s being hijacked. But the intruder has gained entry and from then on everything on your phone becomes instantly accessible to whoever is running the spyware. Your camera can be secretly activated to take photographs, for example, and your microphone switched on at the whim of a distant watcher or listener. Everything you type on iMessage or WhatApp will be read and logged. And you will have no idea that this is happening. You’ve been “Pegasused”, as it were. And the perpetrator may well be a government, which is interesting if you happen to be a president like Emmanuel Macron or a prime minister like Imran Khan, but potentially fatal if you happen to be a journalist like Jamal Khashoggi. Those of us who follow these things have known about NSO for quite a while, mainly thanks to the Citizen Lab at the University of Toronto, which is the nearest thing civil society has to the National Security Agency. Its researchers have done sterling work tracing the ways in which journalists’ phones have been Pegasused by authoritarian regimes. In December last year, for example, the Lab published the report of an investigation that showed how Pegasus spyware had been used to hack into 36 personal phones belonging to journalists, producers, anchors and executives at Al Jazeera and a phone of a London-based journalist at Al Araby TV. The phones were compromised using an invisible zero-click exploit in iMessage. The hacking was done by four Pegasus customers, two of which appeared to be Saudi Arabia and the United Arab Emirates (UAE).

More here.

Posted in Privacy and tagged , , , , , , , , .

7 Comments

  1. I was drawn to this article because of its relevancy in today’s world. Almost every time I go to turn on the news, I’ll find that there is a new online information scandal, weather it be Facebook, Yahoo, etc. This idea that all of my personal information can be used to other people’s advantage is very scary, so naturally I stay away from “riskier” companies. This article, however, describes that the biggest threat to cybersecurity is from NSO, a small company that has developed a software called Pegasus. This spyware can tap into smartphones instantly and from anywhere. In addition it can control all smartphone functions and access all it’s information without leaving a trace. This ability has mainly been used by European governments to this point, but many people feel as if it will become unacceptable. Personally, I feel as if we should try to get rid of, if not limit the power of NFO because if if in the wrong hands, can be troublesome. Throughout history, whenever a country gains power, another will try to replicate that power. For example, once the atomic bomb was figured out, nations spent years trying to steal the “formula”. If the world gets to the point where a nations power is based on all of the illegal information it has, no one’s personal information will be safe as it will be used to generate more power for any given country. This is a very confusing yet intriguing topic, and I personally would not be surprised if NFO’s name is in the news for time to come.

  2. NSO, a small privately held Israeli company that claims their technology has helped prevent terrorist attacks, breakup criminal operations, and help find missing people and assist search and rescue teams is the same spyware that could be using your phone right now. The name of this “magic stuff” is called Pegasus which is an ultra-sophisticated spyware that covertly hacks into phones. More specifically iPhones, this next-level technology is able to hijack your phone without you having a clue. While the company claims to only send their technology to sovereign governments and is not responsible for what is done with their technology. They are often being compared to arms manufacturers because they are selling what many would consider high tech weapons. Many countries such as Mexico, Hungary, and India have been discovered to use/ have some connection to Pegasus. In my opinion this was bound to happen, eventually we would be fighting “mini-wars” with our smaller and smarter electronic devices. As just about everyone either has an iPhone or at least knows someone who does, the power of Pegasus is off the charts. Even some of the most important people in our legal system use iPhones everyday and who knows what important information could be on their phones. Coming from my perspective I am not too worried about the data on my phone being attacked because I make sure to ensure that all important information is not on the web. Yet, with Apple trying to make the world digital with their new tracking keychain and the use of apple wallet, people’s money and goods are at risk. The next question is how the US can stop this as it is hard to deal with these sovereign countries as seen today. The question that comes to my mind from a legal standpoint is whether this is the duty of the government or the apple company to combat. It is the job of apple to ensure that peoples information stays protected and that they have no fear of their phone being used as a spy device. In this day and age hackers are becoming more and more of an issue, and I believe it is the governments job to step in and stop them.

  3. The services and products that are made available by the Israeli technology firm that is known as the NSO Group have allowed governments and potentially other customers to remotely infiltrate and spy on the electronic devices of whomever they choose. Their Pegasus spyware is so newsworthy because it can affect iPhones directly. Exploits for computers running Windows and Mac OS are far more common, even phones running Android have been vulnerable to hacks in the past. Apple’s iPhone, however, runs an operating system known as iOS. The big difference between iOS and these other systems is that iOS is a closed system. Closed systems have historically made device security a lot easier, although there have been ways around this in the past.
    Information exists in multiple locations, phone records are an example of that. The government has been able to subpoena phone records from the carriers like Verizon and AT&T without warrants, but with the existence of tools like Pegasus, they don’t even need to bother going through the phone carriers. They are able to access the phone directly and take every bit of information without going through a third party. Pegasus is able to do this by relying on exploits known as “zero-days”. Zero-day refers to the fact that the exploit is unknown to the creator of the software, therefore they can not prevent it. NSO finds ways to exploit software and uses those exploits to allow its tools like Pegasus to infiltrate phones. NSO isn’t the only one interested in finding these zero-day exploits, companies like Apple offer up to six-figure and seven-figure rewards to researchers who can demonstrate these exploits to them. This allows them to develop new software that can fix the problem before it can be used by companies like NSO or others with malicious intent.
    NSO is obviously good at finding these exploits, and it’s obvious why they don’t submit them to Apple. Their annual revenue, which is made possible by granting governments licenses to these exploits, is a lot more than the money they could make by selling the exploits to Apple. Microsoft called this business model “dangerous” and also worried that because NSO is a private company, their surveillance tools would not be subject to the same laws that government agencies supposedly follow when spying on people. Tech companies are mainly the ones joining legal battles against NSO, it makes sense because they are the ones whose products are affected by this so they have a vested interest in protecting their products. They want to let their customers know that their information is protected.
    I think that companies like NSO might eventually face legal repercussions that prevent them from licensing this spyware, but even if they did, I don’t think that it wouldn’t prevent governments from picking up employees who work at firms like NSO and developing spy tools in-house. Technology will keep evolving and the laws that regulate it will need to keep up.

  4. Similar to the topic I have chosen for research, corporate espionage or corporate spying is the topic of NSO, a private company with headquarters in Israel that sells sophisticated spy software called Pegasus. While NSO states on its website that the software is sold “only to licensed government intelligence and law-enforcement agencies,” Pegasus is being used by NSO’s clients to hack people’s phones. Once an intruder has hijacked a cell phone or an iPhone, they have gained access to everything on the phone including the camera, microphone, texts, etc. The Pegasus Project, launched by Amnesty International in collaboration with the Organized Crime and Corruption Reporting Project and 16 other media organizations, has uncovered 50,000 phone numbers that were entered into a system used for targeting by Pegasus. Apple is disgusted with these discoveries since they are a company that values customer privacy.

    Whether it’s stealing trade secrets or hacking into phones to gain access to all the information there is to know about someone, cybersecurity is a huge issue everywhere. Spying is also a violation of the constitutional right to privacy recognized in 1965 in the Griswold v. Connecticut case. The Bill of Rights says that everyone has the right to not have the privacy of their communications infringed. What NSO is doing is enabling hackers to violate this right without alerting their victims.

    According to the Business and Human Rights Resource Centre, “WhatsApp filed suit in California state court against NSO Group, an Israeli spyware vendor, alleging that the company had hacked the WhatsApp server to plant Pegasus spyware on 1,400 user devices worldwide, targeting journalists, lawyers, religious leaders, and political dissidents. Plaintiffs argue that this is in violation of the U.S. Computer Fraud and Abuse Act (CFAA) and California Comprehensive Data Access and Fraud Act and seek damages as well as an injunction to prevent NSO Group from accessing its computer system.”

    It makes sense that the case would be filed in California being that they are one of the only states in the U.S. that have these types of protection laws. Since big data has been developed and technology has grown more prominent, legal and ethical consumer privacy cases have been arising. I am hoping that cases like this will be taken into consideration by all of the other states in the U.S. since software like Pegasus can be used to collect private information about citizens and use it to steal their identity, frame them for crimes, or anything else that a hacker wants to do with it. It is a scary and realistic fear.

    https://www.business-humanrights.org/en/latest-news/nso-group-lawsuit-re-hacking-whatsapp-users/

  5. With the advent of modern technology, for a long time, there has been a long-standing privacy concern around the world: can we be monitored inside of our own homes? Publicly, the answer to this has been no. Corporations and governments have always told us how they would never breach privacy to spy on customers/citizens. Dozens of movies, books, and other forms of media have depicted what the world may be like if we lived in a dystopian total surveillance government. Take 1984 for instance; although its focus is more on the authoritarian mind-control side of an omnipresent government, it still displays the impacts that surveillance and monitoring could have on society. The information provided in the article only confirms the decade-old conspiracies that have circulated the internet: the government wants to see what we’re up to, at home or otherwise. Despite NSO championing itself as a company that “helps prevent” issues of terrorism and organized crime, it is apparent that the technology they provide can be, and likely has been, used to privately monitor innocent civilians. Even if we were to disregard the loaded implication of this software for a moment, the ability for a corporation to legally distribute this kind of tech is absurd. Sure, they publicly admitted which countries have bought their product, but who knows who else could gain access to it. Government breaches have long been an issue, and to pretend that couldn’t happen to Pegasus is baffling. Having access to that form of information could be incredibly powerful for military tactics and propaganda. Imagine if a terrorist group, or even a bigoted government, were somehow to gain access to the personal information of hundreds of individuals, seeing their social media posts, their private conversations, and even what they do in their own homes. There are a number of governments and groups around the world that could cause mass havoc with this kind of information: Extremist Middle-Eastern countries could more effectively hunt down gay individuals to execute them for their sins; the Chinese government could find defectors or protestors, like what we saw in Hong Kong, to further their agenda; the situation in North Korea could be exacerbated; journalists could be silenced. The list of possibilities is endless. This form of tech should not be available for any market. It should not be sold, distributed, or even manufactured. There is no leadership in this world that could be trusted with maintaining and controlling this technology, and it should be globally outlawed, just as we had done with nuclear weaponry.

  6. I always try to be informed about the devices I use, from my computers to my phone. Especially because of the data leaks from companies like Facebook that pose a threat to myself and other people who value their privacy. After reading this article, I was surprised how NSO, an Israeli Company can use its Pegausu spyware to tap into phones and steal all the information without you even having the slightest idea that your phone is being hijacked. The article claims that the technology has been used to prevent terrorism and locate missing people, but I don’t think people will use the spyware to that degree. What’s even worse is that NSO sells its technology to governments, but will not be held responsible for any harm done to the victims of its spyware. In most cases, a warrant needs to be presented to a phone carrier to access an individual’s private info, but now this technology allows that step of the law to be bypassed. If I had a huge tech company like Apple, I would also be outraged at how easily this company can access my customer’s info. I have also read some time ago that Apple pays anyone who can find an exploit in regards to their security system. I don’t see NSO planning on doing it anytime soon. Growing up in my household, my parents always feared using any type of credit or debit card online because of how easily information can be stolen through the internet. Most of the time, my parents would pay my older sister in cash, and order anything they needed with her information, but now we use our card information casually while avoiding sketchy websites. I would like to see how legal battles play out against NSO and if tech companies, especially Apple, can patch up these exploits and reassure customer’s privacy.

  7. With the knowledge I’ve gained throughout writing my research project regarding companies invading consumers’ data privacy, it does not surprise me that governments can have even deeper access to civilians’ phones. In this digital age, police often do not need to show probable cause of a crime when they want to find out details about civilians’ lives that they used to find in homes. Instead, they’re able to get private files from corporations that store people’s records on their computers. Your everyday businesses/corporations already have access to what millions of smartphone users confess to apps, including when they want to work on their belly fat or the price of the house they checked out last weekend. Other apps know users’ body weight, blood pressure, menstrual cycles, or pregnancy status. Unbeknown to most people, in many cases that data is being shared with someone else.

    That reminded me of the spyware introduced in this article by NSO called Pegasus which can remarkably exploit Apple phones which are notorious for their security and user privacy. The justification for companies’ access to consumers’ data is to yield insights for advertisers so they can segment and better target their audience and eventually turn people into repeat customers. Conversely, the justification for Pegasus is to help “licensed government intelligence and law-enforcement agencies lawfully address the most dangerous issues in today’s world. NSO’s technology has helped prevent terrorism, break up criminal operations, find missing people and assist search and rescue teams.” I believe the NSO’s reasoning is rational as it relates to the safety of innocent people. Being that the spyware is not accessible to anyone is relieving as opposed to if anyone was able to gain entry to everything on our phones. I do believe that there should be restrictions. Those with access to Pegasus should not be able to search anyone’s phone at their discretion, there should be probable cause and approval from the head of the agency before hijacking anyone’s phone.

    As consumers learn and become more informed about their data rights and how businesses are using their data, pleas from consumers to have their data adequately secured and protected are happening now and have been for several years. Relatively, when civilians learn that they could possibly be one of the “more than 50,000 phone numbers allegedly entered into a system used for targeting by Pegasus” found by journalists, that may result in some retaliation. Additionally, consumers seeking fool-proof phones may now be discouraged from buying an iPhone (which is generally more secure than Androids) once they learn that Pegasus is capable of penetrating it.

Leave a Reply

Your email address will not be published. Required fields are marked *