The world’s most sophisticated commercially-available spyware may be being abused, according to an investigation by 17 media organisations in ten countries. Intelligence leaks and forensic phone analysis suggests the surveillance software, called Pegasus, has been used to target and spy on the phones of human rights activists, investigative journalists, politicians, researchers and academics.
NSO Group, the Israeli cyber intelligence firm behind Pegasus, insists that it only licenses its spyware to vetted government clients in the name of combating transnational crime and terrorism. It has labelled reports from investigative journalists a “vicious and slanderous campaign” upon which it will no longer comment.
Yet the founder and chief executive of NSO Group previously admitted that “in some circumstances, our customers might misuse the system”. Given that the group has sold its spyware to a reported 40 countries, including some with poor records of corruption and human rights violations, it is alleged that Pegasus has been significantly misused, undermining the freedom of the press, freedom of thought and free and open democracies.
These revelations are the latest indication that the spyware industry is out of control, with licensed customers free to spy on political and civilian targets as well as suspected criminals. We may be heading to a world in which no phone is safe from such attacks.
How Pegasus works
Pegasus is regarded as the most advanced spyware on the market. It can infiltrate victims’ devices without their even having to click a malicious link – a so-called “zero-click attack”. Once inside, the power Pegasus possesses to transform a phone into a surveillance beacon is astounding.
It immediately sets to work copying messages, pictures, videos and downloaded content to send to the attacker. As if that is not insidious enough, Pegasus can record calls and track a target’s location while independently and secretly activating a phone’s camera and microphone.
With this capability, an infected phone acts like a fly on the wall, seeing, hearing and reporting back the intimate and sensitive conversations that it watches continuously.
There is previous evidence of Pegasus misuse. It was implicated in the alleged hacking of Jeff Bezos’ phone by the crown prince of Saudi Arabia in 2018. The following year, it was revealed that several Indian lawyers and activists had been targeted by a Pegasus attack via WhatsApp.
The new revelations suggest that Pegasus was used to watch Mexico’s president, Andres Manuel Lopez, and 50 members of his inner circle – including friends, family, doctors and aides – when he was an opposition politician. Pegasus has also been linked to the surveillance of Rahul Gandhi, the current political rival to Prime minister Narendra Modi.
A Pegasus infiltration has also now been found among phones belonging to the family and friends of murdered journalist Jamal Khashoggi, and there are indications that Pegasus may also have been used by a Mexican NSO client to target the Mexican journalist Cecilio Pineda Birto, who was murdered in 2017.
Although the power of Pegasus is shocking, spyware in its various forms is far from a new phenomenon. Basic spyware can be traced back to the early 1990s. Now it is a booming industry with thousands of eager buyers.
At the base of the spyware industry are the lesser snooping tools, sold for as little as $70 on the dark web, which can remotely access webcams, log computer keystrokes and harvest location data. The use of such spyware by stalkers and abusive partners is a growing, concerning issue.
Then of course there’s the global surveillance estate that Edward Snowden lifted the curtain on in 2013. His leaks revealed how surveillance tools were being used to amass a volume of citizens’ personal data that seemed to go well beyond the brief of the intelligence agencies using them.
In 2017, we also learned how a secret team of elite programmers at the US National Security Agency had developed an advanced cyber-espionage weapon called Eternal Blue, only for it to be stolen by the hacker collective Shadow Brokers and sold on the dark web. It was this spyware that would later be used as the backbone of the infamous 2017 Wannacry ransomware attack, which targeted the NHS and hundreds of other organisations.
Why Pegasus is different
When the Snowden leaks were published, many were shocked to learn of the scale of surveillance that digital technologies had enabled. But this mass spying was at least developed and conducted within state intelligence agencies, who had some legitimacy as agents of espionage.
We are no longer debating the right of the state to violate our own rights to privacy. The Pegasus revelations show we have arrived in a new, uncomfortable reality where highly sophisticated spyware tools are sold on an open market.
To be under no illusion, we’re referring here to an industry of for-profit malware developers creating and selling the same types of tools – and sometimes the very same tools – used by “bad hackers” to bring businesses and government organisations to their knees.
In the wake of the Pegasus revelations, Edward Snowden has called for an international spyware ban, stating that we are moving towards a world where no device is safe. That will certainly be the case if Pegasus meets the same fate as Eternal Blue, with its source code finding its way onto the dark web for use by criminal hackers.
We have only just begun to fully contemplate the full implications of Pegasus on our collective privacy and democracy. Without transparency, we have no sense of how and under what circumstances Pegasus is licensed, who has the authorisation to use Pegasus once it’s licensed, under what circumstances a license may be revoked, or what international regulations are in place to police against its abuse.
Evidence suggests that Pegasus has been misused and greater accountability and oversight is needed. We must also seek to rekindle important debates around enforceable controls on the creation and sale of corporate spyware. Without this, the threat that Pegasus and future spyware tools pose to privacy will not be limited to the high-profile targets that have so far been revealed but will be a threat to us all.
Christian Kemp is a Lecturer, Criminology at the Anglia Ruskin University. Courtesy: The Conversation.
❈ ❈ ❈
Another article published by David Pegg and Paul Lewis and reproduced in The Wire – “Edward Snowden Calls For a Global Moratorium on Spyware Trade” – gives extracts from an interview of Edward Snowden given to the Guardian. Extracts from the article:
Governments must impose a global moratorium on the international spyware trade or face a world in which no mobile phone is safe from state-sponsored hackers, Edward Snowden has warned in the wake of revelations about the clients of NSO Group.
Speaking in an interview with the Guardian, Snowden said the consortium’s findings illustrated how commercial malware had made it possible for repressive regimes to place vastly more people under the most invasive types of surveillance.
For traditional police operations to plant bugs or wiretap a suspect’s phone, law enforcement would need to “break into somebody’s house, or go to their car, or go to their office, and we’d like to think they’ll probably get a warrant”, he said.
But commercial spyware made it cost-efficient for targeted surveillance against vastly more people. “If they can do the same thing from a distance, with little cost and no risk, they begin to do it all the time, against everyone who’s even marginally of interest,” he said.
If you don’t do anything to stop the sale of this technology, it’s not just going to be 50,000 targets. It’s going to be 50 million targets, and it’s going to happen much more quickly than any of us expect.
Part of the problem arose from the fact that different people’s mobile phones were functionally identical to one another, he said.
When we’re talking about something like an iPhone, they’re all running the same software around the world. So if they find a way to hack one iPhone, they’ve found a way to hack all of them.
He compared companies commercialising vulnerabilities in widely used mobile phone models to an industry of “infectioneers” deliberately trying to develop new strains of disease.
“It’s like an industry where the only thing they did was create custom variants of Covid to dodge vaccines,” he said.
Their only products are infection vectors. They’re not security products. They’re not providing any kind of protection, any kind of prophylactic. They don’t make vaccines–the only thing they sell is the virus.
Snowden said commercial malware such as Pegasus was so powerful that ordinary people could in effect do nothing to stop it. Asked how people could protect themselves, he said:
What can people do to protect themselves from nuclear weapons?
There are certain industries, certain sectors, from which there is no protection, and that’s why we try to limit the proliferation of these technologies. We don’t allow a commercial market in nuclear weapons.
He said the only viable solution to the threat of commercial malware was an international moratorium on its sale. “What the Pegasus project reveals is the NSO Group is really representative of a new malware market, where this is a for-profit business,” he said.
The only reason NSO is doing this is not to save the world, it’s to make money.
He said a global ban on the trade in infection vectors would prevent commercial abuse of vulnerabilities in mobile phones, while still allowing researchers to identify and fix them.
“The solution here for ordinary people is to work collectively. This is not a problem that we want to try and solve individually, because it’s you versus a billion dollar company,” he said.
If you want to protect yourself you have to change the game, and the way we do that is by ending this trade.