Reports that the NSO Group’s Pegasus spyware was used by governments to spy on Apple iPhones belonging to journalists, activists, government officials and business executives are becoming a global controversy for NSO, Apple and a number of the governments at the center of the scandal.
Amnesty International and Forbidden Stories – a Paris-based nonprofit media group that works with journalists – said earlier this week that users of the Israeli-developed spyware were able to hack into iPhone 11 and iPhone 12 devices, as well as Android devices, of tens of thousands of people – including a number of world leaders. The software has even been linked to the disappearance of the United Arab Emirates’ Princess Latifa.
The software is designed to enable users to remotely extract data – emails, messages and photos – from the devices, as well as record calls and activate microphones and cameras. It also can grab conversations that occur on social media apps such as WhatsApp. NSO Group has argued for years that Pegasus is meant to help governments and law enforcement agencies fight back against global threats like crime and terrorism, but it’s becoming apparent that the software has been weaponized by hostile parties too.
Journalists, Government Officials Targeted
As first reported in The Guardian, a large data leak unveiled a list of more than 50,000 phone numbers of people that were in the crosshairs of NSO customers dating back to 2016, including more than 180 journalists worldwide. The revelations suggest that some Pegasus users, such as authoritarian governments, were using the spyware to track people who weren’t criminals or terrorists.
That has included such people as French President Emmanuel Macron and hundreds of other state leaders and government officials, whose phone numbers were on the list obtained by Amnesty International and Forbidden Stories as part of the Pegasus Project. The Israeli government reportedly has created a group to oversee damage control while other governments in such places as Hungary and Saudi Arabia are under fire for using the spyware.
The impact of the burgeoning scandal continues to ripple. Top public cloud provider Amazon Web Services (AWS) disabled all accounts linked to the Israeli company.
Apple Under Fire
Apple, which for years has loudly touted the security of its iPhones, is coming under pressure to work more closely with other device makers to push back against technology like Pegasus.
In a statement to journalists, Apple officials argued that the company has worked with security experts outside of the company, which has resulted in the iPhone being “the safest, most secure consumer mobile device on the market.” They also looked to tamp down concern that the Pegasus situation is a widespread problem.
“Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life and are used to target specific individuals,” the Apple statement said. “While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”
However, Danna Ingleton, deputy director of Amnesty Tech, said in a statement that “Apple prides itself on its security and privacy features, but NSO Group has ripped these apart. Our forensic analysis has uncovered irrefutable evidence that through iMessage zero-click attacks, NSO’s spyware has successfully infected iPhone 11 and iPhone 12 models. Thousands of iPhones have potentially been compromised. … This is a global concern. Anyone and everyone is at risk, and even technology giants like Apple are ill-equipped to deal with the massive scale of surveillance at hand.”
Mobile Security, Privacy at Issue
Oliver Tavakoli, CTO at cybersecurity firm Vectra, told eSecurity Planet that “it’s clear that the iOS iMessage service is a bit of a mess from a security perspective.”
“Apple has added more and more functionality to it and every piece of functionality comes with the potential for exploitable vulnerabilities,” Tavakoli said. “Also, the fact that iMessage does not distinguish how it handles inbound messages from known contacts vs. perfect strangers opens phones up to exploitation from anywhere. Accepting processing messages from anyone is the equivalent of running a network connected to the internet with no firewall.”
Setu Kulkarni, vice president of strategy at NTT Application Security, said this is a moment to rally around tech companies as they push back against software like Pegasus, adding that “the line between acceptable surveillance (if any) and privacy intrusion is very thin.”
“For Apple and other manufacturers, this is a moment of reckoning to get further entrenched with the governments to create more checks and balances while they make their platform more impenetrable for bad actors,” Kulkarni told eSecurity Planet. “For lawmakers, this is a moment of reckoning as well to create consequences for misuse of such utilities.”
NSO Group Pushes Back
NSO Group officials in a statement denied the accusations in the initial report by Forbidden Stories, saying it is based on “wrong assumptions and uncorroborated theories that raise serious doubts about the reliability and interests of sources.” The company claimed that the data given to the group is “based on misleading interpretation of data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customer targets of Pegasus or any other NSO products.”
These services are available to anyone at any time and are commonly used by governments, they said.
However, NSO Group has also been linked to other privacy scandals, including the hacking of Amazon founder Jeff Bezos and journalist Jamal Khashoggi, a U.S. resident murdered in the Saudi embassy in Turkey. Both incidents occurred in 2018. A year later Facebook sued the company in a case involving a zero-day vulnerability in WhatsApp that targeted devices used by journalists, political activists and others. Google, Microsoft and Cisco Systems filed briefs supporting the lawsuit.
In 2020, the FBI began investigating the company for possibly spying on citizens and groups in the United States.
Spyware is Evolving
Researchers at Lookout, an endpoint-to-cloud security company, have watched Pegasus evolve since first spotting it in 2016, according to Chief Strategy Officer Aaron Cockerill.
“It has advanced to the point of executing on the target’s mobile device without requiring any interaction by the user, which means the operator only has to send the malware to the device,” Cockerill told eSecurity Planet. “Considering the number of apps iOS and Android devices have with messaging functionality, this could be done through SMS, email, social media, third-party messaging, gaming or dating apps.”
There is a trend where techniques used by the likes of NSO Group are being adopted by consumer-grade surveillance software and spyware vendors, which could lead to such powerful tools being put in the hands of many people. This is similar to the trend toward ransomware-as-a-service, which has made it possible for people with little experience to launch such attacks, he said.
“Mobile devices continue to be a primary attack vector for cyber criminals,” Cockerill said. “Mobile malware, surveillanceware and ransomware can take down infrastructure and track our every move as attackers target individuals where they are most vulnerable. Business executives with access to market data, technological research and infrastructure are highly valuable targets.”
As mobile devices like iOS and Android smartphones have become integral to daily life, “they need to be secured with as much – if not more – priority than any other device,” he said. “As smartphones continue to evolve, security continues to improve. However, so does the breadth and complexity of the existing software codebase, with millions of lines of code which need to be secured.”