Leak of Alleged Pegasus Target List Restokes Spyware DebatePegasus Spyware Critics See Shift to Mass Surveillance; Vendor NSO Group Disagrees
Allegations that commercially available spyware is being abused by countries to spy on dissidents, journalists, political rivals and business leaders are again in the spotlight.
The leaking of an alleged target list tied to users of Israel-based NSO Group's Pegasus spyware - built to infect even the latest, fully patched Apple and Android devices - has led to questions over the scale of such operations, if the use of Pegasus gets sufficiently policed and whether the sale of spyware to certain countries should be blocked.
The persistent surveillance concern: What if the digital devices that we rely on for everyday life - for managing family, relationships, friendships and work - get used against us?
The Pegasus Project - a collaboration among 17 media organizations investigating the use of Pegasus spyware - began publishing the results of months-long research into such spyware on Sunday. The research suggests that governments' use of off-the-shelf spyware tools may be much more widespread than previously believed.
"Pegasus is a remote access tool with spyware capabilities," which has previously been installed on target devices by exploiting zero-day vulnerabilities in browsers and apps - including WhatsApp and Facebook, says Jakub Vavra, a threat analyst at security firm Avast. Once installed, the spyware has access to GPS, photographs, contact lists, microphones and cameras and can take screenshots and perform keylogging.
"These features make it a dangerous tool that can be misused to spy on unwitting individuals," Vavra says.
How many individuals get spied on via tools such as Pegasus is far from clear. But researchers at French nonprofit journalism group Forbidden Stories and human rights group Amnesty International say "this investigation began with enormous leak of documents" to which they gained access, including a list of 50,000 individuals' contact details - across 50 countries - amassed by 10 Pegasus-using governments. How many of these apparent targets of interest were targeted with Pegasus spyware is not known.
(1) @AmnestyTech saw an iOS 14.6 device hacked with a zero-click iMessage exploit to install Pegasus. We at @citizenlab also saw 14.6 device hacked with a zero-click iMessage exploit to install Pegasus. All this indicates that NSO Group can break into the latest iPhones.— Bill Marczak (@billmarczak) July 18, 2021
NSO Group has strongly dismissed the researchers' findings. It says the leaked information appears to be publicly available contact details - emails and phone numbers - and that it had nothing to do with the list. The number of individuals actually targeted with its software, it says, is much lower than 50,000.
The spyware vendor says that it investigates all allegations of misuse of its products - for example, to target dissidents, human rights advocates or journalists - and that its software cannot be sold outside Israel without an export license being obtained by the governments of Israel, Bulgaria or Cyprus. But the company has been allowed to sell to repressive governments, including Azerbaijan, Bahrain, Saudi Arabia and the United Arab Emirates.
The company also states that it has no insights into who gets targeted with its software.
"We would like to emphasize that NSO sells it technologies solely to law enforcement and intelligence agencies of vetted governments for the sole purpose of saving lives through preventing crime and terror acts. NSO does not operate the system and has no visibility to the data," it says in a statement released Monday in response to the Pegasus Project.
How, then, can it verify that its software is not used in a manner that abuses individuals' human rights?
Who Should Wield Spyware?
Such questions have long dogged NSO Group and others - such as Israel commercial spyware firm Candiru - who build and sell commercial spyware tools.
In the wrong hands, spyware can be used to enable unscrupulous businesses to spy on rivals, abusive partners to spy on spouses, criminals to steal passwords and bank account details and oppressive regimes to monitor or target critics for assassination.
But what, then, is an appropriate use for spyware?
Vendors of computer surveillance software, aka spyware, insist their wares play an important role in helping law enforcement and intelligence agencies disrupt human trafficking, child sexual abuse rings, the sale of illegal narcotics, criminal hacking and terrorist activity. Companies such as NSO Group operate at such a scale - and with such revenue from customers - that they appear to be able to buy the latest zero-day exploits. This gives spyware users the ability to exploit even the most recent makes and models of smartphones.
The implicit, if not overt, understanding is that such tools should be used only against those who are the subjects of a criminal investigation or are suspected of a crime. NSO Group says its tool is only for use by law enforcement and intelligence agencies.
But different countries' governments have different ideas about who they consider to be dangerous, as well as the steps they're willing to take to do something about that. Some have judicial systems and legislative oversight designed to ensure that law enforcement and intelligence agencies act in a manner that preserves human rights. Others have fewer such precautions.
UN investigators in 2020, for example, tied the 2018 hacking of the mobile phone of Jeff Bezos, then the CEO of Amazon, to spyware wielded by Saudi Arabia. "The forensic analysis assessed that the intrusion likely was undertaken through the use of a prominent spyware product identified in other Saudi surveillance cases, such as the NSO Group's Pegasus-3 malware, a product widely reported to have been purchased and deployed by Saudi officials," Agnes Callamard, then UN special rapporteur on summary executions and extrajudicial killings, and David Kaye, then UN special rapporteur on freedom of expression, said in a statement.
Later, Western intelligence agencies attributed the assassination of Jamal Khashoggi, a journalist who worked at the Washington Post, to the Saudis, saying he was murdered by a government hit team at the Saudi consulate in Turkey in October 2018. Security experts and privacy watchdogs determined that the Saudi government had been eavesdropping on dissidents, including Khashoggi, using Pegasus.
In May 2019, digital rights group Access Now wrote to NSO Group seeking more information about export licenses that were reportedly granted by Bulgarian authorities for exporting Pegasus. "Independent research has credibly attributed NSO Group's Pegasus spyware to attacks targeting a wide swath of civil society, including at least 24 human rights defenders, journalists and parliamentarians in Mexico, an Amnesty International employee, Omar Abdulaziz, Yahya Assiri, Ghanem Al-Masarir, award-winning human rights campaigner Ahmed Mansoor and allegedly, the targeting of assassinated journalist Jamal Khashoggi," Guillermo Beltrà, Access Now's policy director, wrote to NSO Group.
On Sunday, the Guardian reported that leaked documents obtained by the Pegasus Project suggest the government of Saudi Arabia didn't just infect Khashoggi's phone with Pegasus, but also infected the devices of those around him, including his family, before and after he was murdered.
But NSO Group says that it disproved reports that its software was used to target Khashoggi. "We can confirm that our technology was not used to listen, monitor, track or collect information regarding him or his family members mentioned in the inquiry," it says in its Monday statement. "We previously investigated this claim, which again, is being made without validation."
Surveillance at Scale
Previously, gaining the ability to monitor suspects in a law enforcement or intelligence investigation might have required conducting physical surveillance of a target, physically accessing their device to infect it with malware, or, in some cases, using a closely held zero-day vulnerability to remotely exploit a device.
But commercial spyware vendors lower the barrier to government surveillance by providing those capabilities to their customers. Suddenly, governments that don't have expertise on the level of the U.S. National Security Agency, Britain's GCHQ or other top-level signals intelligence agencies have a relatively inexpensive way to spy on individuals via their smartphones and other devices, potentially at scale.
"If they can do the same thing from a distance, with little cost and no risk, they begin to do it all the time, against everyone who’s even marginally of interest,” Edward Snowden, the whistleblower who exposed a massive NSA surveillance apparatus that didn't just spy on selected individuals, but every internet user, tells the Guardian. "If you don’t do anything to stop the sale of this technology, it’s not just going to be 50,000 targets. It’s going to be 50 million targets, and it’s going to happen much more quickly than any of us expect."
What can be done? "We're not going to be able to secure the internet until we deal with the companies that engage in the international cyber-arms trade," says cryptography expert Bruce Schneier, a lecturer in public policy at the Harvard Kennedy School.
Regulating the sale of such software is one obvious solution for helping to curtail the ability of commercial spyware vendors to operate at a scale that allows them to purchase the latest zero-day flaws - or at least restricting this buying power to companies with a strong record on human rights.
Calls for a crackdown on how such software gets used have continued. "The private surveillance industry is a free-for-all," Kaye, the former UN special rapporteur, said in June 2019. "It is time for governments and companies to recognize their responsibilities and impose rigorous requirements on this industry, with the goal of protecting human rights for all," he said, calling for a moratorium on exporting such software pending better controls. At a global level, this has yet to come to pass.
In the EU, however, next month new rules are set to come into effect for dual-use items - so called because they have both military and civilian uses - including spyware and other surveillance tools. Officials say that among other new requirements, the rules create "due diligence obligations for producers."
New Incentives for Reporting Flaws?
Increasing the incentives for security researchers to directly report zero-day flaws to operating system developers - or else attempting to outlaw their sale to anyone else - is another potential strategy.
Clearly, the NSO Group and similar companies are able to buy zero-day flaws to exploit the latest operating systems, whether it's Windows, Mac, Android or iOS. All of these operating systems' developers, however, have security teams - and bug bounty programs - aimed at helping to patch as quickly as possible.
"The best way to stay protected against such tools is to provide as much information on these cases as possible to related software and security vendors," says Dmitry Galov, a researcher at security firm Kaspersky. "Software developers will fix the vulnerabilities exploited by the attackers, and security vendors will take measures to detect and protect users from them."
Better Defenses Make Attacks Costlier
Apple has been in the headlines due to NSO Group having been able to exploit its latest mobile technology - including an iPhone 12 running iOS version 14.6. Matthew Green, an assistant professor who teaches applied cryptography at Johns Hopkins University, says that Apple obviously hasn't been standing still, but rather adding numerous security features to try and repel Pegasus types of attacks.
"Starting recently, Apple added a 'firewall' called Blastdoor to iMessage. This is supposed to prevent attacks like Pegasus. Obviously it doesn’t work, but it at least ups the cost of these exploits," he says via Twitter.
Another area that Apple has already stepped up their game is in logging. Apple power monitoring telemetry records information about weird process “hang” events, which can sometimes trip up exploits. There’s a privacy tradeoff here, but Apple should lean into this. 7/— Matthew Green (@matthew_d_green) July 20, 2021
Of course, this is a cat and mouse game, but blocking more attacks makes it more costly for others - be they nation-states or commercial spyware vendors - to remotely seize control of devices. "Even small improvements can make these exploit attempts risky - even just a little risky - by improving the chance that a whole exploit chain gets uncovered and patched," Green says. "That risk can be the difference between 10,000 targets and 100."