More than 50,000 people in 40 countries are potentially at risk due to Israel’s Pegasus spyware tool.
A report published by Amnesty International found that NSO Group is licensing its Pegasus spyware to governments across the world. The tool allows remote tracking and hijacking of a target’s phone.
NSO Group was developed by former members of the IDF’s Intelligence Corps. The occupying Israeli government approves all exports of the technology to foreign countries.
A joint investigation by 80 journalists across various media organisations found that the tool has been used to track fellow journalists by oppressive governments. More than fifty thousand numbers were found on the list of potential targets for attack.
What’s the risk to journalists?
Targets of attacks conducted using Pegasus spyware face tremendous risks. Attackers are given root access to a target’s phone, providing them with more access than the user has to their own devices.
Attackers, such as governments, get access to everything on the target’s phone, from messages, call history and real-time location updates to the camera and microphone.
Such tracking costs journalists their freedom, liberty, and in some cases, their lives. Examples of these risks are demonstrated by recent human rights violations conducted by Saudi Arabia and the United Arab Emirates.
Following the murder of Jamal Khashoggi under the orders of Saudi Crown Prince Mohammed bin Salman, the NSO Group constantly denied its involvement in the killing.
However, the collaborative investigation found that NSO surveillance tools were used on phones of those close to the Saudi journalist before and after he was killed. The Guardian reports that forensic analysis shows his wife’s phone was hacked months before his death.
Additionally, while an investigation into his murder was ongoing, Saudi Arabia used Pegasus spyware to target Khashoggi’s son, activist friends, and people opposing the Saudi regime.
Turkish investigators probing the Istanbul-based death were also found on the list, including the city’s chief prosecutor.
Khashoggi was not the only activist targeted by the Saudi regime. Prominent activist Loujain Al-Hathloul’s phone number also appeared in the leaked list of NSO targets. Al-Hathloul is known for publicly opposing the female driving ban and the male guardianship systems in Saudi Arabia.
It’s believed she was chosen as a target just a few weeks before she was captured in the UAE. She was then returned to Saudi Arabia and put in prison for three years before global calls for her release finally led to her freedom earlier this year.
United Arab Emirates
Saudi Arabia’s neighbour and key ally, the UAE, also engaged in similar tracking of activists using the Israeli spyware. Emirati activist Alaa Al-Siddiq, who recently died in a car crash in London, was also on the list of potential NSO targets.
Al-Siddiq was known for her precise criticism of the UAE’s human rights violations. She was granted asylum in the UK after escaping the Gulf state during a period of intense crackdown on free speech in the country. Her father, Mohammad Al-Siddiq, is a political activist too, though he’s been imprisoned by the regime since 2013.
Ahmad Mansoor, an Emirati human rights activist, was also targeted by a similar attack. In 2016, he received a text message claiming to share information about how the UAE tortures its jailed detainees. Rather than clicking the link, he forwarded it to forensic researchers who identified that it originated from Pegasus.
The Emirati government also targeted 300 Lebanese activists, journalists and politicians, including former prime minister Saad Hariri.
Journalists at the Qatar-based media network Al Jazeera were also targeted by attacks using Pegasus. Citizen Lab concluded with “medium confidence” that some of these attacks were orchestrated by the Saudi and Emirati governments. Qatar’s beIN chief Nasser Al Khelaifi was also targeted by the Israeli spyware.
According to the investigation, Bahrain, Saudi Arabia and the UAE were among the ten most active clients of the Israeli NSO Group. The leaked data raises the question of how Israeli normalisation efforts may have been catalysed due to the dependency of those countries on NSO’s tools.
However, NSO claims its tools are only ever licensed to governments to help tackle “large crimes and terrorist attacks.”
How do the attacks work?
Pegasus software can run remotely using what is known as a “zero-click” attack. This is an extremely malicious method that allows hackers to inject code into a target’s device without requiring any interaction from the user.
For example, NSO’s software has previously taken advantage of a vulnerability in WhatsApp, allowing it to hijack a target device simply by making a WhatsApp call to it. The user does not even need to answer the call; their device is hacked as soon as the call is received. In response, WhatsApp sued NSO, and the group was no longer allowed to use the messaging app to conduct its hacks.
These sorts of attacks are significantly more dangerous than previous methods which would require a user to tap a download link or interact with malicious content in order to gain access.
Zero-click attacks take advantage of “zero-day” exploits – bugs that the device manufacturer or app developer does not know of. Pegasus’ developers find exploits in popular apps such as iMessage and WhatsApp, allowing the company to reach as many devices as possible.
In essence, Pegasus can take control of someone’s phone without the person ever interacting with any malicious content.
Can journalists protect themselves from such attacks?
Unfortunately, the answer is they can’t. Using a burner phone with only encrypted messaging could potentially help, but Pegasus is designed to be discreet and autonomous.
It’s almost impossible to identify Pegasus software on a phone without conducting forensic analysis. This makes it hard for potential targets to verify the security of their devices.
Additionally, since no interaction is required from the user, the spyware can be installed on even the most cautious users’ phones.
When asked what can be done to protect someone from such attacks, Claudio Guarnieri, head of Amnesty International’s Security Lab, said “the real honest answer is nothing.”
Paul Durov, the founder of the private messaging app Telegram, was also among those on the list. He released a statement on his Telegram channel on Wednesday, explaining that not much can be done to protect himself on a technical level.
“These tools can hack any iOS and Android phone, and there is no way to protect your device from it. It doesn’t matter which apps you use, because the system is breached on a deeper level,” he said.
He then went on to add what he does to protect himself – store nothing on his phone:
“Since 2011, when I was still living in Russia, I’ve gotten used to assuming that all my phones were compromised. Anyone who gains access to my private data will be utterly disappointed – they will have to go through thousands of concept designs for Telegram features and millions of messages related to our product development process. They won’t find any important information there,” he said.
Has NSO claimed responsibility?
Unsurprisingly, NSO referred to the allegations as “false claims”. It then insisted that a number existing on the list does not necessarily mean it was ever actually targeted.
“The fact that a number appears on that list is in no way indicative of whether that number was selected for surveillance using Pegasus,” NSO claimed.
The company also emphasised that its technology is intended to tackle terrorism, sex trafficking and other large-scale crimes. It went on to add that it’s “on a life-saving mission”.
Despite these claims, NSO’s lengthy response did not directly deny any of the findings of the report. Several governments have denied involvement with NSO, though Saudi Arabia, the UAE and Bahrain have remained silent and refused to comment.
Amnesty responded to NSO’s falsification, reaffirming that it stands by its findings:
“Amnesty International categorically stands by the findings of the Pegasus Project, and that the data is irrefutably linked to potential targets of NSO Group’s Pegasus spyware. The false rumours being pushed on social media are intended to distract from the widespread unlawful targeting of journalists, activists and others that the Pegasus Project has revealed.”
Most smartphone users aren’t directly affected by such hacking tools. However, the latest revelations paint a worrying picture of the general state of online security. We store most of our lives online, expecting some degree of privacy. Yet stories such as this demonstrate how vulnerable our digital lives really are.
Should the NSO Group be held accountable for the tools it builds? Let us know in the comments.