What the Pegasus Spyware Leak Means for Surveillance, Smartphones & Encryption Backdoors
A few months ago, we wrote about dual-use surveillance systems – that is, technology that can be used for both peaceful and military purposes. The post discussed some limited efforts by the EU to prevent such technologies from being abused. A major new leak of alleged targets of one of the leading spyware companies, the NSO Group, suggests that these tools are already being widely deployed against human rights defenders, political opponents, lawyers, diplomats, heads of state, and almost 200 journalists from nearly two dozen countries, notably in Azerbaijan, India, Hungary, Saudi Arabia, and the UK. The leak is in the form of a list of over 50,000 phone numbers that are believed to be people of interest to clients of NSO since 2016, and possible victims of its Pegasus spyware. Detailed analysis of them has now been carried out by the non-profit journalism organization Forbidden Stories, in conjunction with media companies around the world.
According to NSO’s literature, its Pegasus product provides “unlimited access to target’s mobile devices”; can “transparently monitor voice and VoIP calls in real-time”; can monitor applications such as Skype, WhatsApp, Viber, Facebook and Blackberry Messenger; track targets using GPS; monitor switching of virtual identities and replacement of SIM cards; and, perhaps most importantly, it can “Overcome encryption, SSL, proprietary protocols”. It is able to get around even the strongest encryption not by breaking it, but by monitoring unencrypted input and output using malware that has been installed on the phone. It achieves this through a variety of remote installation methods:
A push message is remotely and covertly sent to the mobile device. This message triggers the device to download and install the agent on the device. During the entire installation process no cooperation or engagement of the target is required (e.g., clicking a link, opening a message) and no indication appears on the device. The installation is totally silent and invisible and cannot be prevented by the target.
These powerful capabilities are made possible through the use of flaws in software that is present on the target’s mobile phone. Exactly how Pegasus was loaded on at least some of the 50,000 phones in the leaked list is explained in great detail by Amnesty International’s Security Lab. The forensic methods of the Security Lab have been peer reviewed by the Canada-based Citizen Lab, which concludes “Amnesty International’s core forensic methods for analyzing devices to determine that they have been infected with NSO Group spyware are sound.” That’s significant, because NSO claims that installation “leaves no traces whatsoever on the device”. In a statement on the Forbidden Stories leak of alleged Pegasus targets, the company also says:
We would like to emphasize that NSO sells its technologies solely to law enforcement and intelligence agencies of vetted governments for the sole purpose of saving lives through preventing crime and terror acts. NSO does not operate the system and has no visibility to the data.
Of course, if NSO is unable to see what uses its Pegasus spyware is being put to, it is also unable to check whether its “vetted governments” are abusing its capabilities. That’s the core problem with “dual use” surveillance technologies: they can, indeed, be used to prevent crime and terror acts; but they can also be used to spy on innocent journalists, human rights defenders and political opponents. Independently of the details of what exactly happened here, there are several aspects of the Pegasus spyware leak that are highly relevant to privacy.
First, it is worth noting that this latest leak is in many ways complementary to the Snowden leaks of 2013. Not surprisingly, Snowden has now called for the global spyware trade to be shut down. Snowden revealed the massive scale of government surveillance, notably by the US and UK, and the advanced techniques used to undermine the privacy of billions of people. The Pegasus leak, by contrast, is about highly targeted surveillance of key individuals. It also differs from the government spy programs revealed by Snowden in that the Pegasus spyware is a commercial product that can be purchased relatively straightforwardly.
The NSA and GCHQ programs leaked by Snowden were able to attack digital communications infrastructure directly, either covertly, or by forcing companies to cooperate using national security legislation. Although government spying also exploited mobile phones, the Pegasus spyware differs in that it is directed exclusively at smartphones because of a key shift in recent years. Smartphones now play a uniquely important role in modern society: for many people, they are indispensable companions during waking hours. That makes them the perfect means to track and spy on every aspect of a person’s life. The fact that these tools were so thoroughly compromised has come as a shock to journalists – especially the ones taking precautions to protect their security:
Many of the journalists who spoke with Forbidden Stories and its partner news organizations expressed dismay at having learned that despite the precautions they had taken to secure their devices – such as using encrypted messaging services and updating their phones regularly – their private information was still not secure.
Although that is indeed shocking news for many, it is also what security experts – and this blog – have been saying for years. Governments do not need to mandate backdoors in encrypted communications, because there are already extremely effective alternative approaches. A previous post noted that the German authorities have been making use of malware to get around encryption for years.
Finally, as the Guardian points out, the lazy argument of governments and intelligence agencies that the innocent have nothing to fear from surveillance, which will only ever be deployed against “bad people”, is completely demolished by this latest proof that it is just not true.
Featured image by Jastrow.