28 July 2021

Washington Post: “Private Israeli spyware used to hack cellphones of journalists, activists worldwide”

The targeting of the 37 smartphones would appear to conflict with the stated purpose of NSO’s licensing of the Pegasus spyware, which the company says is intended only for use in surveilling terrorists and major criminals. The evidence extracted from these smartphones, revealed here for the first time, calls into question pledges by the Israeli company to police its clients for human rights abuses.

The media consortium, titled the Pegasus Project, analyzed the list through interviews and forensic analysis of the phones, and by comparing details with previously reported information about NSO. Amnesty’s Security Lab examined 67 smartphones where attacks were suspected. Of those, 23 were successfully infected and 14 showed signs of attempted penetration.


Pegasus is engineered to evade defenses on iPhones and Android devices and to leave few traces of its attack. Familiar privacy measures like strong passwords and encryption offer little help against Pegasus, which can attack phones without any warning to users. It can read anything on a device that a user can, while also stealing photos, recordings, location records, communications, passwords, call logs and social media posts. Spyware also can activate cameras and microphones for real-time surveillance.

There is just nothing from an encryption standpoint to protect against this, said Claudio Guarnieri, a.k.a. “Nex”, the Amnesty Security Lab’s 33-year-old Italian researcher who developed and performed the digital forensics on 37 smartphones that showed evidence of Pegasus attacks.

Dana Priest, Craig Timberg & Souad Mekhennet

Once you build and distribute surveillance tools, it becomes almost impossible to control how clients are using them. The list of 50,000 phone numbers mentioned in this investigative report includes, among others, three presidents, 10 prime ministers and a king, including French president Emmanuel Macron. French prosecutors already opened a probe based on this report, and Amazon Web Services has shut down infrastructure linked to Israeli surveillance vendor NSO Group.

The bigger issue of course are smartphone security features, and how easily they can be bypassed with these techniques. iPhones seem just as susceptible as Android devices, despite Apple’s constant public claims. But I suppose “We provide the best encryption against law enforcement, but hackers can sail right through” was not deemed an effective marketing strategy…

I find this part rather confusing: how are American phones supposed to be immune to the Pegasus spyware? Do Apple and Google ship different versions of iOS and Android outside the US, with fewer security protections? This seems highly unlikely – rather NSO is careful enough to sell its tools to clients that won’t go after American targets, because they would otherwise come into conflict with American intelligence services.

The numbers of about a dozen Americans working overseas were discovered on the list, in all but one case while using phones registered to foreign cellular networks. The consortium could not perform forensic analysis on most of these phones. NSO has said for years that its product cannot be used to surveil American phones. The consortium did not find evidence of successful spyware penetration on phones with the U.S. country code.

We also stand by our previous statements that our products, sold to vetted foreign governments, cannot be used to conduct cybersurveillance within the United States, and no customer has ever been granted technology that would enable them to access phones with U.S. numbers, the company said in its statement. It is technologically impossible and reaffirms the fact your sources’ claims have no merit.

Post a Comment