How Pegasus took spyware’s potency to a new level

Spyware is used by law enforcement and intelligence agencies to track criminals and terrorists. In the hands of repressive governments, it can be a tool used against enemies. Human rights groups accuse Israeli software maker NSO Group Ltd. and its Pegasus technology of enabling some governments to snoop on journalists, activists and business executives. While the company says it has controls in place to minimize such misuse, the latest revelations could jump-start a debate on standards for the industry.

A subset of malware -- the name given broadly to software that harms unsuspecting users -- spyware is designed to extract information such as internet browsing history or private communications from devices without the user's knowledge or consent. In its most sophisticated form, spyware can extract emails, phone calls and text messages. Some spyware is so advanced that it can turn on your phone's microphone, secretly record and even take pictures with the camera.

Spyware is sometimes installed via so-called phishing scams, in which the user is tricked into clicking a link to malicious software contained in a message. In other instances, an abusive spouse or boss may install it when they have physical access to a victim's device.

The Guardian reported that technological advancements mean that Pegasus infections can now be achieved through so-called zero-click attacks, "which do not require any interaction from the phone's owner in order to succeed." This means there is virtually no way to protect against NSO Group's spyware.

To a degree. End-to-end encryption, such as that used by WhatsApp, provides a lock on chats that only you and the recipients of messages have a key for. But Pegasus has the ability to record keystrokes and phone calls. That means once NSO's spyware is on your phone, you're no longer protected by encryption.

A coalition of media outlets and investigative journalists assembled by the nonprofit groups Forbidden Stories and Amnesty International published stories saying world leaders, government officials and at least 180 journalists were Pegasus targets. Phone numbers targeted by the spyware were said to include those of France's Emmanuel Macron, Pakistan's Imran Khan and South Africa's Cyril Ramaphosa. A research database from human rights groups linked the product to acts of violence including break-ins, harassment, intimidation and murder. Many of the details contained in the database have been aired before by human rights groups and media organizations.

The Citizen Lab at the University of Toronto has identified over 100 cases where spyware developed by NSO Group has been abused. A Saudi dissident sued NSO in 2018, alleging that his phone was hacked by Saudi Arabia's government using the company's spyware, in part to eavesdrop on communications between him and Washington Post journalist Jamal Khashoggi, who was later murdered by a Saudi assassination team. WhatsApp has filed a lawsuit against NSO Group, alleging that it violated its terms of service by using WhatsApp as a delivery mechanism for its spyware.

NSO said the Forbidden Stories reports are full of wrong assumptions and uncorroborated theories. It said its technology wasn't associated in any way with the murder of Khashoggi and that its product is sold to law enforcement and intelligence agencies of vetted governments. "NSO Group is on a life-saving mission, and the company will faithfully execute this mission undeterred, despite any and all continued attempts to discredit it on false grounds," it said. In June, the company said it refuses to sell its spyware to 55 countries and that 15% of potential Pegasus sales were rejected this past year due to human rights concerns.

Not too many, though activists are hoping that will change. Some countries, including the U.K., Germany, Austria and Italy, have laws governing hacking by law enforcement. A judicial warrant is required in the U.S. in most circumstances. But it's unclear which countries are engaging in this kind of hacking. And the private companies that develop these hacking tools typically go to great lengths to ensure that its customers are never revealed.

Disclaimer: This article first appeared on Bloomberg and is published under a special syndication arrangement