CNN: Jamal Khashoggi probably thought the messages he was sending to fellow Saudi dissident Omar Abdulaziz were hidden, cloaked in WhatsApp security. In reality they were compromised — along with the rest of Abdulaziz’s phone, which had allegedly been infected by Pegasus, a powerful piece of malware designed to spy on its users.
Abdulaziz, as CNN reported last month, is suing the creators of Pegasus, Israel-based cyber company NSO Group, accusing them of violating international law by selling the software to oppressive regimes. NSO has denied any involvement in the death of Khashoggi, insisting its software is “only for use fighting terrorism and crime.”
The company was condemned as “the worst of the worst” by NSA whistleblower Edward Snowden during a video conference with an Israeli audience last November.
“The NSO Group in today’s world, based on the evidence we have, they are the worst of the worst in selling these burglary tools that are being actively currently used to violate the human rights of dissidents, opposition figures, and activists,” Snowden said.
I witnessed the power of Pegasus two years ago. Mobile security experts at Check Point, one of the world leaders in cyber security, showed me how they could hack a phone with one click, gaining complete access to its microphone, camera, keyboard, and data.
They say the malware they used was similar to Pegasus: An apparently innocent message appeared on my phone asking me to update my settings, and that was all they needed to access the phone.
Cyber security expert Michael Shaulov launched a cybersecurity startup in 2010, partly in response to what he saw as the potential threat of Pegasus.
“Even when [NSO Group sells] the software to specifically the law enforcement agency that specifically bought it, in the case that those guys want to go after what we call illegitimate targets, NSO has no control [over it],” he says. “They cannot really prevent it.”
NSO Group says it can monitor the usage of all of its software by all of its clients, but would need to actively check how clients were using their products before becoming aware of any possible misuse.
The company’s technology takes advantage of what is known as “zero days” — hidden vulnerabilities in operating systems and apps that grant elite hackers access to the inner workings of the phone. The term is derived from the fact that software developers have had no time to fix them.
Companies like NSO have teams of researchers continuously reverse-engineering Apple and Android operating systems to find bugs in the code they can then exploit, Shaulov says, describing the process of finding zero days as an “art” in the largely black and white world of cyber security.
NSO Group’s singular focus on mobile devices has made them the “alpha dog” in the market, Shaulov says.
Finding a zero day can take anywhere from a few months to more than a year, and there is little guarantee of its long-term effectiveness. But if the weakness isn’t fixed, it can be exploited repeatedly to hack phones. Software developers such as Apple and Google have teams devoted to finding and fixing vulnerabilities, but it’s no easier for them than it is for hackers to find the weak link. In addition, developers’ priorities may lie elsewhere, so even known bugs remain unfixed.
“Unless Apple or Google fixes that bug, that vulnerability … can stay for many, many years and NSO can continuously sell software that can go through those bugs in the software and infect those phones,” says Shaulov.
Researchers at the Toronto-based Citizen Lab have tracked the use of NSO Group’s Pegasus software to 45 countries where operators “may be conducting surveillance operations,” including at least 10 Pegasus operators who “appear to be actively engaged in cross-border surveillance.”