Tuesday, September 6, 2016

The 11 Ghastly Things I Got out of NSO Group’s iPhone Hack

You have nothing left to hide.

NSO Group is so secretive it doesn’t even have a website. The malware company was founded in 2010 in Israel with $1.6 million in seed money. Its “most recently-known owner” – as Forbes put it – is private equity firm Francisco Partners in San Francisco, which acquired a majority stake in 2014 for $120 million and then tried to sell that stake in November 2015 for $1 billion, “people familiar with the matter” told Reuters at the time.
Reuters also said that the company “has since changed its name several times, most recently calling itself ‘Q.’”
I have not found any evidence that the sale actually happened. At the time, the valuations of unicorns were routinely taken out the back and slashed.
The company makes and sells surveillance malware called Pegasus that governments around the world, or anyone able to buy it and willing to pay the steep price, can use to target a specific user’s iPhone, Android, BlackBerry, or Symbian device.
An NSO proposal seen by the New York Times points out that the system gives “unlimited access to a target’s mobile devices” to “remotely and covertly collect information about your target’s relationships, location, phone calls, plans and activities — whenever and wherever they are.” And, “It leaves no traces whatsoever.”
It has a rich list of features and benefits, according to the New York Times:
Among the Pegasus system’s capabilities, NSO Group contracts assert, are the abilities to extract text messages, contact lists, calendar records, emails, instant messages and GPS locations. One capability that the NSO Group calls “room tap” can gather sounds in and around the room, using the phone’s own microphone.
Pegasus can use the camera to take snapshots or screen grabs. It can deny the phone access to certain websites and applications, and it can grab search histories or anything viewed with the phone’s web browser. And all of the data can be sent back to the agency’s server in real time.
In its commercial proposals, the NSO Group asserts that its tracking software and hardware can install itself in any number of ways, including “over the air stealth installation,” tailored text messages and emails, through public Wi-Fi hot spots rigged to secretly install NSO Group software, or the old-fashioned way, by spies in person.

So here are the 11 ghastly things I got out of it.

1. It gets expensive to spy on a lot of people. According to the New York Times, it starts with an installation fee of $500,000. It costs an additional $650,000 for 10 iPhones; $650,000 for 10 Android devices; $500,000 for 5 BlackBerry devices, and $300,000 for 5 Symbian devices. Quantity discounts apply: 10 additional targets for $150,000; 50 additional for $500,000; and 100 additional for $800,000.
2. Big Money backs this kind of technology, and it will go far. PE firm Francisco Partners has “nearly $10 billion of capital raised to date,” as it says. Venture Capital is chasing these technologies too. So this is just the beginning.
3. It worked and left “no traces whatsoever” – until someone used his brain. Ahmed Mansoor, a human rights activist in the United Arab Emirates, received a text message on his iPhone that promised to reveal details about torture in UAE prisons. He didn’t click on the link but contacted Citizen Lab.
Citizen Lab, in conjunction with Lookout Mobile Security, then discovered three previously-unknown and unpatched Apple iOS vulnerabilities (called “zero days” because companies had zero days to patch them) that Pegasus exploited. Apple has since fixed the three vulnerabilities. Citizen Lab also discovered a second target, a journalist in Mexico who wrote about corruption.
4. The company publishes no performance metrics. So we don’t know on how many devices this software has been installed, but it would be an interesting metric to have, like Twitter’s rubbery “average monthly active users.”
5. And it’ll get a lot cheaper. NSO is among “dozens of digital spying outfits that track everything a target does on a smartphone,” according to the New York Times. “They aggressively market their services to governments and law enforcement agencies around the world.” As these technologies advance, and as more money piles in – given the big price tags and the 7.5 billion targets running around on the planet – commoditization will set in. And competition will force prices down, thus making these invaluable services a lot more cost-effective to deploy.
6. The corporate mission statement makes you laugh and gnash your teeth at the same time, because you can’t figure out if it is dark sarcasm, corporate speak gone awry, propaganda, or just an ad slogan designed by an unsupervised and unpaid intern as a practical joke. According to the New York Times, the NSO’s corporate mission statement is “Make the world a safe place.”
7. Encryption, no problem. Pegasus works its way around encryption by luring users into clicking on a link and by exploiting zero-day flaws.
8. Now you have nothing left to hide. The malware is all encompassing. Once installed, Pegasus is “hoovering up all communications and locations of the targeted iPhones,” according to Forbes. “That includes iMessage, Gmail, Viber, Facebook, WhatsApp, Telegram, and Skype communications, amongst other data. It can collect Wi-Fi passwords too.” It can record what’s going on in the room and take photos of surroundings. So, unless you want to share this sort of thing, it’s advisable to not ever keep your smartphone in the same room where you have sex.
9. But you have no idea what they’re grabbing, or what they grabbed last year, and who is doing the grabbing. You might never find out why you suddenly got fired or lost a contract or were disappeared from the face of the earth.
10. This is for your own good. The industry and its investors, and governments that use this type of malware, or other forms of spying, incessantly argue that this spying is essential to keep us safe by tracking terrorists, kidnappers, drug traffickers, wayward bloggers, concerned citizens, human rights activists, journalists, and others – and to keep facts in the dark (such as corruption) and hang on to power.
11. Spying is big business, coming and going. If you can create this kind of malware and make a ton of money with it, why not also create defenses against it and make a ton of money with it too? So Forbes noted that the founder of NSO and his “co-entrepreneurs” started up a new outfit, Kaymera, “designed to solve the exact problems NSO created: a super-secure phone for government officials.” Ka-ching.
