Clipping the wings of Pegasus – surveillance and WhatsApp

Israeli spyware company NSO Group has been heavily featured in the news recently, and for good reason. Facebook-owned WhatsApp is suing NSO Group after the phones of some WhatsApp users were breached by exploiting an audio calling vulnerability in the application. Whilst NSO Group has distanced itself from any involvement in the actual hacking of devices, the truth of the matter is somewhat cloudy.

Are you being watched?

The NSO Group’s flagship tool is a surveillance application called Pegasus. It’s described by the company as a “world-leading cyber intelligence solution that enables law enforcement and intelligence agencies to remotely and covertly extract valuable intelligence from virtually any mobile device.” On numerous occasions, the NSO Group has stated that it only sells this spyware to government clients and that it is used to assist governments in lawful investigations into crime and terrorism. The NSO Group also claims to have strict controls and oversight mechanisms in place to prevent any abuse by users. Despite these claims, several human rights organisations have tracked the use of this technology and identified many cases in which they believe that journalists, human rights activists, lawyers and political opposition groups or dissidents have been targeted by Pegasus.

Digging deeper into Pegasus

Concerns around the misuse of Pegasus are driven by the fact that the spyware provides what can only be described as total surveillance of a device. A significantly dated version of the Pegasus product description manual, which was released as part of the “Hacking Team” leak in 2015, provides details of the key capabilities of Pegasus as can be seen in the list below:

  • Unlimited access to target’s mobile devices: Remotely and covertly collect information about your target’s relationships, location, phone calls, plans and activities – whenever and wherever they are
  • Intercept calls: Transparently monitor voice and VoIP calls in real-time
  • Bridge intelligence gaps: Collect unique and new types of information (e.g., contacts, files, environmental wiretap, passwords, etc.) to deliver the most accurate and complete intelligence
  • Handle encrypted content and devices: Overcome encryption, SSL, proprietary protocols and any hurdle introduced by the complex communications world
  • Application monitoring: Monitor a multitude of applications including Skype, WhatsApp, Viber, Facebook and Blackberry Messenger (BBM)
  • Pinpoint targets: Track targets and get accurate positioning information using GPS
  • Service provider independence: No cooperation with local Mobile Network Operators (MNO) is needed
  • Discover virtual identities: Constantly monitor the device without worrying about frequent switching of virtual identities and replacement of SIM cards
  • Avoid unnecessary risks: Eliminate the need for physical proximity to the target or device at any phase

Too much power?

The above set of features has likely advanced in the five or so years since the document was leaked. However, the capabilities of the tool, together with various installation methods (both remote and local, and usually invisible to the victim), and the ability to remotely uninstall without leaving a trace or to self-destruct in certain scenarios, make for a powerful cyber weapon.

To further enhance the stealth capabilities that Pegasus prides itself on, agent connections are routed via the Pegasus Anonymizing Transmission Network (PATN). This is a network of anonymisers deployed globally to prevent traces back to the source organisation and to ensure that the communicating parties’ identities are obscured. As an indication of how the capabilities of Pegasus have advanced, a recent report in the Financial Times claimed that Pegasus can now copy the authentication keys of a number of cloud services, thus allowing a remote server to impersonate the phone. This then provides ongoing access to data uploaded to the cloud service from any device, even bypassing 2FA verification, whether or not Pegasus remains on the initial target device. The NSO Group denies having or promoting this capability. Yet the Financial Times article states that the information comes from documents shared with its journalists and from descriptions of a recent product demonstration.

Privacy versus surveillance – when lines get blurred

Returning to the WhatsApp lawsuit against NSO Group, this serves to put Facebook in the unlikely position of having the moral high ground when it comes to privacy issues. Whilst the decision to sue NSO Group may be no more than a publicity stunt to some – perhaps to deflect attention from some of Facebook’s own privacy challenges – it does serve to draw attention to, and shed light on, the private spyware market and whether stricter regulations are required.

The lawsuit in question claims that around 1,400 mobile devices were compromised across various geographical locations over a two-week period. At least 100 of these devices allegedly belonged to human rights defenders, journalists and other members of civil society. Whether the lawsuit will be successful remains to be seen. To some extent, it relies on the Computer Fraud and Abuse Act, which does make it illegal to access a computer without authorisation. However, the compromised devices did not belong to WhatsApp. WhatsApp does claim that NSO Group used its own signalling and relay servers without authorisation. This is in itself a very tenuous argument, as the same could be said of anyone sending a message to, or calling, a WhatsApp user.

The danger with backdoors

Whether the lawsuit is successful or not could also be considered moot. But at the very least, it will help to raise awareness and bring attention to the pressure exerted on companies to build backdoors into their applications and services and the potential for those same backdoors to be abused.

The overall fallout of this incident and the ensuing lawsuit will likely have no effect on the average person in the street. The massive costs involved in initially developing the required exploits and then purchasing and subsequently deploying these kinds of tools or cyber weapons mean they must be used proportionately. Therefore, they are not likely to be used as a form of mass surveillance. However, everybody should be aware that these tools are being used, and, it would appear, in many cases abused, and as such should be a little more vigilant.