It isn’t the first case of electronic spying, but it’s a doozy. Security researchers found evidence of attempted or successful installation of Pegasus, software made by an Israeli cybersecurity company, on 37 phones of activists, journalists, and businesspeople who appear to have been the targets of potentially intense secret surveillance. The phones were on a list of more than 50,000 phone numbers for politicians, judges, lawyers, teachers and others.
Made by NSO Group, the software is the latest example of how vulnerable we all are to digital prying. Our most personal information — photos, text messages and emails — is stored on our phones. Spyware can bypass the encryption that protects data sent over the internet.
The 50,000 phone numbers are connected to phones around the world, though NSO disputes the link between the list and actual phones targeted by Pegasus. The devices of dozens of people close to Mexican President Andrés Manuel López Obrador were infected, as were those belonging to CNN, Associated Press, New York Times and Wall Street Journal reporters. But phones from several on the list, including Claude Mangin, the French wife of a political activist jailed in Morocco, were infected or attacked.
Here’s what you need to know about Pegasus.
What is NSO Group?
It’s an Israel-based company that licenses surveillance software to government agencies. The company says its Pegasus software provides a valuable service because encryption technology means criminals and terrorists have “gone dark.” The software runs secretly on smartphones, shedding light on what the owners are doing.
Chief Executive Shalev Hulio co-founded the company in 2010. The company also offers other tools that locate where a phone is being used, defend against drones and mine law enforcement data to spot patterns.
NSO Group has been implicated by previous reports and lawsuits in other hacks, including a reported hack of Amazon founder Jeff Bezos in 2018. A Saudi dissident sued the company in 2018 for its alleged role in hacking a device belonging to journalist Jamal Khashoggi, who had been murdered inside the Saudi embassy in Turkey that year.
What is Pegasus?
Pegasus is NSO’s best known product. It can be installed remotely without a surveillance target ever having to open a document or website link, according to the Washington Post. Pegasus reveals all to the NSO customers who control it — text messages, photos, emails, videos, contact lists — and can record phone calls. It can also secretly turn on a phone’s microphone and cameras to create new recordings, the Washington Post said.
General security practices like updating your software and using two-factor authentication can help keep mainstream hackers at bay, but protection is really hard when expert, well-funded attackers concentrate their resources on an individual.
Pegasus isn’t supposed to be used to go after activists, journalists and politicians. “NSO Group licenses its products only to government intelligence and law enforcement agencies for the sole purpose of preventing and investigating terror and serious crime,” the company says on its website. “Our vetting process goes beyond legal and regulatory requirements to ensure the lawful use of our technology as designed.”
Human rights group Amnesty International, however, documents in detail how it traced compromised smartphones to NSO Group. Citizen Lab, a Canadian security organization at the University of Toronto, said it independently validated Amnesty International’s conclusions after examining phone backup data.
Why is Pegasus in the news now?
Forbidden Stories, a Paris journalism nonprofit, and Amnesty International, a human rights group, shared with 17 news organizations a list of more than 50,000 phone numbers for people believed to be of interest to NSO customers.
The news sites confirmed the identities of many of the individuals on the list and infections on their phones. Of data from 67 phones on the list, showed 37 exhibited signs of Pegasus installation or attempted installation, according to The Washington Post. Of the 37, 34 were Apple iPhones.
What does NSO have to say about this?
NSO acknowledges its software can be misused. It cut off two customers in the last 12 months because of concerns about human rights abuses, according to The Washington Post. “To date, NSO has rejected over US $300 million in sales opportunities as a result of its human rights review processes,” the company said in a June transparency report.
However, NSO strongly challenges any link to the list of phone numbers. “There is no link between the 50,000 numbers to NSO Group or Pegasus,” the company said in a statement.
“Every allegation about misuse of the system is concerning me,” Hulio told The Post. “It violates the trust that we give customers. We are investigating every allegation.”
In a statement, NSO denied “false claims” about Pegasus that it said were “based on misleading interpretation of leaked data.” Pegasus “cannot be used to conduct cybersurveillance within the United States,” the company added.
How can I tell if my phone has been infected?
Amnesty International released an open source utility called MVT (Mobile Verification Toolkit) it built that’s designed to detect traces of Pegasus. The software runs on a personal computer and analyzes data including backup files exported from an iPhone or Android phone.