Forget China, or the worst excesses of the most sophisticated surveillance agencies such as the US's Central Intelligence Agency and National Security Agency or the UK's Government Communications Headquarters.
What we’ve learned this week from the collective global investigative journalism initiative called the Pegasus Project is that we have vastly underestimated the breathtakingly invasive scope already available to a surveillance-intent government, agency, or private surveillance client with the money to buy Pegasus spyware from the controversial Israeli software company NSO.
The Pegasus Project involves reporters from 80 media companies across 17 media organisations in 10 countries, co-ordinated by Paris-based media non-profit Forbidden Stories, with the technical support of Amnesty International.
Technical examination of hacked phones by the project indicates that once the Pegasus software is on a phone, it is able to obtain a mind-boggling degree of access to the phone’s data and secretly surveil the phone’s owner by activating the microphone and camera. According to Amnesty, Pegasus can gain access to messages, emails, and photographs, and record your calls. It can use the phone to track a person’s location and thus, where a person has been and whom they’ve met.
Compromised numbers
A leaked document obtained by the project lists 50,000 potentially compromised numbers for Android and Apple handsets. Some numbers are for international leaders such as French president Emmanuel Macron, South African president Cyril Ramaphosa and Pakistan prime minister Imran Khan, though the presence of a number on the list does not indicate a hack was attempted or successful.
NSO claims the phone list has nothing to do with client targets, but the Guardian, one of the project’s partner organisations, says “the list is believed to be indicative of individuals identified as persons of interest by government clients of NSO”.
Already, previous investigations in recent years have demonstrated that Pegasus was used to compromise the handsets of human rights activists, lawyers and journalists, including the fiancee of murdered Saudi Arabian journalist Jamal Khashoggi.
The Pegasus Project has initiated a major international fallout with numerous states furious at the possibility that leaders, their wider circles, and other individuals may have been compromised.
Many of the exploits examined by Amnesty indicate phones were infiltrated using weaknesses in Apple iPhone’s iMessage application, raising serious questions for Apple, which has claimed its app is more secure than many others. In addition, Amnesty notes that once on a handset, Pegasus can access encrypted apps such as Signal, WhatsApp, Telegraph and others commonly utilised by vulnerable human rights activists.
In the past, a successful hack required an unsuspecting handset user to click on a malicious “spear-phishing” link to install the software. But Amnesty’s technical analysis showed that the current version potentially can hack a phone via a “zero-click” attack requiring no interaction at all from the phone’s owner.
Amnesty Ireland told me that researchers so far have not found any Irish targets of the software, neither have they seen any Irish NSO clients that might have purchased the software, but noted the leaked database is huge and still being examined.
Irish-based human rights organisation Front Line Defenders told me that they have been aware of Pegasus being used to compromise phones of human rights defenders and lawyers for several years, both from direct contact with affected individuals and from work done by Amnesty and technical forensics experts Citizen Lab in Toronto.
But the risks are there for all of us, and not only because of the alarming possibility that a government with access to such software would have access to an easy and shockingly detailed method of surveilling an entire population.
‘Global concern’
“This is a global concern – anyone and everyone is at risk, and even technology giants like Apple are ill-equipped to deal with the massive scale of surveillance at hand,” says deputy director of Amnesty Tech Danna Ingleton.
Front Line Defenders' technical expert Wojtek Bogusz says "it makes everyone more vulnerable", that commercial companies working in spying and surveillance services "can use vulnerabilities in the software used by billions of people to create spying tools, sell those tools to others and benefit from that, instead of reporting those vulnerabilities to developers of the [hacked] software like Apple, Microsoft, Google, or Mozilla so those can be fixed as soon as possible."
He adds: “We have learned from previous experiences that knowledge of those vulnerabilities, if not fixed, eventually makes its way to dictators and criminal circles” and are then used against activists, businesses and ordinary citizens.”
The insistence of commercial spyware vendors that they only sell their spying software to “good” people, to go after criminals or terrorists, “is naive and dangerous,” insists Bogusz. “This type of business, and software like Pegasus, should be forbidden. There is no way to keep software like this, or any intentionally-created ‘backdoors’ [intentionally-encoded access for security services] in software limited to only good use.”
The sector remains largely unregulated. We must insist the work of the Pegasus Project changes this appalling situation.