Senator demands deep probe into spyware-for-cops after NSO Group touts hacking toolkit to American plod
'Aggressive oversight' needed, Congress urged
Updated A prominent senator has called for “aggressive oversight” into the sale of hacking-and-spying tools to police forces in America.
Senator Ron Wyden (D-OR) was reacting to Vice's discovery of a brochure by Westbridge Technologies – the US sales wing of the controversial NSO Group – which pitched NSO's Pegasus technology, rebadged as Phantom, to a police force in San Diego, California. This is despite NSO claiming in court filings two weeks ago that it had no US presence.
“Government hacking is among the most invasive forms of surveillance – tracking someone’s movements, turning on their webcam and microphone, or accessing photos and other sensitive data on a phone or computer,” Wyden said in a statement to The Register.
“These tools are ripe for abuse, for example, by a law enforcement officer to spy on an ex. Congress must conduct aggressive oversight into the proliferation of these spying technologies and their use by state and local agencies.”
The reference to spying on an ex-partner relates to claims that an employee of NSO Group who was caught using the firm’s technology to spy on a woman they were interested in romantically. The employee was fired.
Spyware slinger NSO to Facebook: Pretty funny you're suing us in California when we have no US presence and use no American IT services...READ MORE
NSO Group has become synonymous with state-sponsored spying thanks to its software being used by a number of authoritarian governments to stamp out dissent. The Pegasus/Phantom tool was reportedly used by Saudi Arabia to target and ultimately murder journalist Jamal Khashoggi. It may also have been used to hack the phone of Amazon CEO Jeff Bezos.
Now only use it for good things, ok?
NSO says its spyware should only be used to combat terrorism or serious crime, but it has repeatedly been discovered on the phone of journalists, activists, and political dissidents across the globe. Facebook is also suing the Israeli company for targeting users of its WhatsApp messaging service.
Typically, a device is infected with the surveillance-ware via a software vulnerability exploit. For example, a booby-trapped message, when opened on a phone, exploits a weakness in the device's applications or operating system to trigger the execution of code smuggled inside the message, leading to the installation of the malware.
In the case of Jeff Bezos, a WhatsApp chat message from the Crown Prince of Saudi Arabia, Mohammad bin Salman, with a video that he said was some kind of promotional video for telecommunications is suspected to be the route by which the spyware was downloaded onto his phone.
Once Pegasus/Phantom is on a phone or computer, it can track location, read texts, emails and social media posts, download videos and photos held on the device and turn on its camera and microphone. The risk posed by the software is such that the United Nations representatives have repeatedly condemned its use.
The fact that NSO Group is now specifically peddling its wares to US police forces – albeit through a different company and product name – is alarming given the enormous resources often available to America's cops and limited oversight and accountability.
A US police force should require a warrant to use the software, especially given recent Supreme Court decisions over the contents of mobile phones, but, again there is little or no insight into whether that is happening and what uses the technology is being put to.
There have been numerous examples of where local police forces have used computer tools made available to them in highly inappropriate ways, the most memorable perhaps being when police in Maryland used controversial cellphone-tracking technology that is intended only for the most serious crimes to track down a man who stole $50 of chicken wings. ®
Updated to add
NSO Group has been in touch to split hairs over whether Westbridge is its American sales wing or not. NSO claims it has no control over Westbridge, though it noted Westbridge is a stablemate of NSO under a parent company.
We note that Westbridge and NSO executives have close ties, and that Westbridge described itself as NSO's "North American branch" in its marketing brochure.
"Westbridge Technologies shares a parent company with NSO but is neither NSO’s subsidiary nor its 'arm.' NSO exercises no control over Westbridge Technologies," a spokesperson for NSO told us. As for touting surveillance-ware to police officers, the spokesperson continued:
There are significant legal and contractual constraints concerning our ability to comment on whether a particular government agency has licensed, or considered licensing NSO's products. NSO offers its technology only to verified and authorized government agencies, and we are incredibly proud of our products’ record of helping governments save lives, prevent terror and serious crime worldwide.
We stand by previous statements that NSO Group products sold to foreign sovereigns cannot be used to conduct cybersurveillance within the United States, and no customer has ever been granted technology which enables targeting phones with US numbers.
This article was also updated to make clear Senator Wyden was calling for congressional oversight into all spyware offered to police, not just malware made by NSO Group.
- Black Hat
- Common Vulnerability Scoring System
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Breach
- Data Protection
- Data Theft
- Digital certificate
- Identity Theft
- Kenna Security
- Palo Alto Networks
- Trusted Platform Module
- Zero trust