Amnesty International and French journalism advocacy organisation Forbidden Stories say they've acquired a leaked list of individuals targeted by users of Israeli spyware-for-law-enforcement operator NSO Group, and that Heads of State, academics, diplomats, human rights advocates, and media figures are among those targeted.
The two organisations say the list includes records of phone numbers targeted by NSO users since 2016, and that the wide range of vocations targeted makes a mockery of NSO's claims that it tightly controls how its wares are used to prevent egregious invasions of privacy.
Perhaps the most explosive claim is that NSO products were used to target family members of Saudi journalist Jamal Khashoggi in the days before he was murdered in Istanbul.
NSO group makes a product called Pegasus that promises to make mobile devices an open book, and styles itself "the world leader in precision cyber intelligence solutions for the sole use of vetted-and-approved, state-administered intelligence and law enforcement agencies".
The company claims that it is "committed to the proper use of (its) technology" and acts to "investigate any credible allegation of product misuse". In a Transparency and Responsibility Report [PDF] published on June 30th, 2021, the NSO Group stated that it requires Pegasus "is used only where there is a legitimate law enforcement or intelligence-driven reason connected to a specific, pre-identified phone number".
The report adds that NSO Group only allows use after a court or other independent decision-maker allows its product's deployment.
"Its use against law-abiding citizens is prohibited, and customers, a majority of which are in the EU or OECD, commit that they will use our products responsibly," the report states.
Amnesty and Forbidden Stories allege, based on the leaked list of people targeted by Pegasus, that those statements aren't worth the PDF they were encoded into.
Agnès Callamard, the Secretary General of Amnesty International, wrote that the leaked document and subsequent investigation "blow apart any claims by NSO that such attacks are rare and down to rogue use of their technology.
"While the company claims its spyware is only used for legitimate criminal and terror investigations, it's clear its technology facilitates systemic abuse. They paint a picture of legitimacy, while profiting from widespread human rights violations."
The coming week's stories about the global hacking of phones identical to the one in your pocket, by for-profit companies, make it clear that export controls have failed as a means to regulate this industry.— Edward Snowden (@Snowden) July 18, 2021
Only a comprehensive moratorium on sales can remove the profit motive.
Forbidden Stories focussed on the 180-plus journalists listed, claiming that many were persecuted based on information about their work secured by using Pegasus. The organisation decries the chilling effect on public interest journalism that flowed from the use of the software.
Amnesty International has also published an analysis of how Pegasus penetrates devices and offered forensic analysis techniques to detect the presence of Pegasus on a device.
Among that report's revelations is a zero-day flaw that left iPhones susceptible to Pegasus in the current version 14.6 of iOS, thanks to flaws in iMessage.
Amnesty and Forbidden Stories have worked with several international media outlets, and all promise many more days of coverage on NSO Group and how its wares were used to surveil inappropriate targets.
NSO Group has disputed the allegations made by Amnesty and Forbidden Stories.
The core of the company's response is that conclusions of rampant misuse are "based on misleading interpretation of data from accessible and overt basic information, such as [Home Location Register lookup] HLR Lookup services, which have no bearing on the list of the customers targets of Pegasus or any other NSO products".
HLR Lookups are freely available as a service, and allow users to determine whether a phone is connected to a network, and the country in which a SIM card is registered.
- Israeli spyware maker NSO channels Hollywood spy thrillers in appeal for legal immunity in WhatsApp battle
- Mobile spyware fan Saudi Crown Prince accused by US intel of Khashoggi death
- Researchers unmask Indian 'infosec' firm to reveal hacker-for-hire op that targeted pretty much anyone clients wanted
- Senator demands deep probe into spyware-for-cops after NSO Group touts hacking toolkit to American plod
The Register expects that Amnesty, Forbidden Stories, and the other participants in what's been dubbed "The Pegasus Project" have more revelations to come. Whether that new information makes a lie of NSO Group's position remains to be seen.
For now, we can say that the surveillance-ware industry is under fire. Just last week another outfit called "Candiru" was named as the source of an espionage toolkit and Microsoft fixed the flaws it exploited with a patch. NSO itself already faces a lawsuit from Facebook, after its wares used a flaw in WhatsApp to go about its business. ®