Pegasus has been a politically explosive issue that’s put Israel under pressure from activists and from governments worried about misuse of the software. France and the US earlier raised concerns, and NSO has suspended some countries’ Pegasus privileges. Earlier in November, the US federal government took much stronger action, blocking sale of US technology to NSO by putting the company on the government’s Entity List.
Now Apple has sued NSO Group, seeking to bar the company’s software from being used on Apple devices, require NSO to locate and delete any private data its app collected, and disclose the profits from the operations. “Private companies developing state-sponsored spyware have become even more dangerous,” Apple’s software chief, Craig Federighi, said in a release Tuesday.
The phones were on an activist organization’s list of more than 50,000 phone numbers for politicians, judges, lawyers, teachers and others. Also on that list are 10 prime ministers, three presidents and a king, according to an international investigation released in mid-July by The Washington Post and other media outlets, though there’s no proof that being on the list means an attack was attempted or successful.
NSO Group is a company that licenses surveillance software to government agencies. The company says its Pegasus software provides a valuable service because encryption technology has allowed criminals and terrorists to go “dark.” The software runs secretly on smartphones, shedding light on what their owners are doing. Other companies provide similar software. Chief Executive Shalev Hulio co-founded the company in 2010. NSO also offers other tools that locate where a phone is being used, defend against drones and mine law enforcement data to spot patterns. NSO has been implicated by previous reports and lawsuits in other hacks, including a reported hack of Amazon founder Jeff Bezos in 2018. A Saudi dissident sued the company in 2018 for its alleged role in hacking a device belonging to journalist Jamal Khashoggi, who had been murdered inside the Saudi embassy in Turkey that year.
Pegasus is the latest example of how vulnerable we all are to digital prying. Our phones store our most personal information, including photos, text messages and emails. Spyware can reveal directly what’s going on in our lives, bypassing the encryption that protects data sent over the internet. The 50,000 phone numbers are connected to phones around the world, though NSO disputes the link between the list and actual phones targeted by Pegasus. The devices of dozens of people close to Mexican President Andrés Manuel López Obrador were on the list, as were those belonging to reporters at CNN, the Associated Press, The New York Times and The Wall Street Journal. Several phones on the list, including one belonging to Claude Mangin, the French wife of a political activist jailed in Morocco, were infected or attacked. Other cases of Pegasus infection have emerged since the initial revelations.
Pegasus is NSO’s best-known product. It can be installed remotely without a surveillance target ever having to open a document or website link, according to The Washington Post. Pegasus reveals all to the NSO customers who control it — text messages, photos, emails, videos, contact lists — and can record phone calls. It can also secretly turn on a phone’s microphone and cameras to create new recordings, The Washington Post said.
General security practices like updating your software and using two-factor authentication can help keep mainstream hackers at bay, but protection is really hard when expert, well-funded attackers concentrate their resources on an individual.
Pegasus isn’t supposed to be used to go after activists, journalists and politicians. “NSO Group licenses its products only to government intelligence and law enforcement agencies for the sole purpose of preventing and investigating terror and serious crime,” the company says on its website. “Our vetting process goes beyond legal and regulatory requirements to ensure the lawful use of our technology as designed.”
Human rights group Amnesty International, however, documents in detail how it traced compromised smartphones to NSO Group. Citizen Lab, a Canadian security organization at the University of Toronto, said it independently validated Amnesty International’s conclusions after examining phone backup data. In September, though, Apple fixed a security hole that Pegasus exploited for installation on iPhones. Malware often uses collections of such vulnerabilities to gain a foothold on a device and then expand privileges to become more powerful. NSO Group’s software also runs on Android phones.