Recently, Amnesty International and Forbidden Stories, a French journalism nonprofit, obtained a list of 50,000 phone numbers that were potentially targeted by Pegasus, the now infamous spyware created by NSO Group, an Israeli technology firm. Amnesty and Forbidden Stories shared that list with a group of 17 news organizations, and reporters then began tracking down who the numbers belonged to. They identified about 1,000 people by phone number, and more than 60 agreed to submit their phones for forensic examination. Of those phones, 37 showed some evidence of an attempted or successful attack. They belonged to journalists, human rights activists, and two women who were very close to Jamal Khashoggi, the slain Washington Post columnist. The original list of 50,000, and we do not know whether these people have been hacked, includes numbers belonging to French President Emmanuel Macron as well as Rahul Gandhi, a very prominent opponent of the prime minister of India.

On Friday’s episode of What Next: TBD, I talked to John Scott-Railton, a researcher at the University of Toronto’s Citizen Lab who has been following NSO since 2016, about the risks of NSO Group, the weaknesses in our technology, and what, if anything, can be done to protect it.

Lizzie O’Leary: How would you describe what NSO does?



John Scott-Railton: At its core, the spyware mercenary industry comes at a high altitude to governments. And they say, look, there are people you want to target, but more and more are using encryption. You still want to know what they say. So we have a solution for you. Use our product and hack their phones. And then you can see everything they can say, you can do everything they can do on their phones. And moreover, you can do it in silence. Without your victims knowing about it.

And this, it turns out, is the cedar of the dictator. The industry covers itself in a fig leaf, saying they sell to pursue terror and criminals. But what they do know, and what we all know now, is that their growth pattern involves selling to authoritarian regimes, which, not surprisingly, turn around and abuse this technology to target their perceived enemies, critics, their family members, anyone who bothers Mr. Strongman on a Tuesday afternoon.

The NSO is pretty frivolous to its clients. What do we know about who they are?

The NSO customer base, at this point, is a kind of well-known group: Gulf countries, UAE, Saudi Arabia. But also some small, quite random places. For example, there are many NSO targets in Togo that happen to be critical of the government. Morocco also seems to be an agile user. It seems they have tried to sell in different places in West Africa. What is interesting about this customer base is that it’s mostly authoritarian regimes.

If your phones are infected with Pegasus, what can someone watching you see?

Once your phone is infected, the Pegasus operator can see everything you see. They can see your encrypted conversations. They can see the messages you send. They can see the pictures you take of your friends and yourself. They can read your notes about yourself, look at your web browsing. They can even turn on the camera and microphone and listen, from your pocket, to the room you are in. These are highly invasive items.

Given the recent news that 50,000 phones were potentially targeted by Pegasus software, do you feel proven right, having warned about these things for years? Or was the purpose of this beyond what your research has implied?

This is the terrible thing we have tried to warn people about. Here it is. This is exactly what you can expect.

It is common for government clients of spyware companies to use this not as a criminal investigative tool, but as a step up in the intelligence game. It should come as no surprise. Everyone wants to be able to do some sort of signal intelligence. It’s just that many states can’t. I like to call this guerrilla signals intelligence. It is no surprise that heads of state and other powerful prominent people are being targeted. It would be a bigger surprise if they were not.

There are obvious reasons that an autocratic government might want to hack a phone. To follow the critics, look at what they are saying, spy on them. But is there anything more inviolable than just fear of tracking can insert?

Most authoritarians and strong rulers use fear and censorship as glue to hold together their Mad Max constructions of states. And I really believe that spyware and the threat from it, the threat of being able to dig deep into the personal lives of some people and go through it for something that harms them, is a new tool for authoritarians. And everyone loves it. They love the idea of being able to threaten people across borders with this opportunity.

One thing that is quite surprising to me in this report is how vulnerable people’s phones were, including iPhones. Apple has made such a big deal about security and privacy protection. I mean, that’s kind of the way they trade themselves. I wonder what it tells you about how safe those devices actually are.

There is an endless arms race between people trying to find their way and platforms and operating system developers and companies like Apple trying to shut them down. What makes players like NSO so tricky is that they spend a lot of time, effort, money and resources, simply looking for the next hole in an iPhone or an Android device. If companies are not really actively pursuing these groups, these groups will always have a way around whatever the most current security protections are.

We need to nurse our conversation about security away from the idea that there is a device you can buy that will be completely safe and that will isolate you from this kind of attack, and towards something that looks more like, okay, so when a company learns of a bad thing being done to their users, what do they do about it? What is interesting is that in recent years, WhatsApp, Facebook, Microsoft, Google have become more and more muscular and public in the way that they not only call some of the mercenary groups that are doing this, but in the case of WhatsApp and Facebook, actually going after them in US courts. They are suing them. And, to me, it’s a really good signal that the spyware industry has broken a lot of lines at this point, and great technology sees them as a threat to their business and as a threat to the privacy of their users and their reputation.

How then, even if you are a user, do you know fighters for an attack where you do not have to click on something? Here, we were talking about things where phones are attacked without user knowledge.

Nothing. There is nothing you can do. You can be perfect and still be hacked. What is interesting about Pegasus and the NSO and the whole industry is that they are really heading towards a model where they can compromise a phone without any behavior required by the victim. And it simply means that users are there, naked and twisted in the digital age. And now, it’s a situation that affects everyone. Which means unlike the situation that is often true with cyber security, where only people who do not pay for certain types of support are vulnerable, here, 10 prime ministers, three presidents and a king cannot go wrong. Everyone seems to be vulnerable now.

Well, if there’s one thing I can’t do that will fix this, is there anything Apple or Google can do about their security level?

Yes. One of the problems that technology always has is when a threat actor is in a country where they are not sensitive to the usual consequences, like Russia or Iran, you need to understand another way to limit the harm this group does to your users and for your safety. In this case, the NSO, for a long time, seems to have a fairly free hand and is basically passing without any consequences.

I think the other half of this is that companies need to put their research where their mouth is. If they are going to promise security to their users, they should be able to say, yes, we’re investing a lot of money, we have people spending their days thinking about nothing but what the spyware trading industry is doing and trying to predict their future moves, and protecting our users from it. It also means that those companies need to work regularly with the government and say, look, we have a problem, we need to use your channels, or help us find some responsibility or use diplomatic channels to stop this. Because now it is totally out of control.

Why should the average person care about Pegasus and the spyware mercenary industry in general?



It is difficult to explain, in simple ways, certain types of damage. And it’s hard to tell them. Like climate change, right? People want Look she And one of the things that is powerful about this Forbidden Stories / Amnesty Act is that they see harm. They see people who are victims. They see people being targeted. Now, it may be the case that they see people they do not know, right? Most people will not personally recognize any of these intentions. But the question is, you do not know if this will be true tomorrow. The holy grail of the NSO and spyware mercenary industry is to enter the US market. And I do not mean just selling to the FBI. I mean the sale to the local cops.

Does their technology work on American phones?

They have said their technology does not allow foreign customers to target US phone numbers. They have also spent years dumping their technology in US police departments. Apparently there is only one key they can move, right? If they are going to sell this to a US police department, they are definitely going to sell them the capacity to target a US number. There is no magic in Pegasus DNA that prevents it.

Ten years ago, people had just started reporting on the industry. And it was hard to get people to care. Because the victims did not look like them, and they did not live in their places. With each cycle of this, the victims look more and more like them, and more and more likely to be in their place. This shocking wave of oversight will end, literally, on our collective thresholds. And we need to understand how to slow down this industry before it gets done.

