Are You at Risk from the NSO Group?
So you get your shiny new iPhone. You love the camera on it, appreciate how easily it retrieves all of your data from your old phone, and dig how Siri seems even more intuitive than ever to your requests.
And you don’t even bat an eye when you see the security update prompts; I mean it’s good when your online equipment stays on top of security vulnerabilities and threats, right? Trust, install and forget.
Well, not so fast. All of that supposed protection might very well be an illusion, particularly if you are a strong social presence with alternative opinions from the Big Brother Status Quo.
Infringement vs. Ideals
So who, exactly, is breaking into personal cell phones and devices? We have all heard about the “hackers” and “hacker groups” who are stealing what they can for economic gain or their version of the moral high ground. But what about governments, who are aggressively increasing/expanding their terrorist and/or subversive hunting tactics?
This new Orwellian reality begs many questions. Which governments are doing it? Who, what and why are they targeting? What is their benchmark and how deep do they go? Are you at risk of being spied on if someone sends you a controversial .jpeg or a text with a trigger word? Who determines this? Who is watch-dogging the whole situation? And most importantly, how are they getting in?
Enter Pegasus and the NSO
Pegasus, which was publicly outed back in 2016, is spyware developed by an Israeli cyberarms firm known as the NSO Group. Pegasus can be covertly installed on mobile phones (and other devices) running iOS and Android, including the most recent versions of these platforms.
Once embedded on a device, Pegasus stealthily collects the user’s private and personal information, can intercept calls and messages and can even turn a mobile phone into a remote listening device. Thought of as perhaps the most sophisticated smartphone attack ever, this was the first time that a malicious remote exploit used jailbreaking to gain unrestricted access to an iPhone.
The intent of the NSO Group, according to their released publications, is to allow the usage of Pegasus only by licensed law enforcement agencies in an effort to target criminals and terrorists. While this is all fine and dandy in theory, an ethical problem arises when governments determine threats with their own agendas, such as using the spyware to target journalists, lawyers and human rights activists around the world who may not share the government’s point of view.
Despite Pegasus being exposed in 2016 to world-wide outrage, denials and allegations, it didn’t go away; its usage didn’t stop. As reported by the Citizen Lab (and myriad media outlets), as late as July of 2021, Pegasus was reputedly still being widely used against high-profile targets by several authoritarian states such as Bahrain, Saudi Arabia, Rwanda, the United Arab Emirates and Mexico, though NSO has repeatedly declined to name or confirm its dozens of customers, citing nondisclosure agreements.
Perhaps even more frightening, reports infer that Pegasus has the ability to infect all modern iOS versions including the iOS 14.6, released May 2021, through a zero-click (meaning no user interaction is required to infect the targeted device) iMessage exploit dubbed “FORCEDENTRY”, the latest in a string of zero-click exploits linked to NSO Group. It is suspected to have been developed to circumvent Apple’s “Blastdoor” mitigation for their iOS14, a security patch speculated to have been created in part to combat the earlier KISMET zero-click iMessage exploit (which was rumored to have been used on more than 1400 phones in 2019 via WhatsApp). Round and round it goes, where it stops no one knows.
There is backed evidence that FORCEDENTRY uses a weakness in Apple’s iMessage function to silently send corrupt files to a phone that appear to be GIF extensions, but are actually Adobe PDF files containing malicious code that target Apple’s image rendering library. It works against Safari, Photos, Apple Music, and iMessage, as well as Apple iOS, MacOS and WatchOS devices.
For the tech savvy, here is a breakdown of known affected software configurations, provided by NIST:
What is Apple Doing About This?
Well, suing, of course; it’s the American way. According to CNBC and AppleInsider, as of November 23, Apple filed a permanent injunction to ban NSO Group from using Apple software, services, or devices. It’s also seeking damages over $75,000.
They are poised to hold NSO Group accountable for its surveillance of some Apple users. Along with the filing, Apple has said it will also be contributing $10 million and damages from the lawsuit to organizations related to cybersurveillance research and advocacy.
Credit is due to Apple for at least going public with the FORCEDENTRY exploit instead of trying to hide it and sweep it under the rug, a more-common-than-we-know practice by many big tech companies, even if it is the typical corporate white-washed boilerplate statement.
Back in July, Apple’s head of security engineering and architecture Ivan Krstic stated, “Apple unequivocally condemns cyberattacks against journalists, human rights activists, and others seeking to make the world a better place … Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”
In November, Apple SVP of Software Engineering Craig Federighi released the following statement:
“State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change… Apple devices are the most secure consumer hardware on the market — but private companies developing state-sponsored spyware have become even more dangerous.”
“While these cybersecurity threats only impact a very small number of our customers, we take any attack on our users very seriously,” Federighi continued, “and we’re constantly working to strengthen the security and privacy protections in iOS to keep all our users safe.”
NSO is also encountering backlash from other big tech companies and governing agencies. For example, the U.S. Commerce Department recently blacklisted NSO Group, prohibiting it from using American technology in its operations. Meta (formerly known as Facebook) subsidiary WhatsApp is also separately suing NSO Group, a move supported by Microsoft and Google. This, on the surface, seems to signal a conjoined effort to “curb invasive spyware by governments.”
So are we at risk and what can we do?
Apple stresses that while its servers were “misused to deliver” the data, the servers themselves were not hacked or compromised by the attacks. They also clarified that the attacks were only targeted at a small number of customers, and said they will inform iPhone users that may have been targeted by Pegasus malware.
Apple continued its reassurances by stating they patched the flaws that, “enabled the NSO Group software to access private data on iPhones using ‘zero-click’ attacks where the malware is delivered through a text message and leaves little trace of infection.”
While lip service is generally pleasurable, let’s get to the crux of the matter: how does Pegasus and certainly other future (and yet undiscovered past) exploits affect the general user and should we be worried about it? How can the layperson be assured that every site they visit, every text and .jpeg they send and receive isn’t being recorded, filed and scrutinized.
For users, keeping your iPhones (and any devices that have connectivity to the Internet) up-to-date is always good mitigation. Apple has provided this security update and urges all users to engage it as soon as possible.
But more due diligence is required. While doing security and firmware updates on devices is good — essential — practice, users should take a pause and dig into what’s actually going on with the update and why. Most times the updates involve performance upgrades and bug fixes, but when they’re flagged as a security patch on a vulnerability, take heed, do some online searching from reputable sources and find out what’s going on. Say to yourself as a habit, “What is being patched and why?”
Additionally, consider configuring your messenger apps to not accept messages and/or media from both unknown entities and people not on your contact list. If you do access message threads from unknown or new contacts, be very cautious before you do so.
For tech companies and app-making companies alike, the securing of popular messaging apps must be seriously addressed. It is apparent that chat apps have become a major target for the most sophisticated threat actors, including nation state espionage operations and the mercenary spyware companies that service them. In their present state, many of the popular chat apps have become an irresistible target for those with malicious intent. Let’s do away with new cameras and emoticons and shift the focus to true device security.
Of course, there’s a much bigger picture here. The very fact that rogue spyware companies invest substantial resources into identifying software vulnerabilities on widely used applications and then package those exploits to eager government clients is morally murky no matter which lens it is viewed through.
But it’s a seller’s market and the fault can’t be entirely laid at the feet of the companies that are creating this spyware. When unaccountable government security agencies are purchasing these products for ANY use, far beyond just the reckless violation of international human rights law, regulation is desperately needed. Just who will be responsible for this, what the responsibilities will be and how they base these responsibilities will be something we as a whole should be watching vigilantly for the foreseeable future. An ancient Chinese curse said, “May you live in interesting times.” Interesting indeed. Bob Dylan told us, “The times they are a-changing.” But are they?