Journalists Laurent Richard and Sandrine Rigaud, who investigated the Pegasus spyware, were the first to discover an extensive list of specific people being targeted by NSO’s clients. In working on the story, they said they had to take extreme privacy precautions to avoid their own devices being compromised.
One of the major uses of Pegasus has been to silence journalists working on revealing abuses by tyrannical governments, so the risk of their own devices being hacked without their knowledge was very real …
Pegasus explainer
NSO Group makes spyware called Pegasus, which is sold to government and law enforcement agencies. The company purchases so-called zero-day vulnerabilities (ones that are unknown to Apple) from hackers, and its software is capable of mounting zero-click exploits – where no user interaction is required by the target.
In particular, it’s reported that simply receiving a particular iMessage – without opening it or interacting with it in any way – can allow an iPhone to be compromised, with personal data exposed, all without any way for the user to know it has happened.
NSO sells Pegasus only to governments, but its customers include countries with extremely poor human rights records – with the spyware used against political opponents, human rights activists, lawyers, journalists, and more.
Apple has long been working to protect iPhone users against Pegasus: suing the company, alerting owners of infected iPhones, and offering a Lockdown Mode, which disables the most common attack paths.
Pegasus spyware journalists at risk
Laurent Richard and Sandrine Rigaud, the journalists behind the Pegasus investigation, spoke with Bloomberg about their upcoming book, Pegasus: How a Spy In Your Pocket Threatens the End of Privacy, Dignity, and Democracy (Apple Books, Amazon Kindle).
Rigaud says the power of the tool makes it a major threat against democracy.
Think about what’s on your phone — the results of your Google searches, your photos, your contact book, your location, your passwords. Everybody can appreciate how dangerous this kind of spyware could be in the hands of dictators and authoritarian regimes. Imagine how this can be used to silence journalists, to silence political opponents. That’s why we consider it a major threat against democracy.
They said they had to assume the security of their own devices was compromised.
When we started, we were investigating more than 10 countries who’d bought the Pegasus spyware. Some of them were very dangerous. We didn’t want to be the next ones on the list. If one person in our group had been infected by Pegasus, then the project would be exposed. It would have been over immediately.
For security reasons, we can’t explain specifically the tools we had to use. But what was clear is that we couldn’t use our own phones anymore. We couldn’t use our professional computers. Whenever we discussed anything with a source, we had to make sure there were no devices in the room or anywhere around us.
NSO’s ethics claims are nonsensical
NSO has frequently claimed that it doesn’t allow its spyware to be ‘misused,’ while at the same time assuring its clients that the company has no way to monitor who they are targeting.
When NSO sells the spyware, they tell the customer, “We will never know about your targets. We don’t want to know and there is no technical way for us to know about who you are targeting.” At the same time, they say, “If there’s any kind of misuse and people have been targeted improperly, if this is used against people who aren’t terrorists or criminals, we will investigate.” But how can you investigate if you don’t know who the targets are?
Apple’s fight against Pegasus is crucial
Rigaud said that the US government banning the use of Pegasus was really impactful, but Apple’s actions in alerting suspected victims and suing the company may be “even more so.”
Thanks to the exposure of the company’s activities, NSO has gone from a valuation of around $2B to being near-bankrupt. But the company is hanging in there, and there are competitors waiting to pick up where NSO left off if it does go bust.
The only solution, say the pair, is for governments and tech giants alike to continue to fight the use of spyware.
The book will be available on January 17.