Pegasus isn’t new. Anyone in the field has known about NSO Group’s spyware and its use against politicians, activists and journalists for half a decade. What’s worth discussing, though, is how the topic has been ignored for so long, both by the press and by iPhone maker Apple.
I’ve been asked to cover this topic several times over the last few weeks and so today on The Private Citizen, we are finally looking at the Pegasus smartphone spyware from NSO Group. It’s a bit of a boring topic for me, because I have covered it before, but it is nonetheless very important to talk about this.
As an aside: It’s nice to see that the show is steadily picking up listeners. As far as I can tell, which is famously hard to do with podcasts, listenership has doubled over the last six months and is now far exceeding any other podcast I have ever done aside from Linux Outlaws. But even in comparison to that show, we’re doing quite well. The podcast now has approximately a third of the listeners LO had at the height of its run – and LO had been around for seven years at that point. No wonder I’m getting so many emails from marketers lately.
The Pegasus Project Investigation
The Pegasus Project, an international collaboration of investigative journalists, has put a media spotlight on Israeli spyware company NSO Group and their Pegasus trojan. While their investigation, beyond implementation details and a list of victims, has revealed nothing that wasn’t already known or suspected by experts in the field, it has galvanised public understanding a bit like the Snowden revelations did for electronic US government spying programs. Thus, another conspiracy theory was borne out to be totally spot on.
That the Pegasus trojan exists and is being actively used isn’t news. Pegasus was first revealed to the world in a Vice story from 2016. I myself covered the discovery of the Android version of the spyware in 2017. Similarly, we’ve known for a while about NSO Group and their shady practice of selling their software to questionable governments who then use it to spy on politicians, dissidents and journalists. I last covered this almost exactly three years ago when The New York Times reported that NSO Group had hacked a prince, an emir and a journalist to impress a client.
A little background on Pegasus:
Pegasus is a spyware developed by the Israeli cyberarms firm NSO Group that can be covertly installed on mobile phones (and other devices) running most versions of iOS and Android. The 2021 Project Pegasus revelations suggest that the current Pegasus software can exploit all recent iOS versions up to iOS 14.6. As of 2016, Pegasus was capable of reading text messages, tracking calls, collecting passwords, location tracking, accessing the target device’s microphone and camera, and harvesting information from apps.
NSO Group was previously owned by American private equity firm Francisco Partners, but it was bought back by its founders in 2019. The company states that it provides “authorized governments with technology that helps them combat terror and crime.” NSO Group has published sections of contracts which require customers to use its products only for criminal and national security investigations and has stated that it has an industry-leading approach to human rights.
Pegasus was discovered in August 2016 after a failed installation attempt on the iPhone of a human rights activist led to an investigation revealing details about the spyware, its abilities, and the security vulnerabilities it exploited. News of the spyware caused significant media coverage. It was called the “most sophisticated” smartphone attack ever, and marked the first time that a malicious remote exploit using jailbreak to gain unrestricted access to an iPhone had been detected.
On August 23, 2020, according to intelligence obtained by the Israeli newspaper Haaretz, NSO Group sold Pegasus spyware software for hundreds of millions of US dollars to the United Arab Emirates and the other Gulf States, for surveillance of anti-regime activists, journalists, and political leaders from rival nations, with encouragement and mediation by the Israeli government. Later, in December 2020, the Al Jazeera investigative show The Tip of the Iceberg exclusively covered Pegasus and its penetration into the phones of media professionals and activists; and its use by Israel to eavesdrop on both opponents and allies.
And what new things did the Pegasus Project investigation reveal?
In July 2021, widespread media coverage as part of the Project Pegasus revelations, along with an in-depth analysis by human rights group Amnesty International, uncovered that Pegasus was still being widely used against high-profile targets. It showed that Pegasus was able to infect all modern iOS versions up to iOS 14.6, through a zero-click iMessage exploit.
The investigation suggested that Pegasus continued to be widely used by authoritarian governments to spy on human rights activists, journalists and lawyers worldwide, although NSO claims that it is only intended for use against criminals and terrorists.
Targets include known criminals as well as human rights defenders, political opponents, lawyers, diplomats, heads of state and nearly 200 journalists from 24 countries. The Guardian mentioned 38 journalists in Morocco, 48 journalists in Azerbaijan, 12 journalists in the United Arab Emirates and 38 journalists in India as having been targeted.
After the revelations of the Pegasus Project investigation, in which it was revealed that the French president Emmanuel Macron was targeted, France launched an investigation into the matter. In the aftermath of these revelations, Macron changed his telephone number and replaced his phone. Furthermore, he ordered an overhaul in security procedures. French intelligence (ANSSI) confirmed that Pegasus spyware had been found on the phones of three journalists, including a journalist of France 24, in what was the first time an independent and official authority corroborated the findings of the investigation.
As usual, and as was my own experience years ago when I covered this, NSO Group denies all involvement aside from having sold spyware, even though there have been numerous reports in the past that their customer service people actively help customers install the spyware on phones and then, in some cases, help with operating it.
NSO Group stated: “NSO does not operate the systems that it sells to vetted government customers, and does not have access to the data of its customers' targets. NSO does not operate its technology, does not collect, nor possesses, nor has any access to any kind of data of its customers. Due to contractual and national security considerations, NSO cannot confirm or deny the identity of our government customers, as well as the identity of customers of which we have shut down systems.”
The CEO of NSO Group categorically claimed that the list in question is unrelated to them and that the source of the allegations cannot be verified as a reliable one. “This is an attempt to build something based on a crazy lack of information… There is something fundamentally wrong with this investigation.”
Clearly PR bullshit as they provide no information whatsoever to refute the claims made by the investigators.
So, What’s New?
We knew that Pegasus existed and had no reason to believe it wasn’t still actively being used in 2021, including against politicians, dissidents and journalists. We also knew that the NSO claims of “we only sell to the good people for good reasons” are obviously bullshit. So beyond some headlines and some juicy details (Macron was on a list, it works in current iOS without user interaction) there’s nothing new here.
As with Snowden, nobody in the public and the more mainstream media organisations listened to the experts who had good reasons to warn of all of this years ago. The public once again branded sceptical thinkers as conspiracy theorists and then made it BREAKING NEWS when the theories (by the experts no less) were proven correct. Surprise! There actually is a conspiracy by state organs to spy on citizens and with the more or less tacit approval by the government of Israel, no less.
I am sorry. I just can’t help but be cynical like this. I’ve now been at this for almost a decade as a professional journalist and probably a decade longer as just a geek, and I’ve seen this pattern repeat again and again and again. The experts are not listened to, belittled and in some cases branded as nutcases, and then suddenly a journalist gets the right input or motivation and it all changes. Suddenly this is a huge story that concerns everyone! It’s especially ironic in this case, because the journalists often plainly ignored or even ridiculed the experts as paranoid and prone to conspiracy theories and were later outraged because someone dared to target them.
Still, as much as this topic is boring to me personally (I was interested in this half a decade ago when it was actually news), Snowden has taught me that I need to swallow these personal feelings. Because it is important that the public finally knows what is going on. And it is important that we do not let them forget about it again. Or get duped by hypocrites who will in a year or two try to tell them once again that all of this is fine, blanket surveillance and spying is only used for your own good and everything the government of Israel does is totally above board.
We also need to make people think about this in the context of the nonsense that is spouted by people like Biden about “cyber war” and its consequences. Because somehow Israel gets away with supporting a company like this, while Biden threatens basically nuclear war over Russian hacking. Imagine it had been revealed that Russia is hosting (and actively supporting) a company that spied on all these people. Imagine the backlash there. Somehow it’s okay if Netanyahu (and now Bennett) does it, but it’s evil and grounds for war if Putin does? Give me a break! Why do people buy bullshit propaganda like this?
We also need to hammer it into people’s brains that companies don’t have morals and will sell their weapons (and so-called cyber weapons) to anyone who pays. NSO’s contract clauses are pure PR. They will obviously sell this to anyone if they can pay and if NSO can get away with it. That’s clear. And people should understand that this isn’t the exception but rather very much the rule for companies. Don’t listen to their propaganda, like this thinly-veiled Washington Post shill piece.
Apple’s Role in All of This
One interesting aspect is Apple’s role in all of this. Much in line with my discussion in episode 81, this makes it clear that security (just like privacy) is more of an advertising feature to Apple than the raison d’être they claim it to be. How else can we explain that it has been reported, as recently as yesterday, that NSO can circumvent iOS security with exploits that don’t need user interaction at all?
Citizen Lab, the internet watchdog based at the University of Toronto, analyzed the activist’s iPhone 12 Pro and found evidence that it was hacked starting in February using a so-called “zero-click” attack, since it does not require any user interaction to infect a victim’s device. The zero-click attack took advantage of a previously unknown security vulnerability in Apple’s iMessage, which was exploited to push the Pegasus spyware, developed by Israeli firm NSO Group, to the activist’s phone.
The hack is significant, not least because Citizen Lab researchers said it found evidence that the zero-click attack successfully exploited the latest iPhone software at the time, both iOS 14.4 and later iOS 14.6, which Apple released in May. But the hacks also circumvent a new software security feature built into all versions of iOS 14, dubbed BlastDoor, which is supposed to prevent these kinds of device hacks by filtering malicious data sent over iMessage.
When reached by TechCrunch, Apple would not explicitly say if it had found and fixed the vulnerability that NSO is exploiting. A spokesperson for Apple said BlastDoor was not the end of its efforts to secure iMessage and that it has strengthened its defenses in iOS 15, which is slated for release in the next month or so.
Moosa Abd-Ali, a photojournalist who was previously targeted by FinFisher spyware sold to the Bahraini government, had his iPhone hacked while living in London. Abd-Ali, who said he was arrested and tortured in Bahrain, said that he thought he would find safety in the U.K. but that he still encounters digital surveillance but also physical attacks, as many victims of spyware experience. “Instead of protecting me, the U.K. government has stayed silent while three of their close allies – Israel, Bahrain and the UAE – conspired to invade the privacy of myself and dozens of other activists,” he said.
The Guardian came to pretty much the same conclusions right after the initial Project Pegasus reporting.
Dating back to the earliest days of the mobile platform, Apple fought to ensure that hacking iOS was hard, that downloading software was easy and safe, and that installing patches to protect against newly discovered vulnerabilities was the norm.
And yet Pegasus has worked, in one way or another, on iOS for at least five years. The latest version of the software is even capable of exploiting a brand-new iPhone 12 running iOS 14.6, the newest version of the operating system available to normal users. More than that: the version of Pegasus that infects those phones is a “zero-click” exploit. There is no dodgy link to click, or malicious attachment to open. Simply receiving the message is enough to become a victim of the malware.
It’s worth pausing to note what is, and isn’t, worth criticising Apple for here. No software on a modern computing platform can ever be bug-free, and as a result no software can ever be fully hacker-proof. Governments will pay big money for working iPhone exploits, and that motivates a lot of unscrupulous security researchers to spend a lot of time trying to work out how to break Apple’s security.
But security experts I’ve spoken to say that there is a deeper malaise at work here. “Apple’s self-assured hubris is just unparalleled,” Patrick Wardle, a former NSA employee and founder of the Mac security developer Objective-See, told me last week. “They basically believe that their way is the best way.” What that means in practice is that the only thing that can protect iOS users from an attack is Apple – and if Apple fails, there’s no other line of defence.
At the heart of the criticism, Wardle accepts, is a solid motivation. Apple’s security model is based on ensuring that, for the 99% – or more – for whom the biggest security threat they will ever face is downloading a malicious app while trying to find an illegal stream of a Hollywood movie, their data is safe. Apps can only be downloaded from the company’s own App Store, where they are supposed to be vetted before publication. When they are installed, they can only access their own data, or data a user explicitly decides to share with them. And no matter what permissions they are given, a whole host of the device’s capabilities are permanently blocked off from them.
But if an app works out how to escape that “sandbox”, then the security model is suddenly inverted. “I have no idea if my iPhone is hacked,” Wardle says. “My Mac computer on the other hand: yes, it’s an easier target. But I can look at a list of running processes; I have a firewall that I can ask to show me what programs are trying to talk to the internet. Once an iOS device is successfully penetrated, unless the attacker is very unlucky, that implant is going to remain undetected.”
A similar problem exists at the macro scale. An increasingly common way to ensure critical systems are protected is to use the fact that an endless number of highly talented professionals are constantly trying to break them – and to pay them money for the vulnerabilities they find. This model, known as a “bug bounty”, has become widespread in the industry, but Apple has been a laggard. The company does offer bug bounties, but for one of the world’s richest organisations, its rates are pitiful: an exploit of the sort that the NSO Group deployed would command a reward of about $250,000, which would barely cover the cost of the salaries of a team that was able to find it – let alone have a chance of out-bidding the competition, which wants the same vulnerability for darker purposes. And those security researchers who do decide to try to help fix iPhones are hampered by the very same security model that lets successful attackers hide their tracks. It’s hard to successfully research the weaknesses of a device that you can’t take apart physically or digitally.
This goes at least some way to explain why Apple is only catching these critical exploits years late, if at all. But you wouldn’t know that if you believe their PR and the journalists regurgitating it without a critical thought in their heads.
I was sent some really interesting stories by Stefan and Galteran that I will not talk about here because I think I want to cover them more in-depth in future episodes of the show. Nonetheless, thanks for the good input, guys! This kind of stuff really helps me with the show going forward.
If you have any thoughts on the things discussed in this or previous episodes, please feel free to contact me. In addition to the information listed there, we also have an experimental Matrix room for feedback. Try it out if you have an account on a Matrix server. Any Matrix server will do.
Toss a Coin to Your Podcaster
I am a freelance journalist and writer, volunteering my free time because I love digging into stories and because I love podcasting. If you want to help keep The Private Citizen on the air, consider becoming one of my Patreon supporters.
You can also support the show by sending money to via PayPal, if you prefer.
This is entirely optional. This show operates under the value-for-value model, meaning I want you to give back only what you feel this show is worth to you. If that comes down to nothing, that’s OK with me. But if you help out, it’s more likely that I’ll be able to keep doing this indefinitely.
Thanks and Credits
I like to credit everyone who’s helped with any aspect of this production and thus became a part of the show. This is why I am thankful to the following people, who have supported this episode through Patreon and PayPal and thus keep this show on the air:
Georges, Steve Hoos, Butterbeans, Jonathan M. Hethey, Michael Mullan-Jensen, Dave, 1i11g, Michael Small, Jackie Plage, Philip Klostermann, Vlad, Jaroslav Lichtblau, ikn, Kai Siers, Bennett Piater, Fadi Mansour, Joe Poser, Dirk Dede, tobias, m0dese7en, David Potter, Sandman616, Mika, Martin, Rhodane the Insane, Rizele, avis, MrAmish, Dave Umrysh, drivezero, RikyM, Barry Williams, Jonathan Edwards, Cam, Philip, Captain Egghead, RJ Tracey, D, Rick Bragg, Robert Forster, Superuser, noreply and astralc.
Many thanks to my Twitch subscribers: Mike_TheDane, Flash_Gordo, redeemerf, Galteran, BaconThePork, jonathanmh_com, Sandman616, Zenith252, centurioapertus and m0dese7en_is_unavailable.
I am also thankful to Bytemark, who are providing the hosting for this episode’s audio file.
The show’s theme song is Acoustic Routes by Raúl Cabezalí. It is licensed via Jamendo Music. Other music and some sound effects are licensed via Epidemic Sound. This episode’s ending song is Settle Your Regrets by Non-State Actor.