Quick quiz: Name the flying horse of ancient Greek mythology. Why? Because if it is living on your phone, you are toast. You have no secrets.
SNAP! Mexico – The journalist is hunched over his smartphone, punching furiously away at letters, trying to file an exposé on the corruption between government officials and contractors. There is a knock on the door. This isn’t good.
SNAP! UAE – It’s hot and dusty and the human rights activist is sweating, although less from the temperature than from the police pursuing him. He’s been on the run for a while but they always seem to be only one step behind.
SNAP! USA – You just got a visit from the FBI. That was upsetting. What the hell did they want? What were those questions all about? You’re a good citizen with never anything more than a parking ticket. Could it be that rally you went to, and the texts and emails you exchanged with some of the folks you met there? Nah, it can’t be.
Welcome to Pegasus: no, not the winged horse of Greek mythology, but software from the Israeli firm NSO Technology Group. This malware vacuums up all communications and the locations of the targeted smartphones. That includes, but is not limited to, iMessage, Gmail, Facebook, WhatsApp, Telegram and Skype communications, amongst other data. Oh, it can collect Wi-Fi passwords too.
But don’t worry, NSO claims they only provide “authorized governments with technology that helps them combat terror and crime”. Of course, once they sell the software there’s no telling what those “authorized governments” do with it. And, for those “authorized governments” this handy tool is a real steal.
First exposed in 2016, the NSO Group prices its surveillance tools by the number of targets, starting with a flat $500,000 installation fee. To spy on 10 iPhone users, NSO charges government agencies $650,000; $650,000 for 10 Android users; $500,000 for five BlackBerry users; or $300,000 for five Symbian users — on top of the setup fee.
Need more smartphones bugged? No problem. You can pay for more targets. One hundred additional targets will cost $800,000, 50 extra targets cost $500,000, 20 extra will cost $250,000 and 10 extra cost $150,000, according to an NSO Group commercial proposal. There is an annual system maintenance fee of 17 percent of the total price every year thereafter. Talk about value for money! Say you’re tracking 110 targets: after the first year it costs only $3,000 a year to keep tabs on each target. (Just to get some perspective, the NSA’s budget was guesstimated in 2013 to be $10 billion.)
Good thing this software is only used to pursue criminals and terrorists. Except it’s not. The world became aware of this malware in 2016, when a human rights activist got suspicious of a text on his phone inviting him to learn “‘secrets’ about torture happening in prisons in the United Arab Emirates”, along with a link. Luckily, he turned it over to Citizen Lab, and they traced the malware back to the NSO Group.
Right now, the Mexican government has been on the defensive for months, battling revelations that the surveillance technology (Pegasus) it acquired has been used to spy on some of the nation’s most prominent human rights lawyers, academics and journalists.
How do you protect yourself? Practice good IT hygiene to protect against phishing. Citizen Lab revealed that in Mexico:
“The targets received SMS messages that included links to NSO exploits paired with:
- Troubling personal and sexual taunts,
- Messages impersonating official communications by the Embassy of the United States in Mexico,
- Fake AMBER Alerts,
- Warnings of kidnappings, and other threats.
The operation also included more mundane tactics, such as messages sending fake bills for phone services and sex-lines. Some targets only received a handful of texts, while others were barraged with dozens of messages over more than one and a half years.”
It’s a good thing none of the myriad agencies of the US government would do something like this. (We hope.)