NSO Has Been Selling a Smartphone-Surveilling Malware For Six Years (nytimes.com)
The New York Times continues their coverage of the commercial spytech industry, noting its services "are in higher demand now that companies like Apple, Facebook and Google are using stronger encryption to protect data in their systems, in the process making it harder for government agencies to track suspects... For the last six years, the NSO Group's main product, a tracking system called Pegasus, has been used by a growing number of government agencies to target a range of smartphones -- including iPhones, Androids, and BlackBerry and Symbian systems -- without leaving a trace...to extract text messages, contact lists, calendar records, emails, instant messages and GPS locations." Slashdot reader turkeydance quotes their article:
That will cost you $650,000, plus a $500,000 setup fee with an Israeli outfit called the NSO Group. You can spy on more people if you would like -- just check out the company's price list. The NSO Group is one of a number of companies that sell surveillance tools that can capture all the activity on a smartphone, like a user's location and personal contacts. These tools can even turn the phone into a secret recording device...
The company is one of dozens of digital spying outfits that track everything a target does on a smartphone. They aggressively market their services to governments and law enforcement agencies around the world. The industry argues that this spying is necessary to track terrorists, kidnappers and drug lords. The NSO Group's corporate mission statement is "Make the world a safe place"... An ethics committee made up of employees and external counsel vets potential customers based on human rights rankings set by the World Bank and other global bodies....
One of the services offered by the NSO group is "over the air stealth installation," though they can also install their spying software through Wi-Fi hot spots. One critic argues "They can say they're trying to make the world a safer place, but they are also making the world a more surveilled place."
Gee... (Score:3, Interesting)
Re: (Score:2)
First, do you keep your cell phone in your back pocket?
If so, please move it before the microphone gets plugged up...
I'm safe! (Score:5, Interesting)
Haha... now those folk who mock me for having a $9 "dumb" phone will realise exactly why I've not moved my life onto an Android or iPhone device!
Re:I'm safe! (Score:5, Informative)
Why can't I deny individual permissions like I can with an iPhone? Solitaire needs access to your location information... Like hell it does, deny! ...And then somehow the app continues on just fine without access to the camera.
Unlike Android, where a calculator needs access to your contact list, photos, location information and bank account.
And then I'm given an ultimatum: I either let it do whatever it likes or I can't use the app at all.
Re:I'm safe! (Score:5, Interesting)
with all the layers (rf, netmgt, etc) in a 'phone' these days, it's 100% impossible for any of us normal folks to fully secure these things.
I have not even tried; given up before trying. I know better. there are carrier layers and layers that even the first few support folks can't get to. layers the vendors put in, and there might be some blobs that even THEY don't get access to.
whole thing is a shit stink mess.
I never install apps unless absolutely necessary. never do anything 'important' on phones and treat them as if each one is perma-keylogging me. that's the only way to work with them - to assume they are thru-and-thru compromised.
which, really, they are. no matter what you fanboys think.
all phones are under government (and other orgs) control. horse has left the barn.
such a shame. pocket computers were a cool concept, but we lost the right to own our own computers and even desktops are becoming owned by others who will never tell you that they have access to your stuff.
depressing to see this down-side of what humanity lowers itself to.
aliens should just nuke us from orbit. it's the only way to be sure.
Re: (Score:2)
It's defective by design. It's not intended to be secure. Anyone who trusts their phone with anything more important than their grocery list is a fool.
Re: (Score:2)
The funny thing is that snail mail is probably more secure than a cell phone. The lazy fuckers have to get off their asses and actually go get the mail, open and read it. I bet they don't even bother. I wonder what they'd think if you had a modem and simply set up an encrypted BBS for communication? All sorts of tricks you can do if you think about it. Almost anything is better than a cell phone.
Re: (Score:3)
That's what makes it all so fun now, everyone knows the US branded product lines are all crypto junk and seem very gov friendly as sold over every generation.
So a journalist or activist can now have some real fun. Create vast investigations on one device and look up governm
Re: I'm safe! (Score:1)
Suicide by NSA? It might work, but why try?
Re: (Score:2)
A gov would work out it's all one way, on one device rather quickly. Think of it more as desensitisation to the words, terms, movements, talks. Fictional work by an author is not a very interesting person needing a team of 6-12 gov agents tasked on them or even the cost of long term digital tracking.
That's really the fault with the domestic modern collect it all vision the NSA has totally sold its 5 eye supporters on over decades.
Humans tasked with looking at an entire n
Re: (Score:2)
Watchlists and mass surveillance already sweep up more people and information than "they" can follow. They've poisoned their own data set, and there's little need to go out and create a handful of honey pots.
Those agencies still believe in the myth that big data can pull the One True Terrorist out of a hundred million, if you just give it a big enough data set. They can't. They don't have enough of a positive control population to train their algorithms. The data may be helpful, after the fact, to find
Re: (Score:1)
Those agencies still believe in the myth that big data can pull the One True Terrorist out of a hundred million, if you just give it a big enough data set. They can't. They don't have enough of a positive control population to train their algorithms. The data may be helpful, after the fact, to find co-conspirators, but even that hasn't really worked out so far. If big data really worked, I wouldn't be seeing ads for TVs for a month after I bought one.
Those agencies, at the top levels, never believed any such thing. It was never designed nor intended to catch "terrorists". That was just the cover story.
What it *is* ideal for is domestic surveillance (and blackmail) of journalists, activists, ideological/political opponents/candidates, parallel-construction, and planting evidence (at least, as long as they still bother with things like trials and evidence).
Strat
Re: (Score:2)
FIRSTFRUIT tracked the press daily
https://theintercept.com/2016/... [theintercept.com] (May 17 2016)
On why we should assume systems are compromised (Score:2)
By me: http://pdfernhout.net/why-encr... [pdfernhout.net]
"I believe decentralized knowledge sharing is important, especially for disaster preparedness. I also believe encryption is important in practice, the same way as many people have locks on their doors. Such things do affect a balance between state power and individual power, which is important in a democracy, and they also make it harder for vandals and criminals to operate. So, a project like Briar that supports decentralized communications and encryption is importan
Re:I'm safe! (Score:5, Insightful)
Re: (Score:2)
Sounds like a good option to have for diagnostics but it's not an option I would want to put in front of the average user.
I don't have anything running the latest iOS but none of the versions I used allowed apps to talk to each other in the background. That's another thing I don't like about Android: no one seems to know how to keep apps from chatting with each other, something they never should have been allowed to do in the first place, at the very least not without permission.
Re: (Score:2)
Sounds like a good option to have for diagnostics but it's not an option I would want to put in front of the average user.
Stop doubting your fellow man. Give them the option, just don't make it easy to shoot yourself in the foot.
Re: (Score:2)
Re: (Score:3)
Privacy Guard supports this. Apps get fake data, usually stuff like "user has 0 contacts" or "GPS location not available at this time". You can enable logging on a per app basis. Many phones ship with it built in.
There is also the separate system from Marshmallow onwards that lets apps be aware of when they are being denied. You can use Privacy Guard instead if you want them not to know that you denied them for some reason.
Re: (Score:2)
Re: I'm safe! (Score:1)
Re: (Score:2)
You can deny individual permissions on Android since Marshmallow, or before if you had Cyanogen or another ROM that supported it (my phone shipped with Cyanogen).
The stock calculator and every one I've ever downloaded needs zero permissions. If you look at the reviews on Play, apps that want excessive permissions get negative ratings and developers usually justify each permission in the description.
Re: (Score:2)
"Nothing on it is encrypted. NOTHING."
But that's the point: there's nothing on it.
Also, the user doesn't trust it because they know that it's not encrypted.
Re: (Score:2)
Re: (Score:1)
Because you want to make it easier for them to snoop on you?
You can have most anyone tracked for a $1.1 MILLIO (Score:2)
This software is $500,000 setup plus $650,000 per target. So $1.15 million dollars.
Bounty hunters track down bail jumpers for $250 if they're easy and for $5,000 if they're hard. ($50-$100/hour isn't bad for someone without a degree.)
If someone is willing to spend over a million dollars tracking you, you'll be tracked. A million dollars will hire ten private investigators for a year.
Re: (Score:2)
I suspect that's because of the relative difficulty in breaking iOS. There are a lot of flaws in it, but it's very hard to ex
Not sure if ... Also, not even most secure iOS (Score:3)
I'm not sure if you're a fan saying "best team ever", a troll, or just very misinformed.
If you're a big fan of Apple, that's cool. Your quarterback is the best ever. Steve Jobs was a genius. Beat the hell outta Microsoft! Stop reading here if you're a big Apple fan.
If you're trolling, you're late. Try getting in right when the story is posted for best results.
Lastly, I've been doing network security full time for nearly 20 years. Apple's iOS doesn't -completely- suck for some aspects of security. Conven
Re: (Score:2)
I have a Nokia N900 Linux phone which is so obscure and unpopular no-one is going to bother writing exploits specifically for it. And with the unofficial updates from the community I get fixes for a lot of the general bugs going around (e.g. more recent OpenSSL than the phone came with for example). And being Linux and using so much open source software I can contribute directly to the development of the thing (e.g. I have done a lot of work on updating the included set of root certificates to the latest se
Re: (Score:2)
Re: I'm safe! (Score:2)
If you're an American, the joke's on you. Ever since CALEA, it's unlawful to sell a phone in the United States that doesn't have hardware level remote surveillance capabilities built-in.
This particular badlaw was signed by Bill Clinton well before 911. Try to get a copy of the (secret, but leaked) implementing regulations if you can.
1/ to cover a hack, leave Cyrillic clues (Score:2)
to cover identity, use the well tested fact that western media/'security researchers' are always willing to 'fall' for any and all obvious Cyrillic clues left behind, to blame Russians on all occasions.
but don't forget to leave a small amount of Korean script too. very good for free publicity.
CFAA? (Score:3)
Re: (Score:2)
Re: (Score:2)
Yes, I understand that. However, the USA has extradited people from abroad for breaking into computers based in the USA. Also, some of the users may be in the USA.
Re: (Score:1)
This isn't an actual serious question, right? You aren't really that naive, are you?
Re: (Score:3)
No, it was a rhetorical question, designed to show how f*cked up things are in the USA.
Re: (Score:1)
Right. Because governments and police agencies in other countries don't do the exact same thing.
Re: (Score:2)
Welcome to the New World Order. Hope you like it.
Re: (Score:2)
How is using this software not illegal under the CFAA?
Ha, like they give a shit what's legal.
Only terrorists, kidnappers and drug lords? (Score:3)
"The industry argues that this spying is necessary to track terrorists, kidnappers and drug lords"
what about pedophiles? And Jason Bourne?
Re: (Score:3)
Re: (Score:3)
Re:Windows 10... (Score:5, Funny)
Re: (Score:2)
I feel like I exist. Feel me and see if I exist. And so does my WinPhone. Security through obscurity.
Re: (Score:2)
Oh man. I haven't laughed that hard in ages. My sides hurt.
Israeli outfit called the NSO Group? (Score:4, Insightful)
In other words a front group for the Israeli Security Service, the same people that have full control of all telephone records in the continental United States.
NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender [citizenlab.org]
Re: (Score:3)
It's telling that no government has set up an agency like these guys or the NSA / GCHQ, that is tasked solely with finding zero days and helping companies fix them. They could protect their citizens from the bad guys, but instead they prefer to keep their options open in case they want to make use of these services one day.
Re: (Score:2)
Behind the Scenes at the Company Behind the Scenes [haaretz.com]
--
At my fingertips, the zero day is wrapped in code like a Christmas present, then becomes an exploit, the programmatic expression of my will. I live for this shit.
Attention Slashdot Editors (Score:1)
I'll bore them to death (Score:1)
How to make NSO's job difficult (Score:2)
Let's see... If I was a terrorist, I'd have a pool of 100 or so smartphones ready to be cloned from a virgin image. When one needs to use a phone for a mission, I'd pull one randomly from the pool, install the image, and a never-used, new SIM card, and give it to the operative. When they are done with a mission, I'd wipe the phone, and return it to the pool.
TELL ME AGAIN: WHY SHOULD I HAVE A SMARTPHONE? (Score:2)
Re: (Score:2)
I don't own a 'smart TV' because I'm not stupid.
I don't have cable, I have an antenna, so no cable box or satellite box.
I can't control the phone network or the internet. If I ever need a job above dishwasher at a Mexican restaurant I need those (unfortunately!) but I don't use my real name online anywhere I can get away with it -- and I DO NOT use 'social media' of any kind because IT