Cellphones Government Communications Security

Investigation Reveals Widespread Cellphone Surveillance of the Innocent (theguardian.com) 184

Cellphones "can be transformed into surveillance devices," writes the Guardian, reporting startling new details about which innocent people are still being surveilled (as part of a collaborative reporting project with 16 other media outlets led by the French nonprofit Forbidden Stories).

Long-time Slashdot reader shanen shared the newspaper's critique of a "privatised government surveillance industry" that's made NSO a billion-dollar company, thanks to its phone-penetrating spy software Pegasus: [NSO] insists only carefully vetted government intelligence and law enforcement agencies can use Pegasus, and only to penetrate the phones of "legitimate criminal or terror group targets". Yet in the coming days the Guardian will be revealing the identities of many innocent people who have been identified as candidates for possible surveillance by NSO clients in a massive leak of data... The presence of their names on this list indicates the lengths to which governments may go to spy on critics, rivals and opponents.

First we reveal how journalists across the world were selected as potential targets by these clients prior to a possible hack using NSO surveillance tools. Over the coming week we will be revealing the identities of more people whose phone numbers appear in the leak. They include lawyers, human rights defenders, religious figures, academics, businesspeople, diplomats, senior government officials and heads of state. Our reporting is rooted in the public interest. We believe the public should know that NSO's technology is being abused by the governments who license and operate its spyware.

But we also believe it is in the public interest to reveal how governments look to spy on their citizens and how seemingly benign processes such as HLR lookups [which track the general locations of cellphone users] can be exploited in this environment.

It is not possible to know without forensic analysis whether the phone of someone whose number appears in the data was actually targeted by a government or whether it was successfully hacked with NSO's spyware. But when our technical partner, Amnesty International's Security Lab, conducted forensic analysis on dozens of iPhones that belonged to potential targets at the time they were selected, they found evidence of Pegasus activity in more than half.

The investigators say that potential targets included nearly 200 journalists around the world, including numerous reporters from CNN, the Associated Press, Voice of America, the New York Times, the Wall Street Journal, Bloomberg News, Le Monde in France, and even the editor of the Financial Times.

In addition, the investigators say they found evidence the Pegasus software had been installed on the phone of the fiancée of murdered Saudi journalist Jamal Khashoggi. NSO denies this to the Washington Post. But they also insist that they're simply licensing their software to clients, and their company "has no insight" into those clients' specific intelligence activities.

The Washington Post reports that Amnesty's Security Lab found evidence of Pegasus attacks on 37 of 67 smartphones from the list which they tested. But beyond that "for the remaining 30, the tests were inconclusive, in several cases because the phones had been replaced. Fifteen of the phones were Android devices, none of which showed evidence of successful infection. However, unlike iPhones, Androids do not log the kinds of information required for Amnesty's detective work."

Familiar privacy measures like strong passwords and encryption offer little help against Pegasus, which can attack phones without any warning to users. It can read anything on a device that a user can, while also stealing photos, recordings, location records, communications, passwords, call logs and social media posts. Spyware also can activate cameras and microphones for real-time surveillance.

  • Socialism/Communism (Score:3, Interesting)

    by backslashdot ( 95548 ) on Sunday July 18, 2021 @10:52PM (#61596105)

    Most of their clients are governments. Expect more of this as we give the government money and power. These are glimpses, we'll never find out what they are up to. "Nothing a government does is illegal."

    • Just because a Tyrant or a want-to-be Tyrant says that Nothing a government does is illegal does not make it true.

      There are these things called Constitutions as well as things called Treaties. When you violate a Constitution it is definitely illegal, even if you get away with your crime. Treaties are not as well defined as illegal. The 'real' treaties require you to pass laws, so when you break them without first changing the laws, that government is definitely breaking the law.

      • Just a bookmark of the current waste of the discussion triggered by the irrelevant Subject of the FP. At this time the discussion is quite active, but more than half of it is a bunch of irrelevant squabbling about "communism". Congrats to the troll. NOT.

    • I smell a troll.

      What concerned me most about this story (though at this point I'm not sure which parts I got from which versions, since I've already read several of them (which may also be suspicious obfuscation?)) is the ease of installing the software and the difficulty of detecting that it's been installed. I have seen a couple of suspicious incoming messages that may have been the pwning of my smartphone.

    • Most of their clients are governments. Expect more of this as we give the government money and power. These are glimpses, we'll never find out what they are up to. "Nothing a government does is illegal."

      Ummm, you do know who called for the CNN and NYT Reporters to be spied on, don't you?

      Or was your "Socialism/Communism" title maximum sarcasm?

  • Hacking the contents of the actual phone, of course is valuable, but how much value is there in hacking a phone's camera? Front facing camera shows my face, but if someone's hacking my phone, they probably already know what I look like or they at least suspect that I'll be the face that belongs to the phone they've been tracking. The rear camera *might* occasionally show some interesting documents if it's pointed at my desk, but generally you'd just see my lap. Otherwise the real video value is in the Facet
    • Re:analog solutions? (Score:5, Informative)

      by Rockoon ( 1252108 ) on Monday July 19, 2021 @01:10AM (#61596313)
      Physical switches?

      I got a logitech headset which I found comfortable enough to want a second solution, and the mic switch proved good enough to keep regular audio software from recording off of it.

      So I get that second set. Same brand. Same model number. If the new one is muted when the machine boots up, amazingly, audio software can still record off of it until it's unmuted and then muted again.

      Were they cost cutting, or exploit-making when they made this change?
      • Re:analog solutions? (Score:5, Informative)

        by fazig ( 2909523 ) on Monday July 19, 2021 @03:38AM (#61596523)
        I suspect that your new set probably does not have an actual physical switch in the classical sense where the connection is physically disconnected.
        It sounds more like they use a potentiometer or simply a high resistance resistor that might double as a different component as well (cutting costs). So if the connection isn't physically disrupted, a good opamp on the microphone input of your computer or whatever device, can still be able to amplify the electrical potential to useful SNR levels.

        Beyond that, physical switches are feasible to use when you work with mostly discrete parts. So for example on your headset, if you wanted, you could cut the wire from the microphone and solder a proper switch between the cut ends. And that ought to work.
        But with highly integrated parts like in modern phones, tablets, notebooks or whatever, you can't even be sure what exactly works as a microphone.

        MEMS microphones are tiny and thus easy to hide or disguise as some other component. So even if you found and managed to build in a physical switch between the 'official' microphone in your device and the processing parts, you couldn't be sure if that was the only component potentially listening.
  • by nehumanuscrede ( 624750 ) on Sunday July 18, 2021 @11:28PM (#61596153)

    Smartphones are the greatest gift ever given to the intelligence agencies across the World.
    Not only do these units have a built in camera, they have a microphone and a GPS unit just begging to be abused.

    The best part ?

    Once upon a time it took a risky operation to introduce a bug and / or tracking system to a target. Now people will
    stand in line for DAYS to voluntarily get their hands on one and keep it with them at all times. It's basically a digital
    security blanket for many and god forbid they be denied access to it. They tend to lose their F'ing minds.

    People know these things are being abused. They're so addicted to them now, they simply don't care.

    • Re: (Score:3, Interesting)

      And people accept all of this today, as something "normal". If you don't want anything to do with cell phones or social media, you're the one who is somehow suspect.
      • "If you don't want anything to do with cell phones or social media, you're the one who is somehow suspect." - Exactly. I don't use social media, never have (too creepy, looks like a giant low-IQ trailer park) and I have the dumbest of dumb phones that still works with my cell provider. Why do people suspect I have something to hide? I have a Palm T|X that does everything a "smart" phone does (besides text and make calls obviously) and best of all its WiFi is so old that it won't connect if I wanted it to
        • Exactly. I don't use social media, never have (too creepy, looks like a giant low-IQ trailer park) .

          I have some bad news for you:

          Slashdot is a social media service and website.

          • 'Slashdot is a social media service' - Ayup, it even has that Trailer Park Boys feel to it as well...
            • by bn-7bc ( 909819 )
              Well yes it technically is, but not at any significant scale, example you see log in with twitter/facebook buttons in quite a lot of places, I've yet to see a single log in with slashdot button anywhere. So websites just assume that using twitter/fb logins will make it easier for people to sign up/sign in because everyone already has at least one of them, for exactly the same reason there are no slashdot buttons, because generally no one (statistically speaking) has a slashdot account, and/or maybe s
      • Meanwhile in Australia, it is mandatory to use a smartphone to check into shops and public transport. Yes, it is illegal to ride a bus without an Android or IOS device on your person: https://www.covid19.act.gov.au... [act.gov.au]

        No, there isn't a platform-agnostic alternative (you know, like a simple website, or, heaven forbid, a pen and paper!)

        Our courts are generally pretty good at striking this sort of shit down. Until then, however, it sucks.

    • It's a close match with social media as to which is best for intelligence agencies. Continuous tracking, or constant information on political beliefs, and friends? Fortunately the intelligence community doesn't need to choose, they get both! Happy days.
    • They let you spy on them and even pay for it.

      Maybe Trump should have embedded touchscreens in his wall on the Mexican side...

    • by AmiMoJo ( 196126 )

      Or maybe people don't think that they are a valuable enough target to waste zero-days on. Maybe they have a smartphone but are careful to turn it off or leave it at home when doing stuff that might compromise them.

      • How do I really know it's off though? Also, what good is a phone that's turned off? How are my friends and relatives supposed to call me for help if my phone is not turned on? Kind of defeats the point unless you want me to get a landline which is also digital and also likely being spied upon by the same people.

        So, solution? You can disconnect from society and go live off the grid or you can just accept it.

    • Israel Solution (Score:2, Informative)

      by Canberra1 ( 3475749 )
      Negative intelligence is worse than useless. The golden rule of if you think you are being listened to - is to make up juicy shit. Sexual peccadilloes, drug use, blackmail, bribes. Mention government ministers all the way to the top. Then say too sensitive to do electronically, a 'friend' will hand deliver the documents at (3am somewhere remote, or 8am peak commuter in a station (needs more agents). Waste their time. Email random numbers. Post USB sticks full of hand made / generated viruses. Make up code
  • by Anonymous Coward on Sunday July 18, 2021 @11:36PM (#61596171)

    Snowden already told us this was happening.

    • by AmiMoJo ( 196126 )

      And journalists were already taking precautions before then. The people who helped Snowden were using Tor, were using Linux live distros to access GPG encrypted email.

      The difference here is that it's not the NSA/GCHQ, it's a private company selling to anyone who can pay. Targeting much lower level people for political reasons. People who probably figured they were not worth the secret services wasting zero day exploits on.

    • I still don't understand how this software is legal? In the United States, we have many laws that forbid spying on someone, intercepting digital communications, and bypassing computer security:

      • Computer Fraud and Abuse Act
      • Electronic Communications Privacy Act
      • Digital Millennium Copyright Act (I believe DMCA has been used for security bypass even when the target was not copyrighted material)
      • Espionage Act

      I assume many other countries have similar laws. While I don't expect a government to enforce these laws upon

  • by gurps_npc ( 621217 ) on Sunday July 18, 2021 @11:37PM (#61596177) Homepage

    Spying on protestors, lawyers, and religious figures is horrendously offensive. Any truly free society outlaws that.

    But spying on other governments is expressly legal in every single country I have heard of, is expected and not offensive to reasonable people. I would be offended if my government did NOT attempt to spy on our opponents.

    Grouping them with human rights attorneys does not help your case, instead it makes me think you are a moron. You tell me that the government spied on someone because they objected to a gasoline pipeline, I get mad.

    You tell me we spied on someone that has nuclear weapons and threatened to use them on our citizens and I say 'shhh', don't let people know.

    • Except, a lot of this was governments spying on their own citizens. And btw it's not OK to spy on someone just because they aren't a citizen of your country. All humans (sentient beings, really) have certain rights that must be respected, or you might as well not respect anyone's rights if you can get away with it. Why be fair to anyone?

    • by znrt ( 2424692 )

      Spying on protestors, lawyers, and religious figures is horrendously offensive. Any truly free society outlaws that.

      But spying on other governments is expressly legal in every single country I have heard of, is expected and not offensive to reasonable people. I would be offended if my government did NOT attempt to spy on our opponents.

      true, a simple passport determines what rights a person has, and i think everyone here fully understands the legal implications of that, i'm going to completely ignore the fact that that's actually a crime by international law because, you know ... international law! lol! i'm just amused on how you champion that the same act is "horrendously offensive" if against a national, or "not offensive but desirable" against foreigners and still intend to pass that as a rational position.

      but tell me again, what count

    • On Fox News, the big scandal is that the Washington Post didn't even mention some minor connection to some public affairs and political consulting firm associated with a Biden advisor and to Beacon Global Strategies which was founded by a guy in the Obama administration and lawyer Tom Clare, who has represented a Russian oligarch, Project Veritas and Dominion Voting Systems.

      Washington Post report neglected spyware firm's Democratic connections in hacking investigation [foxnews.com]

      They also refer to NSO Group as the "NR

    • by AmiMoJo ( 196126 )

      There is spying to gather some useful information on enemies, and then there is spying on your supposed friends and screwing with important technology (like when GCHQ hacked a Dutch telecom provider and millions of SIM cards had to be replaced).

  • Define "surveillance".
    Because it's been a well known fact for decades that stuff like call destination, source, and length are recorded for everybody in America.
    There's a great book about it called "The Watchers: The Rise of America's Surveillance State"
    • by smap77 ( 1022907 )

      Big difference between the business that needs to bill you for services having that information in a difficult-to-compile and difficult-to-access format and data mining those bills by one's government for lawful and unlawful purposes.

  • I'd love to hear more about this from a technical standpoint, so much of the story is vague with regards to the intrusion methods.
    WhatsApp had a zero-day, that much was already known, but what about:

    "Where neither spear-phishing nor zero-click attacks succeed, Pegasus can also be installed over a wireless transceiver located near a target"

    "wireless transceiver".. I'm assuming they mean cell phone base station here. If so I'd be interested to know how that works. Anyone heard of this for anything other th

    • by amorsen ( 7485 )

      Yes, they mean a fake base station. Cell phone modems are just as buggy as everything else, and they generally do not get subjected to much security research.

    • by shanen ( 462549 )

      That's the problem with The Guardian as a source for a technical story. I've already looked at a couple of more technical discussions--but I'm not sure how much I trust the sources I've seen so far. Technical sources I trust? Not many. For example, nothing on Ars Technica since 2019 about this topic...

  • Have known they're not secure at all for years now.
    • I take it that you don't own a computer either and do all your web surfing on a typewriter and abacus.
      • I take it that you don't own a computer either and do all your web surfing on a typewriter and abacus.

        If one owns a computer, one typically has root access, and can trivially check what software is running on that computer. This is not the case for phones.

        • > one typically has root access, and can trivially check what software is running on that computer

          I envy you, who lives in a world where rootkits don't exist.

        • by GuB-42 ( 2483988 )

          If one owns a computer, one typically has root access, and can trivially check what software is running on that computer.

          Unless your computer is a C64 or something like that, no, it is not.

          Your computer is actually a network of smaller computers, each one running proprietary firmware (Intel's IME or AMD's PSP are just one of them). You are only in control of the main CPU. And by you I mean the OS. If you are using only free software, you are better than most, but you probably didn't inspect the hundreds of megabytes of code of just the base system. And even the OS is the last step of the boot chain. Unless you are one of the

  • OK, it wasn't the Guardian, but there was a UK scandal where major newspapers were intercepting innocent people's mobile phone texts to get stories. They ruined people's lives to get juicy headlines. I could easily see them buying this software if they thought sales, oops, sorry, public interest, justified its use.

  • by MindPrison ( 864299 ) on Monday July 19, 2021 @05:49AM (#61596751) Journal

    Most of you work in tech one way or the other, right?

    How do you NOT know that you've been listened to for years already? How do you NOT know this, and work with tech?

    Here's an eyeopener for you:

    - SIM cards have had known exploits for over 20 years, they're still the same weaknesses today. Software can be uploaded to these cards.
    - Intel processors have had their own backdoor for ages, Intel call this their Management Engine (look up ME in Intel processors).
    - Most CPUs come with something called devmode, look up defcon25 on YouTube for more information, educate yourselves.
    - Even if none of the above existed, most people are voluntarily handing out all information about themselves when using Google to search for things, when you switch channels on your smart TV, when you use your cellphone, when you shop with your credit card, when you disclose your private information to the doctor who inputs it on his computer filled with spyware, because he's a medical expert, not an IT expert.
    - Exploits for every known system exist today. Anyone denying that is living under a rock, or believes themselves to be superior, or is just downright lying to you.

    It's not that we CAN listen to everything you do, watch your every move, or take a deep interest in everything you've done, who you are, what personality you have, you just have to stay away from our attention. And when I say "we/our" I am referring to any one of us, because you can do that too if you're clever enough, and even if not that clever, the tools are readily available just about anywhere.

    Your windows vibrate as you talk, they're giant microphone surfaces, all that is needed is a laser and optical sensors that pick up the minute vibrations on the surface as you speak, advanced DSP technology exists to counter the noise just like noise cancelling headphones you may have heard of.

    You can't even use a spectrum analyzer to guarantee that there are no listening devices, your LED lightbulb can contain a microphone so small it's just a needlehole in the chip, and it can send out a flicker with the speed of light, which you don't see with the naked eye, transmitting packets with the recorded sound picked up from your environment. All we need to do, is to point a powerful telescope towards your window, and a light sensor connected to a high speed modem that receives the light signals (packets) sent.

    And I could go on.

  • by Maelwryth ( 982896 ) on Monday July 19, 2021 @06:24AM (#61596793) Homepage Journal
    The article says the Guardian seeks to expose the lie "If you have done nothing wrong, you have nothing to fear." but it is worth remembering that isn't the first or only lie. It starts with denial and continues with obfuscation as politicians and security agencies stretch the news cycle out to find what exactly has been exposed and to bore people. If there is evidence that it was used by the security it will be again stretched out in the news cycle in small tit for tat exchanges concentrated on minutiae further boring the populace. Perhaps an official investigation will be launched that concludes, after 2 years and five truckloads of worthless redacted documents, that it indeed did happen but was the fault of a contractor who no longer works for them and luckily the program was caught by the agency's own internal oversight and oh golly isn't it good the system works. Finally, having spent all this time getting the populace so thoroughly bored and confused and internalising the existence of the program, the government will legalise it and publicly extend it in order to protect national security. I read yesterday the cows are less stressed if you put curves in the alleys. With humans you just take a subject from easy to difficult and then they would rather believe the authorities than have to expend the effort en masse.
  • Almost everybody carries a device with microphones, cameras, location awareness and often knowing what you are thinking and holding your most intimate secrets. It even shapes your perception of reality.

    If we are not careful, this could end very badly, especially for those who enjoy freedom.
  • But there's no problem here, since they can just do all their confidential work and communication through the web using Chrome and HTTPS. (-sarcasm)
