The Phaserl


The 11 Ghastly Things I Got out of NSO Group’s iPhone Hack

by Wolf Richter, Wolf Street:

You have nothing left to hide.

NSO Group is so secretive it doesn’t even have a website. The malware company was founded in 2010 in Israel with $1.6 million in seed money. Its “most recently-known owner” – as Forbes put it – is private equity firm Francisco Partners in San Francisco which acquired a majority stake in 2014 for $120 million and then tried to sell that stake in November 2015 for $1 billion, “people familiar with the matter” told Reuters at the time.

Reuters also said that the company “has since changed its name several times, most recently calling itself ‘Q.’”

I have not found any evidence that the sale actually happened. At the time, the valuations of unicorns were routinely taken out the back and slashed.

The company makes and sells surveillance malware called Pegasus that governments around the world, or anyone able to buy it and willing to pay the steep price, can use to target a specific user’s iPhone, Android, BlackBerry, or Symbian device.

An NSO proposal seen by the New York Times points out that the system gives “unlimited access to a target’s mobile devices” to “remotely and covertly collect information about your target’s relationships, location, phone calls, plans and activities — whenever and wherever they are.” And, “It leaves no traces whatsoever.”

It has a rich list of features and benefits, according to the New York Times:

Among the Pegasus system’s capabilities, NSO Group contracts assert, are the abilities to extract text messages, contact lists, calendar records, emails, instant messages and GPS locations. One capability that the NSO Group calls “room tap” can gather sounds in and around the room, using the phone’s own microphone.

Pegasus can use the camera to take snapshots or screen grabs. It can deny the phone access to certain websites and applications, and it can grab search histories or anything viewed with the phone’s web browser. And all of the data can be sent back to the agency’s server in real time.

In its commercial proposals, the NSO Group asserts that its tracking software and hardware can install itself in any number of ways, including “over the air stealth installation,” tailored text messages and emails, through public Wi-Fi hot spots rigged to secretly install NSO Group software, or the old-fashioned way, by spies in person.

So here are the 11 ghastly things I got out of it.

1. It gets expensive to spy on a lot of people. According to the New York Times, it starts with an installation fee of $500,000. It costs an additional $650,000 for 10 iPhones; $650,000 for 10 Android devices; $500,000 for 5 BlackBerry devices, and $300,000 for 5 Symbian devices. Quantity discounts apply: 10 additional targets for $150,000; 50 additional for $500,000; and 100 additional for $800,000.

2. Big Money backs this kind of technology, and it will go far. PE firm Francisco Partners has “nearly $10 billion of capital raised to date,” as it says. Venture Capital is chasing these technologies too. So this is just the beginning.

3. It worked and left “no traces whatsoever” – until someone used his brain. Ahmed Mansoor, a human rights activist in the United Arab Emirates received a text message on his iPhone that promised to reveal details about torture in UAE prisons. He didn’t click on the link but contacted Citizen Lab.

Citizen Lab, in conjunction with Lookout Mobile Security, then discovered three previously-unknown and unpatched Apple iOS vulnerabilities (called “zero days” because companies had zero days to patch them) that Pegasus exploited. Apple has since fixed the three vulnerabilities. Citizen Lab also discovered a second target, a journalist in Mexico who wrote about corruption.

Read More @

Help us spread the ANTIDOTE to corporate propaganda.

Please follow SGT Report on Twitter & help share the message.

Leave a Reply

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>