Slashdot Mirror


NSO Has Been Selling a Smartphone-Surveilling Malware For Six Years (nytimes.com)

The New York Times continues their coverage of the commercial spytech industry, noting its services "are in higher demand now that companies like Apple, Facebook and Google are using stronger encryption to protect data in their systems, in the process making it harder for government agencies to track suspects... For the last six years, the NSO Group's main product, a tracking system called Pegasus, has been used by a growing number of government agencies to target a range of smartphones -- including iPhones, Androids, and BlackBerry and Symbian systems -- without leaving a trace...to extract text messages, contact lists, calendar records, emails, instant messages and GPS locations." Slashdot reader turkeydance quotes their article: That will cost you $650,000, plus a $500,000 setup fee with an Israeli outfit called the NSO Group. You can spy on more people if you would like -- just check out the company's price list. The NSO Group is one of a number of companies that sell surveillance tools that can capture all the activity on a smartphone, like a user's location and personal contacts. These tools can even turn the phone into a secret recording device...

The company is one of dozens of digital spying outfits that track everything a target does on a smartphone. They aggressively market their services to governments and law enforcement agencies around the world. The industry argues that this spying is necessary to track terrorists, kidnappers and drug lords. The NSO Group's corporate mission statement is "Make the world a safe place"... An ethics committee made up of employees and external counsel vets potential customers based on human rights rankings set by the World Bank and other global bodies....

One of the services offered by the NSO Group is "over the air stealth installation," though they can also install their spying software through Wi-Fi hot spots. One critic argues "They can say they're trying to make the world a safer place, but they are also making the world a more surveilled place."

17 of 98 comments

  1. Gee... by 110010001000 · · Score: 2, Interesting

    I can sell you a 99 cent app that can do all that. No one checks permissions on apps.

  2. I'm safe! by NewtonsLaw · · Score: 4, Interesting

    Haha... now those folk who mock me for having a $9 "dumb" phone will realise exactly why I've not moved my life onto an Android or iPhone device!

    1. Re:I'm safe! by sims+2 · · Score: 5, Informative

      Why can't I deny individual permissions like I can with an iPhone? Solitaire needs access to your location information... Like hell it does, deny!... And then somehow the app continues on just fine without access to the camera.

      Unlike Android calculator needs access to your contact list, photos, location information and bank account.

      And then I'm given an ultimatum: I either let it do whatever it likes or I can't use the app at all.

      --
      Minimum threshold fixed. Thanks!
    2. Re:I'm safe! by TheGratefulNet · · Score: 4, Interesting

      with all the layers (rf, netmgt, etc) in a 'phone' these days, it's 100% impossible for any of us normal folks to fully secure these things.

      I have not even tried; given up before trying. I know better. there are carrier layers and layers that even the first few support folks can't get to. layers the vendors put in, and there might be some blobs that even THEY don't get access to.

      whole thing is a shit stink mess.

      I never install apps unless absolutely necessary. never do anything 'important' on phones and treat them as if each one is perma-keylogging me. that's the only way to work with them - to assume they are thru-and-thru compromised.

      which, really, they are. no matter what you fanboys think.

      all phones are under government (and other orgs) control. horse has left the barn.

      such a shame. pocket computers were a cool concept, but we lost the right to own our own computers and even desktops are becoming owned by others who will never tell you that they have access to your stuff.

      depressing to see this down-side of what humanity lowers itself to.

      aliens should just nuke us from orbit. it's the only way to be sure.

      --
      "It is now safe to switch off your computer."
    3. Re:I'm safe! by currently_awake · · Score: 5, Insightful

      We need a third option: Deny but fake yes. The App thinks it has permission but it doesn't. All access just gets fake data and a "Everything worked ok" message. And log all access attempts, with data, so we can see what it's actually doing.

    4. Re:I'm safe! by AHuxley · · Score: 2

      Re "I never install apps unless absolutely necessary. never do anything 'important' on phones and treat them as if each one is perma-keylogging me. that's the only way to work with them - to assume they are thru-and-thru compromised."

      That's what makes it all so fun now, everyone knows the US branded product lines are all crypto junk and seem very gov friendly as sold over every generation.
      So a journalist or activist can now have some real fun. Create vast investigations on one device and look up government documents, hint at meetings with a few gov informants or contractors who reached out to pass on paper files. Read up on whistleblower protections and the private sector, the private sector with gov contracts. Seek out law firms with security cleared staff who can take on such issues. Create huge lists of contacts that are only hinted at on that device. Hints about other agencies, funding... documents.
      Pack lots of fiction in and make the junk crypto become a chore to any intelligence service or contractor who actually has to extract and read it all :)
      A real human has to wade into all that effortlessly collected data, so make the haul impressive and add some fictional depth.
      Get a voice actor with an older voice who can invoke doubt about their decades in gov, mil to create the other party to conversations every so often too so the mic malware gets some use. Wander around the right parts of a city to make a meeting with a gov worker or contractor seem possible to any mapping or tracking software.

      --
      Domestic spying is now "Benign Information Gathering"
    5. Re:I'm safe! by AmiMoJo · · Score: 2

      Privacy Guard supports this. Apps get fake data, usually stuff like "user has 0 contacts" or "GPS location not available at this time". You can enable logging on a per app basis. Many phones ship with it built in.

      There is also the separate system from Marshmallow onwards that lets apps be aware of when they are being denied. You can use Privacy Guard instead if you want them not to know that you denied them for some reason.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    6. Re:I'm safe! by tburkhol · · Score: 2

      Watchlists and mass surveillance already sweep up more people and information than "they" can follow. They've poisoned their own data set, and there's little need to go out and create a handful of honey pots.

      Those agencies still believe in the myth that big data can pull the One True Terrorist out of a hundred million, if you just give it a big enough data set. They can't. They don't have enough of a positive control population to train their algorithms. The data may be helpful, after the fact, to find co-conspirators, but even that hasn't really worked out so far. If big data really worked, I wouldn't be seeing ads for TVs for a month after I bought one.

      They want the public to believe that big data can identify the One True Terrorist, because it serves the two-fold goals of making the public feel like the government is keeping them safe and serves as a deterrent against organizing or conspiring. All of the "you can't trust your devices" paranoia furthers these goals.

  3. CFAA? by whoever57 · · Score: 2

    How is using this software not illegal under the CFAA?

    --
    The real "Libtards" are the Libertarians!
    1. Re:CFAA? by whoever57 · · Score: 2

      This isn't an actual serious question, right? You aren't really that naive, are you?

      No, it was a rhetorical question, designed to show how f*cked up things are in the USA.

      --
      The real "Libtards" are the Libertarians!
  4. Only terrorists, kidnappers and drug lords? by haruchai · · Score: 2

    "The industry argues that this spying is necessary to track terrorists, kidnappers and drug lords"

    what about pedophiles? And Jason Bourne?

    --
    Pain is merely failure leaving the body
    1. Re:Only terrorists, kidnappers and drug lords? by stealth_finger · · Score: 2

      Israel is always in trouble, they have three highly aggressive neighbors who don't seem to think they have the right to exist (because they're Jewish I think is the main reason) and everyone else expects them to play nice and get along.

      --
      Wanna buy a shirt?
      https://www.redbubble.com/people/stealthfinger/shop?asc=u
    2. Re:Only terrorists, kidnappers and drug lords? by stealth_finger · · Score: 2

      I didn't think this had anything specifically to do with Jewishness or Israel itself. That just happens to be where these guys are. They could be in the US, Russia, China or even fucking North Korea and it wouldn't change the implications too much.

      --
      Wanna buy a shirt?
      https://www.redbubble.com/people/stealthfinger/shop?asc=u
  5. Re:Windows 10... by Gumbercules!! · · Score: 4, Funny

    Windows Phone users are protected from vulnerability in the same way Santa Claus is protected from vulnerabilities. Neither exists.

  6. Israeli outfit called the NSO Group? by khz6955 · · Score: 3, Insightful

    "Want to invisibly spy on 10 iPhone owners .. That will cost you $650,000, plus a $500,000 setup fee with an Israeli outfit called the NSO Group .. Since it is privately held, not much is known about the NSO Group’s finances"

    In other words a front group for the Israeli Security Service, the same people that have full control of all telephone records in the continental United States.

    NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender

    1. Re:Israeli outfit called the NSO Group? by AmiMoJo · · Score: 2

      It's telling that no government has set up an agency like these guys or the NSA / GCHQ, that is tasked solely with finding zero days and helping companies fix them. They could protect their citizens from the bad guys, but instead they prefer to keep their options open in case they want to make use of these services one day.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  7. Not sure if ... Also, not even most secure iOS by raymorris · · Score: 2

    I'm not sure if you're a fan saying "best team ever", a troll, or just very misinformed.

    If you're a big fan of Apple, that's cool. Your quarterback is the best ever. Steve Jobs was a genius. Beat the hell outta Microsoft! Stop reading here if you're a big Apple fan.

    If you're trolling, you're late. Try getting in right when the story is posted for best results.

    Lastly, I've been doing network security full time for nearly 20 years. Apple's iOS doesn't -completely- suck for some aspects of security. Convenience is of utmost importance with Apple iOS, though, and there are always compromises between convenience and security. Apple's iOS is not even the most secure iOS. Cisco iOS is safer. Cisco iOS basically runs the entire internet, that's how much it's trusted. (But even it isn't perfect.) If we wanted to expand to operating systems not called iOS, many are more secure.