There is an ongoing competition among developers, ethical hackers, and hackers with malicious intent to discover and exploit zero-day flaws in new or updated hardware and software. But there’s another subset of hackers, operating in the liminal spaces between these groups, hoping to quietly exploit these flaws without anyone else ever finding out. Driven by the need for intel, these are predominantly nation-state actors, like the National Security Agency (NSA) in the United States or the Russian Foreign Intelligence Service (SVR RF). There are also private intelligence groups, like the NSO Group, that develop spyware to sell to governments.
Motherboard recently spoke with an Israeli entrepreneur who had a meeting with the NSO, during which he was treated to a demo of the company’s powerful Pegasus spyware program. His experience, according to Motherboard’s reporting, highlights “the power of an increasingly popular product among governments: software for remotely hacking phones in order to access communications and other data from targets.”
As the anonymous entrepreneur tells it, an NSO representative asked if he could demonstrate the software on one of his iPhones®—not his daily driver but a second phone with a foreign number. He put his iPhone down in the middle of the table and gave the representative the phone number. He says that in less than 10 minutes, “the contents of his phone’s screen appeared on a large display that was set up in the meeting room, all without … clicking on a malicious link.”
The Pegasus spyware gave the NSO access to everything: e-mail, SMS messages, contacts, voice mail, and even the microphone and camera.
Perhaps the most amazing thing about this is that the spyware can infect fully patched iPhones and Android devices. This means that even security-minded people who are vigilant updaters are potential targets. According to researchers with Citizen Lab, Pegasus has been actively spotted in 45 countries, including the United States.
In response to this report, the NSO told Motherboard that “many of the countries listed by Citizen Lab were not customers, and said that its product cannot work in the United States.” The company also states that it has a “suicide feature” baked into the malware, which can trigger if a surveillance target moves from one country into another or should the NSO need to terminate the deployment.
The source told Motherboard that current NSO customers “have purchased the capability to target between roughly 350 to 500 devices,” or between 15 and 30 devices per customer. While the number of targets of NSO spyware doesn’t seem like much, it is not the only private company exploiting zero-day flaws for profit.