Could these agencies enumerate some phone models / sw versions that are vulnerable to Pegasus and just blast email the govt folks "if you got one of these it's vulnerable, upgrade to new hardware or software { list of phones without known vulnerabilities here }"?
I said they don't appear to be abdicating responsibility for the risk their software could be used for bad things to happen. If you look at the report, it's all about weighing that risk against the risks of not licensing their software.
They are abdicating responsibility for the list, which doesn't seem unreasonable since the Pegasus Project has been pretty explicit that they don't know where the list came from, who put it together, or why any particular entry was put into the list. The Pegasus Project guys have already walked back their statement that the list is phones that have been targeted by Pegasus, so...
It very much sounds like someone found some HLR logs and then failed to determine whether that list was specific to Pegasus or not. It seems very unlikely that there'd be HLR logs that would be specific to Pegasus somewhere, so I'm not sure how anyone could expect them to take responsibility for such a list.
I don't dispute that there is evidence that 67 phones had been targeted with Pegasus software. I am however skeptical of that justifying an international breaking news story that so-and-so is on the "list" without having checked if their phone has been infected.
I'm curious about the threat modelling of those high level officials. With all this hacking going on, it feels like it's not been a consideration.
Pegasus claims iOS and Android hacking capabilities, one would expect more specialised communications being used at that level. Car companies provide specialised vehicles for governmental use, I would have expected to see specialised iOS or Android devices at least. Nothing completely out of this world but with special software configurations and features to detect and prevent attacks.
Is this a reliable source? Anyhow, The Guardian and WaPo made clear the leaked numbers are not confirmed Pegasus targets, but rather:
> The leak contains a list of more than 50,000 phone numbers that, it is believed, have been identified as those of people of interest by clients of NSO since 2016.
And:
> The analysis also uncovered some sequential correlations between the time and date a number was entered into the list and the onset of Pegasus activity on the device, which in some cases occurred just a few seconds later.
Suggesting it may be a superset of Pegasus targets. They managed to examine 57 phones on the list and found that 37 were infected.
> That thesis is supported by forensic analysis on the phones of a small sample of journalists, human rights activists and lawyers whose numbers appeared on the leaked list.
> The research, conducted by Amnesty’s Security Lab, a technical partner on the Pegasus project, found traces of Pegasus activity on 37 out of the 67 phones examined.
> The analysis also uncovered some sequential correlations between the time and date a number was entered into the list and the onset of Pegasus activity on the device, which in some cases occurred just a few seconds later.
> Amnesty shared its forensic work on four iPhones with Citizen Lab, a research group at the University of Toronto that specialises in studying Pegasus, which confirmed they showed signs of Pegasus infection. Citizen Lab also conducted a peer-review of Amnesty’s forensic methods, and found them to be sound.
---
> NSO has always maintained it does “does not operate the systems that it sells to vetted government customers, and does not have access to the data of its customers’ targets”.
A sufficiently determined user (and these are often national governments) could easily target a phone they control. With sufficient monitoring and logging they could grab the exploit directly. The only thing stopping them is whatever contract/“EULA” they signed agreeing not to reverse engineer the product, and I doubt the big spooks would care about such a thing.
From the Guardian article: "The research, conducted by Amnesty’s Security Lab, a technical partner on the Pegasus project, found traces of Pegasus activity on 37 out of the 67 phones examined." The results were released by an international consortium of media entities that includes The Guardian and the WaPo.
We do not even know if the FBI knows the vulnerability. The phone could have been attacked by a contractor working for the FBI without the contractor sharing the tools.
Indeed they shouldn't be able to know that without deliberately bypassing the phone's security features using vulnerabilities. Maybe confirmation bias is at play here?
Presumably phones used by government employees in relation to sensitive data are security critical? I'm not aware if their phones are being used in the wild in such a way but it's not hard to imagine such use cases.
The newest and weirdest twist in this story is that some of the government officials involved (who had no open investigations against them) are now "bringing their phones to NSO" to check if they indeed had Pegasus installed on their phones[1].
Now, that would mean NSO has no logs on the phone numbers used to install Pegasus. I don't see how they would allow that.
If that were true, any country (Saudi Arabia, UAE, for example) who got a green light from the Israeli weapons export to purchase Pegasus can now spy on the Israeli government, army, everyone at NSO, the Mossad, and 8200. And the Israelis would never know? No way.
NSO is playing dumb by saying "we can't know if you were hacked without your physical phone in our hands".
You can't trust anyone, but... The Pegasus Project did change their statement from "thousands of numbers that were selected as targets by NSO’s Group clients" to "a list of phone numbers concentrated in countries known to surveil their citizens and also known to have been clients of NSO Group", and they specifically say: "The list does not identify who put the numbers on it, or why, and it is unknown how many of the phones were targeted or surveilled".
It sounds like the "list" is from HLR lookups, which get done all the time without NSO being involved.
If you think about it, none of NSO's clients would want NSO (or anyone else) to know who they are spying on in the first place, so it stands to reason that there'd not be a centralized list anywhere of targets for their software. I'm sure the list is real and all, but there's a distinct lack of clarity about how that list links to NSO and Pegasus specifically.
Now the other bit that the Pegasus Project did was look at phones they suspected of being compromised. I think that's telling in the sense of, "journalists, activists and business people are being targeted". That seems pretty credible, but NSO doesn't seem to be denying that aspect of the story.
This is the kind of thing I'd expect to see utilized by state-level actors who in many cases may be able to obtain internal technical information and tools from vendors. I wouldn't expect this to become an in-the-wild exploit, but for targeted use by agencies with the resources and motivations to identify specific models, obtain them and test against them this kind of thing should be relatively easy.
As an example, what kind of Android device is best used for insomniac tweets? At one point I thought I saw mentioned that it was a Samsung device a generation or two old, so perhaps a Galaxy S5 suitable for tweeting from the tub? That's a known-vulnerable device, elderly by Android standards of "who gets updates" meaning that Samsung and the carriers don't put any priority on it. Sure you can look at things like LineageOS, but since part of the problem here is in the proprietary firmware blob of the chipset there may still be problems that aftermarket OS upgrades aren't going to touch.
For that matter, is Trump's possible change to an iPhone within the last month[1] related to this, and has it stuck or does he still have a Samsung floating around as seems to be the case?
I think RMS is making a deep point about the ability to trust what your device is showing you when it's encumbered with non-open software, firmware, and hardware.
I think a clever surveillance agency with inside access to the guts of the phone could make it very, very hard to detect.