“IT’S not paranoia if they really are out to get you.” For Ahmed Mansour, a human rights activist hailing from the UAE, those are words to live by; after all, speaking out on inconvenient issues in a country which frowns upon such expression, is a perilous vocation at best and a deadly one at worst.
So when Mansour receives a message on his phone with an attached link, he doesn’t automatically click on it even if it promises him the greatest cat videos of all time.
That approach served him well when he received several such messages from an unknown source. Instead of clicking, he sent the messages to cybersecurity firm Citizen’s Lab which sent them forward to another cybersecurity firm called Lookout for investigation.
What they found was a form of spyware they had not yet seen, despite the fact that their entire job is to root out and counter such malicious tools. In the words of Lookout, it carries out “the most sophisticated attack they’d ever seen”. How sophisticated? For one thing, this spyware was designed for phones using Apple’s iOs software, which was previously considered incredibly secure (it is also now available for Android).
Phones know more about us than our family and friends do.
Once installed, the spyware ensures total surveillance by installing modules that allow the end user to listen to all calls, take screenshots, read all messages and emails, scan contact lists, photo galleries and browser histories. It can even turn on your phone’s microphone at will, essentially turning your phone into a surveillance device. If you think that your messages are safe because you use encrypted apps like WhatsApp and Signal then consider that Pegasus is capable of logging keystrokes, and thus can read what you’re typing before it is encrypted. And the best part is that it leaves no trace of its existence; even the most skilled cybersecurity experts won’t be able to locate it unless they know exactly what they are looking for. And last but not least, Pegasus can self-destruct; deleting itself without a trace if there is no communication with its command-and-control server for 60 days.
Developed by the Israeli company NSO technologies, Pegasus is a commercial product available for sale to interested bidders, and there is no shortage of those. An investigation by Citizen’s Lab revealed that Pegasus has been detected in at least 45 countries, many of which are notorious for human rights abuses and the suppression of even the most innocuous acts of dissent.
While the Mansour case took place in 2016, Pegasus is back in the news thanks to a lawsuit filed against NSO by Saudi dissident Omar Abdulaziz who claims that it was this software, obtained by the Saudis and surreptitiously installed on Jamal Khashoggi’s phone that allowed the Saudi government to monitor his communications.
Three other lawsuits against NSO have been filed, one by a Qatari citizen, another by a group of Mexican activists and journalists and the third by Amnesty International. All of the complainants claim that they have been targeted by this spyware. For its part, NSO claims that it only sells Pegasus — which is classified as a weapon by Israel and requires governmental approval prior to sale — under the strict condition that it be used to fight ‘crime and terror’. However, leaked emails submitted along with the lawsuits tell a different story: when UAE officials were offered an expensive upgrade to the spyware, they demanded proof of performance by asking NSO to obtain phone calls made by Abdulaziz Alkhamis the editor of a London-based Arab newspaper. Three days later NSO sent them an email containing those recordings.
Why phones are being targeted for spyware is of course obvious: these little devices know more about us than our family and friends do, and if Big Brother gets into these then well, our lives are literally in their hands.
Sometimes it’s not even necessary to get into the phones, as the apps we like to use are sufficient to glean information from. Take the fitness app Strava which inadvertently gave away the locations of US military bases in Afghanistan and even — thanks to the military personnel using it — allowed other users to actually track movements around the base. While the rest of the world was hunting virtual creatures on Pokemon Go! several militaries around the world banned its use by active personnel for the same reason.
But now we have smart TVs, refrigerators and (believe it or not) salt shakers. All these are part of what we like to call ‘the internet of things’, and each one of them is a potential surveillance device. Smart water meters may be efficient for the user, but they also can let hackers know exactly when you flush your toilet. As for those voice assistants we love to use, how can Alexa hear you say ‘hello’ if it’s not always listening? And how hard would it be then for others to listen in? At which point does our convenience end up compromising us?
The writer is a journalist.
Twitter: @zarrarkhuhro
Published in Dawn, December 10th, 2018