Security Is the Story We Have, Not the Story We Want to Have

This weekend’s first batch of stories from the “Pegasus Project” — a collaboration between seventeen different outlets invited by French investigative publication Forbidden Stories and Amnesty International — offers a rare glimpse into the infrastructure of modern espionage. This is a spaghetti junction of narratives: device security, privatized intelligence and spycraft, appropriate targeting, corporate responsibility, and assassination. It is as tantalizing a story as it is disturbing.

“Pegasus” is a mobile spyware toolkit created and distributed by NSO Group. Once successfully installed, it reportedly has root-level access and can, therefore, exfiltrate anything of intelligence interest: messages, locations, phone records, contacts, and photos are all obvious and confirmed categories. Pegasus can also create new things of intelligence value: it can capture pictures using any of the cameras and record audio using the microphone, all without the user’s knowledge. According to a 2012 Calcalist report, NSO Group is licensed by the Israeli Ministry of Defense to export its spyware to foreign governments, but not private companies or individuals.

There is little record of this software or capability on NSO Group’s website. Instead, the company says that its software helps “find and rescue kidnapped children” and “prevent terrorism”. It recently published a transparency report arguing that it offers lots of software for other purposes. It acknowledged some abuse of Pegasus’ capabilities, but said that those amount to a tiny number and that the company does not sell to “55 countries […] for reasons such as human rights, corruption, and regulatory restrictions”. It does not say in this transparency report which countries’ governments it prohibits from using its intelligence-gathering products.

Much of this conflict is about the stories which NSO Group wants to tell compared to the stories it should be telling: how its software enables human rights abuses, spying on journalists, and expanding authoritarian power. In fact, that is an apt summary for much of the security reporting that comprises the Pegasus Project: the stories that we, the public, have, not the stories that we want to have.

One of the stories that we tell ourselves is that our devices are pretty secure, so long as we keep them up to date, and that we would probably notice an intrusion attempt. The reality, as verified by Citizen Lab at the University of Toronto, is that NSO Group is particularly good at developing spyware:

Citizen Lab independently documented NSO Pegasus spyware installed via successful zero-day zero-click iMessage compromises of an iPhone 12 Pro Max device running iOS 14.6, as well as zero-day zero-click iMessage attacks that successfully installed Pegasus on an iPhone SE2 device running iOS version 14.4, and a zero-click (non-zero-day) iMessage attack on an iPhone SE2 device running iOS 14.0.1. The mechanics of the zero-click exploit for iOS 14.x appear to be substantially different than the KISMET exploit for iOS 13.5.1 and iOS 13.7, suggesting that it is in fact a different zero-click iMessage exploit.

“Zero-day” indicates a vulnerability that has not already been reported to the vendor — in this case, Apple. “Zero-click” means exactly what it sounds like: this is an exploit delivered by iMessage that is executed without any user interaction, and it is wildly difficult to know if your device has been compromised. That is the bad news: the story we like to tell ourselves about mobile device security simply is not true.

But nor is it true that we are all similarly vulnerable to attacks like these, as Ivan Krstić, Apple’s Head of Security Engineering and Architecture, said in a statement to the Washington Post:

Apple unequivocally condemns cyberattacks against journalists, human rights activists, and others seeking to make the world a better place. […] Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. […]

This situation is reminiscent of the 2019 zero-day attacks against iPhone-using Uyghurs, delivered through news websites popular with Uyghurs and presumably orchestrated by the Chinese government. Those vulnerabilities were quietly fixed at the beginning of that year, but their exploitation was not disclosed until Google’s Project Zero published a deep dive into their existence, at which point Apple issued a statement. I thought it was a poor set of excuses for a digital attack against an entire vulnerable population.

This time, it makes sense to focus on the highly-targeted nature of Pegasus attacks. The use of this spyware is not indiscriminate. But — with reportedly tens of thousands of attempted infections — it is being used in a more widespread way than I think many would assume. Like the exploits used on Uyghurs two years ago, it indicates that iPhone zero-click zero-days might not be the Pappy Van Winkle of the security world. Certainly, they are still rare, but it seems that there are some companies and nation-states that have stocked their pantries for a rainy day and might not be so shy about their use.

Still, nothing so far indicates that a typical person is in danger of falling victim to Pegasus, though the mere presence of zero-click full exploitations is worrisome for every smartphone user. The Guardian reports that the victims of NSO Group’s customers are high-profile individuals: business executives, investigative journalists, world leaders, and close associates. That is not to minimize the effect of this spyware, but its reach is more deliberately limited. If anything, the focus of its deployment teases for us mere mortals the unique security considerations faced by those at higher risk of targeted attack.

The thing is that many of those high-profile people use iPhones. The diplomats and friends of assassinated journalist Jamal Khashoggi profiled by the Washington Post all use iPhones. Many celebrities use iPhones, even when promoting Android devices. Jeff Bezos used an iPhone X.¹ Many of the devices examined as part of the Pegasus Project are, indeed, iPhones, which has pushed the Washington Post team reporting on this investigation to conclude that this is largely an iPhone-specific problem:

Researchers have documented iPhone infections with Pegasus dozens of times in recent years, challenging Apple’s reputation for superior security when compared with its leading rivals, which run Android operating systems by Google.

The months-long investigation by The Post and its partners found more evidence to fuel that debate. Amnesty’s Security Lab examined 67 smartphones whose numbers were on the Forbidden Stories list and found forensic evidence of Pegasus infections or attempts at infections in 37. Of those, 34 were iPhones — 23 that showed signs of a successful Pegasus infection and 11 that showed signs of attempted infection.

If you read Amnesty’s full investigation into Pegasus — and I suggest you do as it is comprehensive — there is a different explanation for why the iPhone is overrepresented in its sample, and a clear warning against oversimplification:

Much of the targeting outlined in this report involves Pegasus attacks targeting iOS devices. It is important to note that this does not necessarily reflect the relative security of iOS devices compared to Android devices, or other operating systems and phone manufacturers.

In Amnesty International’s experience there are significantly more forensic traces accessible to investigators on Apple iOS devices than on stock Android devices; therefore, our methodology is focused on the former. As a result, most recent cases of confirmed Pegasus infections have involved iPhones.

iOS clearly has many holes in its security infrastructure that need patching. Reporting from the Post suggests that the demand of launching a major new version of iOS every year — in addition to the four other operating systems Apple updates on an annual cycle — not only takes a toll on the reliability of its software, but also means some critical vulnerabilities take months to get patched. Apple is not alone in that regard, but it does raise questions about the security of the world’s information resting entirely in the hands of engineers at three companies on the American west coast. Is it a good thing that high-risk people only have a choice between iOS and Android? Does it make sense that many of the world’s biggest companies almost entirely run Windows? Is enough being done to counter the inherent risks of this three-way market?

The security story we have is one of great risk, with responsibility held by very few. There are layers of firewalls and scanners and obfuscation techniques and encryption and all of that — but a determined attacker knows there are limited variables. iOS is not especially weak, but it is exceptionally vertically-integrated. If the latest iPhone running the latest software updates is vulnerable, all iPhones probably are as well.

There are two more contrasting sets of stories I wish to touch on about the responsibility of NSO Group and companies like it in these attacks. First, NSO Group is careful to state that it is merely a vendor and, as such, “does not operate its technology, does not collect, nor possesses, nor has any access to any kind of data of its customers”. However, it is also adamant that its software had zero role in Khashoggi’s assassination. How is it possible to square that certainty with the company’s alleged lack of involvement in the affairs of customers it can neither confirm nor deny?

Second, I gave credit earlier this year to the notion that private marketplaces of security vulnerabilities might actually be beneficial — at least, compared to weakened encryption or some form of “back door”. NSO Group is the reverse side of that argument. The story I like to tell myself is that, given that there is an established market for zero-days, at least that means law enforcement can unlock encrypted smartphones without the need for a twenty-first century Clipper Chip. But the story we have is that NSO Group develops espionage software over which, once sold, it has little control. The company’s spyware is now implicated in the targeting of tens of thousands of phones belonging to activists, human rights lawyers, journalists, businesspeople, demonstrators, investigators, world leaders, and friends and colleagues of all of the above. NSO Group is a private company that enables dictators and autocrats, and somehow gets to wash its hands of all responsibility.

The story it wants is of a high technology company saving children and fighting terrorists. The story it has is an abuse of power and a lack of accountability.

  1. You might remember that embarrassing texts and images were leaked from Jeff Bezos’ iPhone a couple of years ago that confirmed that he was cheating on his now ex-wife with his current partner Lauren Sanchez. Bezos got in front of the National Enquirer story with a heroic-seeming Medium post where he copped to the affair.

    In that post, he also insinuated that the Saudi royal family used NSO Group malware to breach his phone’s security and steal that incriminating evidence in retaliation for his ownership of the Washington Post and its coverage of the Saudi royalty’s role in Post contributor Jamal Khashoggi’s assassination. In addition, the Post had aggressively reported on the Enquirer’s catch-and-kill scheme to silence salacious stories.

    While that got huge amounts of coverage, a funny thing happened not too long after: the Wall Street Journal confirmed that the Enquirer did not get the texts and photos from some secret Saudi arrangement and, instead, simply paid Sanchez’ brother who had stolen them. A fuller story of this public relations score was reported earlier this year by Brad Stone in Bloomberg Businessweek. It seems that, contrary to contemporary reporting, there was little to substantiate rumours of a high-tech break-in by a foreign government.

    It is unclear whether Bezos was simply spinning a boring story in a politically-favourable way; a recent Mother Jones investigation found that Amazon’s public relations team is notorious among journalists for being hostile and telling outright lies. But if he was targeted by the Saudi Arabian royal family using NSO Group software, it is notable that it is apparently not on the list of 55 countries that the company refuses to sell to on the basis of human rights abuses.