NSO Group Spyware Can Exfiltrate Individual Users’ Cloud-Stored Data Using Credentials Stored On Targeted Devices ft.com

The headline for this linked item is deliberately not snappy, for reasons that should quickly become apparent.

Mehul Srivastava and Tim Bradshaw, Financial Times:

NSO Group’s flagship smartphone malware, nicknamed Pegasus, has for years been used by spy agencies and governments to harvest data from targeted individuals’ smartphones.

But it has now evolved to capture the much greater trove of information stored beyond the phone in the cloud, such as a full history of a target’s location data, archived messages or photos, according to people who shared documents with the Financial Times and described a recent product demonstration.

The documents raise difficult questions for Silicon Valley’s technology giants, which are trusted by billions of users to keep critical personal information, corporate secrets and medical records safe from potential hackers.

This report produced headlines claiming, for example, that the software “spies on Apple, Google and Facebook cloud data”, which isn’t entirely accurate.

Dare Obasanjo sums it up nicely:

This is an incredibly misleading headline.

If your phone is compromised by malware then bad actors can access all data any apps on your phone can access including iCloud, Gmail, FB, etc.

This isn’t a cloud service problem but a compromised client issue.

Zack Whittaker:

[…] But it’s worth remembering that it’s in NSO’s best interests to ham up its abilities and stretch the truth in sales meetings. Also don’t forget that NSO malware targets only a few types of people, so don’t panic either.

Joseph Cox of Vice downplayed this story even more:

NSO’s malware can log into Facebook, Amazon, etc., download content. FT has bizarrely framed this as an issue for the cloud services, when it’s really about how end devices secure auth tokens. You own the device, you are the device. This will get dumb hyped.

It seems that the Financial Times story is exaggerating the capabilities of this spyware, but I think Cox’s summary may be inaccurate as well. For example, the report leaves the impression that a lot of iCloud data can be pilfered from targeted users’ accounts, but I’m not sure how that squares with the multilayered encryption mechanisms described in Apple’s iOS security guide. Perhaps the data that can be pulled from iCloud is rather limited, and the report mixes iCloud-specific claims with the malware’s more general ability to collect data from every service on the phone.

I hope more in-depth reporting will be produced on how, exactly, this spyware works and what specifically it can collect. Alas, I don’t see that happening, given how tightly NSO Group controls access to it.