Pegasus spyware – a zero-click way of remotely hacking an iPhone, and gaining access to all the personal data stored on it – has been defended by the company’s CEO. NSO chief exec said that the company had made “mistakes” in selling it to repressive governments, but claimed that it now sells Pegasus only to countries to whom the US sells weapons.
A security researcher said that the comparison was bogus, stating that a more reasonable comparison would be selling long-range nuclear missiles …
NSO Group makes spyware called Pegasus, which is sold to government and law enforcement agencies. The company purchases so-called zero-day vulnerabilities (ones that are unknown to Apple) from hackers, and its software is capable of mounting zero-click exploits – where no user interaction is required by the target.
In particular, it’s reported that simply receiving a particular iMessage – without opening it or interacting with it in any way – can allow an iPhone to be compromised, with personal data exposed.
NSO sells Pegasus only to governments, but its customers include countries with extremely poor human rights records – with the spyware used against political opponents, human rights activists, lawyers, journalists, and more.
Apple has long been working to protect iPhone users against Pegasus: suing the company, alerting owners of infected iPhones, and offering a Lockdown Mode, which disables the most common attack paths.
NSO chief exec defends the spyware
In his first media interview since taking over as CEO some five months ago, Yaron Shohat admitted to making “mistakes” in selling Pegasus to governments who used it for human rights abuses. However, he claimed to the WSJ that NSO is now far more careful, and it only sells to governments approved for US weapons sales.
Mr. Shohat said NSO Group had terminated 10 customers because of alleged misuse of its technology, adding that the spyware vendor had learned lessons from those experiences. He didn’t name the customers.
“I will not tell you that we never had mistakes, but we act responsibly,” he said […] He declined to say whether all of NSO’s clients were democracies, but said “all the customers or countries that the U.S. would sell weapons to.”
An academic who has closely monitored NSO’s activities says this comparison doesn’t stack up.
John Scott-Railton, a senior researcher at Citizen Lab, a cyber-research group at the University of Toronto that has closely monitored NSO Group, dismissed the idea that selling Pegasus, even to allies, was the same as other types of weapons exports.
“If I went around selling ICBMs to all the countries that the U.S. sells various weapons to, I’d imagine the U.S. would be pretty upset, too,” Mr. Scott-Railton said. “Pegasus is a cyber weapon with no logical limitation on range.”
The US government banned the import and use of Pegasus, and placed NSO on a blacklist, blocking it from buying sensitive US technology. This has had severe financial impacts on the company, with credit agency Moody’s saying that the company has debts of around half a billion dollars, and is at risk of defaulting on them.
Photo: US Department of Energy (public domain)
FTC: We use income earning auto affiliate links. More.