Cyber-mercenaries helped Saudis hack an NYT reporter

mostlysignssomeportents:

The NSO Group are among the world’s most notorious cyber-mercenaries; they’re an Israeli firm under UK/EU private equity control (the owners have previously threatened to sue me and other journalists for reporting on the company’s ownership structure).

The company claims to be a “lawful interception” supplier, helping democratic, human-rights-respecting governments to spy on terrorists. Their extreme secrecy helps them sell this tale, but thanks to a group of academic human rights researchers, we know better.

For years, the University of Toronto’s Citizen Lab — a group of tech-savvy human rights defenders — have helped civil society groups defend themselves against cyber-threats from oppressive states. Don’t let the “cyber-threats” part fool you: digital surveillance is the prelude to mass arrests, disappearances, torture, and murder. It’s thanks to Citizen Lab that we know the truth about the NSO Group.

The truth, then: NSO isn’t in the counter-terrorism business. Its signature weapon, a devastating surveillance tool called Pegasus, has been used in at least 45 countries, including some of the world’s most brutal autocracies.

https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/

It has been widely deployed against human rights workers and journalists — more than 50,000 people have been attacked with NSO’s weapons:

https://www.occrp.org/en/the-pegasus-project/

There is no target too petty or insignificant for NSO’s customers. For example, NSO weapons were used against Mexican anti-sugar campaigners, and their young children:

https://citizenlab.ca/2017/06/reckless-exploit-mexico-nso/

The NSO Group’s intimidation tactics don’t stop with legal threats against journalists. After Citizen Lab broke a string of NSO Group stories, it was targeted by ex-Mossad “private security” mercenaries working for the same firm that did Harvey Weinstein’s black-bag operations:

https://www.nytimes.com/2019/01/28/world/black-cube-nso-citizen-lab-intelligence.html

Wherever we find brutal autocrats, we find the NSO Group. Their tools were part of the Saudi royals’ plot to murder and dismember the journalist Jamal Khashoggi, and were used again in a failed attempt to blackmail Jeff Bezos into ending the Washington Post’s investigation into the slaughter:

https://www.vice.com/en/article/v74v34/saudi-arabia-hacked-jeff-bezos-phone-technical-report

The Saudi royals are a major NSO customer, and NSO tools like Pegasus are key to helping their secret police track down dissidents for detention, torture and murder.

The Saudi state doesn’t always know who those dissidents are, but they know which journalists they talk to. That’s why they used NSO Group’s Pegasus malware to hack the New York Times’s Ben Hubbard.

https://www.nytimes.com/2021/10/24/insider/hacking-nso-surveillance.html

The technical forensics linking NSO surveillance to the hacks against Hubbard’s iPhone can be found in Citizen Lab’s new “Breaking the News” report:

https://citizenlab.ca/2021/10/breaking-news-new-york-times-journalist-ben-hubbard-pegasus/

Despite the damning evidence, the NSO Group insisted that its tools were not behind the attack, claiming that “contractual reasons and restrictions” made that impossible. It’s the same excuse the company gave last July when a consortium revealed 50,000 uses of its malware:

https://pluralistic.net/2021/07/27/gas-on-the-fire/#a-safe-place-for-dangerous-ideas

NSO Group insists that its weapons are sold under the condition that they only be trained upon terrorists, thus whenever we discover them being used against journalists or dissidents, it can’t possibly be their weapons.

Last July, Edward Snowden published “The Insecurity Industry,” rebutting this claim:

https://edwardsnowden.substack.com/p/ns-oh-god-how-is-this-legal

Snowden’s article reminded us that commercial surveillance and state surveillance can’t be disentangled. Companies like the NSO Group are legal because state actors depend on them, so any attempt to rein them in gets clobbered by spy agencies who lean on lawmakers to halt legislation.

According to Citizen Lab’s forensics, Hubbard’s iPhone was compromised with a “zero-click” exploit — a security vulnerability that could be exploited without any user interaction. These are the scariest kinds of security defects, since there’s nothing you, as the owner of an iPhone, can do to defend yourself against them.

Apple has patched that bug, thankfully, but it’s certainly not the last defect that will creep into the iPhone’s operating systems (indeed, similar defects might lurk in current versions). Apple often (and rightfully) boasts about its security prowess, but as this incident demonstrates, Apple alone can’t be trusted to secure its devices.

Schneier’s Law tells us that “anyone can design a security system that works so well that they themselves can’t think of a way of breaking it.” As with other forms of knowledge-creation, security is an adversarial process, requiring transparency and peer-review to validate its conclusions. There is no security in obscurity.

Apple has a managed process for security researchers, paying bounties in exchange for following a prescribed methodology, including restrictions on the timing and manner of disclosures. This is a great idea, but it’s not enough. As we see with the NSO Group hacks, Apple’s process misses defects that put its customers in mortal danger.

For obvious reasons, companies aren’t good stewards of who gets to criticize their products, and how. It’s not that it’s impossible to report on a defect in irresponsible ways, but companies have an unresolvable conflict of interest that disqualifies them from deciding what constitutes “responsible” criticism.

Which is why it’s such bad news that companies — including Apple — have used legal intimidation to control the conduct of security researchers. Most recently, Apple attacked Corellium, a tool that allows independent security researchers to investigate the inner workings of Apple’s software to uncover defects.

https://www.technologyreview.com/2021/08/17/1032113/apple-says-researchers-can-vet-its-child-safety-features-its-suing-a-startup-that-does-just-that/

(Apple lost the suit, thankfully)

The NSO Group and other mercenaries don’t care whether Apple approves of their tactics. They will find and weaponize every error, and sell those weapons to monstrous tyrants. We can’t afford to let companies’ commercial priorities trump their users’ right to know about defects in their products.

Rather than directing its fire against security researchers who find and disclose its bugs, Apple should follow WhatsApp’s lead and sue the NSO Group for exploiting its technology:

https://www.vice.com/en/article/7x5nnz/nso-employees-take-legal-action-against-facebook-for-banning-their-accounts

It should terminate the accounts — personal and commercial — associated with NSO Group employees and executives and permanently bar them from using its services.

Last year, I published Attack Surface, the third novel in the Little Brother series, in which I tell the story of Masha, a young woman who works for a company like the NSO Group until she has a crisis of conscience.

At the time, I ran a series of virtual panels (“The Attack Surface Lectures”), exploring the themes in the book. The first one, hosted by the Strand, featured Citizen Lab founder Ron Deibert and EFF’s Eva Galperin:

https://www.youtube.com/watch?v=rlORdWC3g3E

(here’s the audio)

https://ia801807.us.archive.org/27/items/asl-politics/Politics%20and%20Protest%20with%20Eva%20Galperin%20and%20Ron%20Deibert.mp3

Attack Surface just came out in paperback:

https://us.macmillan.com/books/9781250757517/attacksurface

My local bookstore, Dark Delicacies, has signed copies in stock and I drop by regularly to personalize them:

https://www.darkdel.com/store/p1840/Cory_Doctorow_-__Attack_Surface_HB_%26_TPB.html#/

Last year, I ran a Kickstarter campaign to produce an indie audiobook (outside of Audible’s DRM walled garden), read by Amber Benson. It was the most successful audiobook crowdfunding campaign in world history!

For the rest of this month, I’m selling an audio bundle featuring the audiobooks for all three Little Brother titles (read by Kirby Heyborne, Wil Wheaton and Amber Benson) for $30 (normally $70!).

https://sowl.co/uqT2G