Over the weekend, an international media consortium reported that several authoritarian governments, including Mexico, Morocco and the United Arab Emirates, used spyware developed by NSO Group to hack the phones of thousands of their most vocal critics, including journalists, politicians and business leaders.
A leaked list of 50,000 phone numbers of potential surveillance targets was obtained by the Paris-based nonprofit journalism organization Forbidden Stories and Amnesty International and shared with the reporting consortium, which includes The Washington Post and The Guardian. Researchers analyzed the phones of dozens of victims to confirm they were targeted by NSO's Pegasus spyware, which can access all of the data on a person's phone. The reports also reveal new details about the government clients themselves, which NSO Group closely guards. Hungary, a member of the European Union, where privacy from surveillance is supposed to be a fundamental right for its 500 million residents, is named as an NSO customer.
The report shows for the first time how many individuals are likely targets of intrusive surveillance by NSO's tools. Previous reports put the number of known victims in the hundreds or at just over a thousand.
NSO Group has categorically rejected the allegations. NSO has long said it doesn't know whom its customers target, which it reiterated in a statement to TechCrunch on Monday.
Amnesty researchers, whose work was reviewed by the Citizen Lab at the University of Toronto, found that NSO can deliver Pegasus by sending a victim a link that infects the phone when opened, or silently and without any interaction through a "zero-click" exploit that takes advantage of vulnerabilities in the iPhone's software. Citizen Lab researcher Bill Marczak said in a tweet that NSO's zero-clicks worked on iOS 14.6, which until today was the most recent version.
Amnesty researchers have shown their work by publishing meticulously detailed technical notes and a toolkit that they believe could help others identify whether their phones have been targeted by Pegasus.
The Mobile Verification Toolkit, or MVT, works on both iPhones and Android devices, but slightly differently. Amnesty said more forensic traces were found on iPhones than on Android devices, which makes an infection easier to detect on an iPhone. MVT lets you take a full iPhone backup (or a full file-system dump if you jailbreak your phone) and check it against any indicators of compromise (IOCs) known to be used by NSO to deliver Pegasus, such as the domain names of NSO's infrastructure, which may have been sent to the phone by SMS or email. If you have an encrypted iPhone backup, you can also use MVT to decrypt it without having to make a brand new copy.
The toolkit runs on the command line, so it's not a slick user experience and requires some basic knowledge of terminal navigation. We got it up and running in about 10 minutes, plus the time to create a fresh backup of an iPhone, which you'll want to do if you want to check the phone's current state. To prepare the toolkit to scan your phone for signs of Pegasus, you'll need to feed it Amnesty's IOCs, which they publish on their GitHub page. Whenever the indicator files are updated, download and use the updated copy.
Once the process has started, the toolkit scans your iPhone backup file for any evidence of compromise. The process took about a minute or two to complete and wrote several files to a folder with the results of the scan. If the toolkit finds a possible compromise, it says so in the generated files. In our case, we had a "detection", which turned out to be a false positive and was removed from the IOCs after verification with Amnesty's researchers. A re-scan using the updated IOCs returned no signs of compromise.
Since an Android infection is harder to detect, MVT takes a similar but simpler approach by scanning your Android device backup for text messages that contain links to domains known to be used by NSO. The toolkit also lets you scan for potentially malicious apps installed on your device.
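To make the two checks described above concrete (the iPhone backup scan against Amnesty's IOCs, and the simpler Android scan for text messages carrying links to NSO domains), here is a stand-alone Python sketch of that link-matching logic. It is an added example written for this page, not MVT's or Amnesty's own code. It reads domain indicators from a STIX2 bundle, the format Amnesty used for its published Pegasus IOCs, pulls URLs out of message text and flags any message whose link host is an indicator domain or a subdomain of one. The bundle, the domain names, the messages and the function names are all constructed for the example; none of the domains is real Pegasus infrastructure. The third indicator in the bundle is marked `revoked`, which stands in for the article's experience of an IOC being withdrawn after it proved to be a false positive.

```python
"""Added example: a stand-alone sketch of the kind of SMS/link check MVT runs.
Loads domain indicators from a STIX2 bundle, extracts URLs from messages and
flags messages whose link host is an indicator domain or a subdomain of one.
All domains and messages below are constructed for the example and are NOT
real Pegasus infrastructure."""
import json
import re
from urllib.parse import urlparse

# Constructed STIX2 bundle in the same shape as a published IOC file. The
# third indicator is marked revoked, which is how an IOC that turned out to
# be a false positive can be withdrawn without rewriting the whole file.
SAMPLE_STIX2 = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        {"type": "indicator", "id": "indicator--1", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'example-infra.test']"},
        {"type": "indicator", "id": "indicator--2", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'cdn.example-cdn.test']"},
        {"type": "indicator", "id": "indicator--3", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'example-retracted.test']", "revoked": True},
        {"type": "malware", "id": "malware--1", "name": "Hypothetical spyware"},
    ],
})

# Constructed messages: 1 links straight to an indicator domain, 3 to a
# subdomain of one, 4 is a lookalike whose real domain is example.org,
# 5 links to the revoked indicator, 2 is benign.
SAMPLE_MESSAGES = [
    {"id": 1, "sender": "+10000000001", "text": "Your parcel is waiting: track.example-infra.test/s/8Kq"},
    {"id": 2, "sender": "+10000000002", "text": "See you at 7? https://www.example.org/menu"},
    {"id": 3, "sender": "+10000000003", "text": "Photos: https://img.cdn.example-cdn.test/v"},
    {"id": 4, "sender": "+10000000004", "text": "Read this: https://example-infra.test.example.org/news"},
    {"id": 5, "sender": "+10000000005", "text": "Login: https://old.example-retracted.test/a"},
]

STIX_DOMAIN_RE = re.compile(r"\[domain-name:value\s*=\s*'([^']+)'\]")
URL_RE = re.compile(r"\b(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.IGNORECASE)


def load_domain_iocs(stix2_text, include_revoked=False):
    """Return the set of domain-name indicators in a STIX2 bundle."""
    domains = set()
    for obj in json.loads(stix2_text).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        if obj.get("revoked") and not include_revoked:
            continue  # withdrawn indicator: skip unless explicitly asked for
        m = STIX_DOMAIN_RE.match(obj.get("pattern", ""))
        if m:
            domains.add(m.group(1).lower().rstrip("."))
    return domains


def extract_hosts(text):
    """Hostnames of every URL-looking token in a message, with or without a scheme."""
    hosts = []
    for m in URL_RE.finditer(text):
        url = m.group(0)
        if not url.lower().startswith(("http://", "https://")):
            url = "http://" + url  # bare links like host.tld/path still parse as URLs
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower().rstrip("."))
    return hosts


def host_matches(host, domains):
    """Exact match or subdomain of an indicator; never a plain substring match."""
    return host in domains or any(host.endswith("." + d) for d in domains)


def scan_messages(messages, domains):
    """Return one detection record per message whose links hit an indicator."""
    detections = []
    for msg in messages:
        hits = [h for h in extract_hosts(msg["text"]) if host_matches(h, domains)]
        if hits:
            detections.append({"id": msg["id"], "sender": msg["sender"], "matched_hosts": hits})
    return detections


if __name__ == "__main__":
    current = load_domain_iocs(SAMPLE_STIX2)
    stale = load_domain_iocs(SAMPLE_STIX2, include_revoked=True)
    print("with stale IOCs:  ", [d["id"] for d in scan_messages(SAMPLE_MESSAGES, stale)])
    print("with current IOCs:", [d["id"] for d in scan_messages(SAMPLE_MESSAGES, current)])
```

Two design points matter in practice. Matching is done on whole host labels (the indicator domain itself or a subdomain of it), so message 4, whose host merely contains an indicator as a prefix, is not flagged; a naive substring match would produce exactly the kind of false positive the article ran into. And re-running the scan with the current indicator set, rather than a stale copy, drops the detection tied to the revoked indicator, which is why the IOC file should be re-downloaded each time it is updated.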
The toolkit is, as command line tools go, relatively simple to use, and the project is open source, so someone will surely build a user interface for it soon. The project's detailed documentation will help you, as it did us.
You can send tips securely over Signal and WhatsApp to +1 646-755-8849. You can also send files or documents using our SecureDrop.