When wiretapping, it is useful if the existing infrastructure can be used. The smartphone, which almost everyone carries with them, usually 24 hours a day, and which is connected to the Internet almost continuously, offers the ideal attack surface for eavesdropping activities, as do portable computers and tablets. The antivirus software entrepreneur Yevgeny Kaspersky said back in 2017 that he had an old Nokia cell phone with him. It is hardly possible to check whether a smartphone is really switched off.
A research network led by the French non-profit organization Forbidden Stories, founded by investigative journalist Laurent Richard, has now published parts of a large-scale investigation into such wiretapping. It shows how at least ten countries, including Hungary, Saudi Arabia, Kazakhstan, Azerbaijan, Mexico and India, have turned the smartphones of journalists, activists and opposition politicians into surveillance machines with the help of the espionage software Pegasus from the Israeli company NSO Group. In the most prominent case so far, the government of Saudi Arabia is said to have wiretapped the circle of people around the journalist Jamal Khashoggi, who was murdered in Istanbul in 2018, before and after the murder. In India, the Guardian reports, Prime Minister Narendra Modi’s rival Rahul Gandhi is said to be among those targeted for Pegasus surveillance.
The investigation, which was published simultaneously in several international media on Monday (in Germany, the research network consisting of NDR, WDR and Süddeutsche Zeitung as well as Die Zeit are involved), is based on data leaked to Forbidden Stories and Amnesty International. It is a list of more than 50,000 phone numbers that have been selected since 2016 as possible targets for state surveillance with Pegasus.
Democratic states also among the customers
The NSO Group had previously given assurances that it only sold its software to government institutions that had been checked beforehand. According to the Guardian, use of the software can be demonstrated in more than fifty countries. Democratic states such as Spain and the Netherlands are also among the alleged customers. As the SZ reports, NSO also tried to sell its product to German authorities. Officially, however, it had no success, at least with the police in the federal states. Nevertheless, the German Association of Journalists demanded on Monday from “German security authorities and the secret services information about whether the Pegasus spyware was used against German journalists”.
In order to use Pegasus, the respective user, for example the secret service of a country, has to target the smartphone via the telephone number. The operator then has to try different ways in: the system can simulate a cell phone network to which the smartphone connects, which means that the traffic is routed via NSO servers, from which the spyware is delivered. Or a manipulated link is sent by message to the recipient; when it is clicked, Pegasus is loaded onto the phone. But these are just a few attack vectors. Not all of them are known yet. Once the smartphone is infected with Pegasus, the operator has remote access to various functions of the device. Among other things, the operator can read chat messages (even encrypted ones), view the calendar, read out passwords, record conversations and control the microphone. Protecting yourself against the software is difficult with most common smartphones. If you are not sure, or even suspect that you are being spied on, you can contact the Amnesty International Security Lab.
In a statement on Sunday, the NSO Group went on the counterattack: The report by “Forbidden Stories” was “full of false assumptions and unconfirmed theories that raise serious doubts about the reliability and interests of the sources.” The report's information has “no factual basis and is far from reality”. The allegations have been checked and the “false allegations are rejected”. The company is also considering a complaint for damage to reputation. According to the statement, the sources of the reporting had probably interpreted publicly available data, such as that of a cellular network's home location register, in a “misleading” way. The claim that the data came from NSO servers is a lie, the statement says; the data never existed there.