In attacking the iPhone of human rights defender Ahmed Mansoor, the Emirati government reportedly bought a rare, zero-day, Israeli exploit of Apple’s iOS.
When a government seeks to rein in a political opponent by listening in on his calls, reading his text messages, and spying on his meetings, how do they go about doing so? In the case of the United Arab Emirates and pro-democracy activist Ahmed Mansoor, they sent him a short text message.
“New secrets about torture of Emiratis in state prisons,” the Aug. 10 and 11 SMS messages to Mansoor read. The texts included a link, and had Mansoor clicked it, his phone would have turned into a powerful surveillance tool for an entity that researchers believe is the Emirati government. Pegasus, the software used against Mansoor, allows its operator to record phone calls and intercept text messages, including those made or sent on nominally encrypted apps such as Viber and WhatsApp. It can mine contact books and read emails. The software can also track its subject’s movements and even remotely turn on the phone’s camera and microphone.
The cyber-offensive against Mansoor was detailed in a new report by Citizen Lab, a research outfit based at the University of Toronto that has extensively chronicled foreign governments’ use of hacking for surveillance. The report shows the spies targeted Mansoor’s iPhone using so-called zero-day vulnerabilities, flaws that Apple had been unaware of. Citizen Lab alerted the company to the flaw earlier this month; the Cupertino, California-based tech giant issued a patch on Thursday, about 10 days after being alerted, an unusually quick response.
Mansoor may have been one of the most high-profile people targeted with Pegasus, but he won’t be the last. As technology like Pegasus comes into wider use and governments become more aware of just how powerful a surveillance tool a smartphone can be, other dissidents, human rights activists, and journalists could come under similar attack. “These dissidents or high-value targets [give] us all a taste of the future,” said Bill Marczak, one of the report’s authors and a senior research fellow at Citizen Lab.
Thursday’s report cannot definitively prove that the UAE government targeted Mansoor for surveillance, but the researchers assembled a strong, if circumstantial, case pointing squarely at the Emiratis. Among other things, they found links between the use of Pegasus and an earlier hacking campaign, dubbed Stealth Falcon, linked to the Emiratis. The UAE’s embassy in Washington did not return calls and emails seeking comment on the report.
The NSO Group, an Israeli surveillance vendor, said in a statement that its “mission is to make the world a safer place by providing authorized governments with technology that helps them combat terror and crime.” It said the company has no knowledge of specific cases in which its technology has been used, and that its “products may only be used for the prevention and investigation of crimes.”
Mansoor is a prominent and internationally recognized human rights activist. He has been awarded the Martin Ennals Award, given out by the foreign ministries of an array of European countries and sometimes called the Nobel Prize of human rights. He was one of the so-called UAE Five arrested and imprisoned in 2011 amid the Arab Spring for insulting the UAE’s royal family. Mansoor’s crime was signing a pro-democracy petition.
This is the third time Mansoor has been targeted by sophisticated malware written by a private intelligence firm. In 2011, he was attacked with a program developed by FinFisher, a company based in Germany and the United Kingdom. In 2012, he was targeted with surveillance software written by Hacking Team, an Italian firm that was hacked last year by cyber-vandals who leaked its internal emails onto the internet. Researchers have tied previous attempts to use sophisticated malware to monitor Mansoor to the Emirati government.
It is unclear how much money the UAE purportedly paid to the shadowy Israeli firm that created Pegasus, the NSO Group, but Marczak said it was likely that the firm’s contract with the Gulf nation was in the range of $10 million to $15 million. The size of that contract, he added, would depend on how many targets the UAE would have hired NSO to surveil.
NSO reportedly sells its surveillance tools to governments around the world, and the UAE appears to be one of its biggest clients, judging by the company’s use of Emirati domains. Citizen Lab also documented the use of Pegasus in countries like Mexico, where it was used to target a Mexican journalist.
The Pegasus software utilized a chain of three zero days in Apple’s mobile operating system to turn iPhones into highly capable, multifunction surveillance tools. It effectively enables the kind of intrusive, round-the-clock snooping that in the past would have required a huge team of operatives and massive resources. Foreign intelligence services once needed to install microphones in the walls to snoop on their subjects’ private conversations at home. Now, operatives from countries like the UAE — and, potentially, more authoritarian regimes like Russia and China — can just hack a phone.
“The cost of monitoring people is no longer the cost of following people around and wiring bugs into your apartment, like the Stasi did in the 1980s,” said John Scott-Railton, another senior researcher at Citizen Lab and co-author of the report on Mansoor’s targeting.
Zero-day vulnerabilities are highly rare and can fetch six figures from companies that traffic in such information. Last year, a company called Zerodium issued a $1 million bounty for an iPhone flaw such as the one utilized in the Pegasus software. The bounty was claimed within weeks, an indication of how large payouts for tools to hack into encrypted products such as Apple’s devices are attracting high-end programmer talent.
Though the software used to target Mansoor was written in Israel, NSO is owned by an American private equity firm, Francisco Partners Management LLC. After purchasing NSO for a reported $110 million in 2014, Francisco Partners was reportedly exploring a sale last year that would have valued the company at around $1 billion. To stay under the radar, NSO has repeatedly changed its name.
The spread of Pegasus reflects the cat-and-mouse game taking place between governments determined to steal personal data and companies determined to safeguard it. That was the fundamental divide earlier this year when Apple and the FBI waged a highly publicized war over the encrypted iPhone belonging to one of the terrorists in December’s shooting rampage in San Bernardino, California. The FBI got a court order demanding that Apple undermine the phone’s security features, but Apple pushed back. In the end, the FBI reportedly paid private hackers more than $1 million to break into that device.
That may get steadily harder for the FBI and other intelligence services around the world.
As consumers become more aware of the privacy risks posed by the digital revolution, companies have responded in many cases by rolling out sophisticated encryption tools to safeguard the contents of their customers’ conversations. WhatsApp, one of the world’s most popular messaging apps, uses end-to-end encryption, in which only the participants of a conversation can unscramble its contents. It has incorporated this technology throughout its app — phone calls, voice messages, and texts are all protected by advanced encryption.
This has hugely frustrated government security officials and law enforcement, who are often unable to obtain evidence from phones with encryption enabled. But tools such as Pegasus circumvent such encryption by breaking into the device used to communicate. The surveillance software records communications as they are input into an app, before encryption occurs, and then reports that information back to its maker.