NSO’s Pegasus spyware: here’s what we know

The Pegasus Project reports that journalists, activists, and heads of state could have been infiltrated

Illustration by Alex Castro / The Verge

Throughout the past week, we’ve seen story after story about a company called NSO Group, and a piece of spyware called Pegasus. Some of the stories have been shocking, with allegations that fully updated smartphones can be hacked with a single text message, and reports that two women close to murdered journalist Jamal Khashoggi were among those targeted by a government agency using the spy tool.

A coalition of news outlets, including The Washington Post, Le Monde, and The Guardian is behind the reporting, and they’re calling it the Pegasus Project. The project was led by Forbidden Stories, an organization of journalists that works on stories after the original reporters have been silenced in some way. Amnesty International ran detailed forensics on 67 smartphones to look for evidence that they were targeted by Pegasus spyware — and 37 of those phones tested positive. But many crucial details still aren’t clear.

Here’s what we know about the NSO Group and Pegasus so far.

What is Pegasus, and who or what is NSO Group?

Pegasus is spyware developed by a private contractor for use by government agencies. The program infects a target’s phone and sends back data, including photos, messages, and audio / video recordings. Pegasus’ developer, an Israeli company called NSO Group, says that the software can’t be traced back to the government using it — a crucial feature for clandestine operations.

In short, NSO Group makes products that let governments spy on citizens. The company describes the role of its products on its website as helping “government intelligence and law-enforcement agencies use technology to meet the challenges of encryption” during terrorism and criminal investigations. But as you might imagine, civil liberties groups aren’t happy about the spyware-for-hire business, and restricting the business to government clients does little to quiet their concerns.

The company told The Washington Post that it works only with government agencies, and that it will cut off an agency’s access to Pegasus if it finds evidence of abuse. In its transparency report released at the end of June, the company claimed it has done that before. Still, an Amnesty International statement raised concerns that the company is providing spyware to oppressive governments, where government agencies can’t be trusted to do right by their citizens.

The Forbidden Stories organization, which helped lead the Pegasus Project’s efforts, has a write-up of the company’s exploits and controversies over the past decade, some of which have inspired lawsuits from journalists and activists arguing that NSO’s software has been used improperly. The Washington Post also has an interview that covers the company’s own story about how it was founded and how it got started in the surveillance industry.

Who was being spied on?

We don’t know for sure. However, much of the reporting centers around a list containing 50,000 phone numbers, the purpose of which is unclear. The Pegasus Project analyzed the numbers on the list and linked over 1,000 of them to their owners. When it did so, it found people who should’ve been off-limits to governmental spying (based on the standards NSO says it holds its clients to): hundreds of politicians and government workers — including three presidents, 10 prime ministers, and a king — plus 189 journalists, and 85 human rights activists.

Wait, who made this list?

At this point, that’s clear as mud. NSO says the list has nothing to do with its business, and claims it’s from a simple database of cellular numbers that’s a feature of the global cellular network. A statement from an Amnesty International spokesperson, posted to Twitter by cybersecurity journalist Kim Zetter, says that the list indicates numbers that were marked as “of interest” to NSO’s various clients. The Washington Post says that the list is from 2016.

The Washington Post says the list doesn’t contain information about who added numbers to it, or whether people linked to the numbers were under surveillance. Was the list curated by a shadowy government agency trying to get on the good side of other governments? Was it maintained by a Slack group of Pegasus users? Was it simply a list of numbers? It’s an essential question that remains frustratingly unclear.

So does the list matter?

It seems to. The Washington Post reports that some of the phones analyzed were targeted shortly after they were added to the list. In some cases, only a few seconds separate timestamps that indicate when the phone number was added to the list and incidents of Pegasus attacks on the phones.

According to The Guardian, Amnesty ran its analysis on 67 phones connected to the numbers. It found that 37 of the phones had been at least targeted by Pegasus, and that 23 of those phones had been successfully hacked. The Washington Post details how Pegasus was used to hack a phone belonging to the wife of an imprisoned activist. 

Who else is on the list?

A Washington Post report details some of the highest-ranking officials with numbers on the list. According to an analysis done by the Post and other Pegasus Project members, the current presidents of France, Iraq, and South Africa were included, along with the current prime ministers of Pakistan, Egypt, and Morocco, seven former prime ministers, and the king of Morocco. 

A separate report from the Post claims that the Moroccan king was not the only royalty whose number appeared on the list — a princess from Dubai was also added, along with some of her friends, as she was trying to gain political asylum. Her attempt failed when she was allegedly kidnapped by armed commandos who boarded the yacht she was using to escape.

Also on the list were two women close to Jamal Khashoggi, a journalist who was murdered in 2018.

Was Khashoggi himself on the list?

It doesn’t seem so (though we’ll deal with some nuances in a moment), but people close to him were. The Washington Post has reported that one of those hacked phones belonged to Khashoggi’s fiancée, and that there’s reportedly evidence that his wife’s phone was targeted as well. NSO’s CEO has strongly denied that Khashoggi’s wife was a target.

As to whether NSO targeted Khashoggi himself, that’s a question without a definite answer. NSO strongly denies that it was involved — it did so in 2019, and again recently, with The Washington Post citing a statement from the company that its technology “was not associated in any way with the heinous murder of Jamal Khashoggi.” According to the Post, Khashoggi’s phone is in the custody of Turkish authorities who are carrying out an investigation of the journalist’s homicide.

What does Pegasus do?

According to The Washington Post, the spyware can steal private data from a phone, sending a target’s messages, passwords, contacts, photos, and more to whoever initiated the surveillance. It can reportedly even turn on the phone’s cameras or microphones to create covert recordings. A document from NSO describes the software’s capabilities in more detail.

Recent versions of it have reportedly been able to do this without having to get the user to do anything — a link is sent to their phone, without a notification, and Pegasus starts collecting information. In other cases, Pegasus has reportedly relied on users to click phishing links that then deliver the Pegasus payload.

Wait, how can Pegasus get all that info?

Both The Guardian and The Washington Post have articles explaining how even modern phones with the latest software updates can be exploited. (Amnesty has shown that even some of the most recent versions of iOS are vulnerable to methods used by NSO.) The summary is that no software is perfect. Where there’s complicated software, like iMessage or WhatsApp, there will be bugs, and some of those bugs will give hackers access to way more than many would think is possible. And, with millions of dollars at stake, hackers and security researchers are very motivated to find those bugs, even if they’ll only be usable for a short amount of time.

It can do all that on iPhones? What about Apple’s security and privacy?

In a statement to The Guardian, Apple didn’t deny NSO’s capability to exploit iPhones, instead saying that attacks like Pegasus are “highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals,” thereby not affecting most Apple customers. Apple did say that it continues “to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”

Still, as The Washington Post points out, the fact that the iPhone could be so thoroughly compromised by a reportedly invisible message is unfortunate for a company that prides itself on security and privacy, one that put up “what happens on your iPhone, stays on your iPhone” billboards. Security researchers who spoke to the Post mainly lay the blame on iMessage and its preview software — despite the protections that Apple has reportedly implemented recently to try to secure iMessage.

Are only iPhones vulnerable?

No. A lot of the reporting focuses on iPhones, but that’s only because they’ve proven easier to analyze for signs of a Pegasus infection than Android phones have. Pegasus can, however, infect both, according to an NSO informational document. Both Apple and Google have commented on the situation, with Apple condemning attacks against journalists and activists, and Google saying that it warns users of attempted infiltrations, even those backed by governments.

I think I’ve heard of Pegasus before?

The spyware has been in the news for years, often in connection with incidents similar to what’s currently being reported. In 2017, reports surfaced that the software had been used in attacks against Mexican reporters and activists. In 2019, WhatsApp sued NSO Group, alleging that the software developer was involved in the hacking of around 1,400 devices using an exploit found in WhatsApp’s code. Microsoft, Google, Cisco, and other tech companies signaled support for WhatsApp’s suit. (As of April 2021, the case was ongoing, according to a report from Politico.) 

In 2020, it was reported that NSO was being investigated by the FBI, in connection with the 2018 hack of Jeff Bezos’ cellphone. At the time, NSO denied knowledge of the FBI’s probe, according to Reuters, and the FBI recently declined to comment about the matter to The Washington Post.

Who’s behind the targeting of activists and journalists?

We don’t know at the moment, but it’s likely not just one government agency or country. The Washington Post points to a list of 10 countries where many of the phone numbers on the list seem to be from, and says that those countries have been reported to have worked with NSO in the past. But the fact that many of the basic facts about the list remain disputed means there’s really not enough information to draw solid conclusions.

How much does it cost to spy on a phone?

In 2016, The New York Times reported that NSO Group charged $500,000 to set a client up with the Pegasus system, and then charged an additional fee to actually infiltrate people’s phones. At the time, the costs were reportedly $650,000 to hack 10 iPhone or Android users, or $500,000 to infiltrate five BlackBerry users. Clients could then pay more to target additional users, saving as they spy with bulk discounts: $800,000 for an additional 100 phones, $500,000 for an extra 50 phones, and so on. NSO would also reportedly charge 17 percent of what the clients had paid over the course of a year as an annual maintenance fee. According to Forbidden Stories, NSO’s contract with Saudi Arabia alone is worth up to $55 million.

What does NSO say about the reports?

In an interview with Calcalist, NSO Group’s CEO and co-founder Shalev Hulio broadly denied the allegations, claiming that the list of numbers had nothing to do with Pegasus or NSO. He argued that a list of phone numbers targeted by Pegasus (which NSO says it doesn’t keep, as it has “no insight” into what investigations are being carried out by its clients) would be much shorter — he told Calcalist that NSO’s 45 clients average about 100 Pegasus targets per year.

Hulio also claims that NSO has investigated its clients’ use of the software, and hasn’t found evidence that they targeted any of the phone numbers NSO had been given, including the one linked to Khashoggi’s wife. He also says that it’s NSO policy to cut off clients’ access to Pegasus if it discovers that they are using the system outside of its intended use.

Hulio told The Washington Post that the reports were “concerning,” and that the company would investigate. He told Calcalist that NSO had been running checks with present and past clients for the past week.

How would NSO know whether these people have been targeted, or keep them from being targeted, if it has no idea who its clients are targeting?

Great question. Hulio tries to answer it in his interview with Calcalist, mentioning an ability to analyze a client’s systems, but doesn’t really provide enough detail to be reassuring.

Also, how does Hulio’s claim of Pegasus clients having an average of 100 targets a year square with the bulk discounts NSO reportedly provides?

Again, great question.

Why make software like this? 

According to NSO, it builds Pegasus solely for use in counterterrorism and law enforcement work. The company reportedly only sells the software to specific government agencies that have been approved by the Israeli Ministry of Defense. 

NSO seems to see its software as a necessary, if unpleasant, part of modern surveillance, with its CEO telling The Washington Post that “somebody has to do the dirty work” and that Pegasus is “used to handle literally the worst this planet has to offer.” 

Are there other companies out there making tools like Pegasus?

Absolutely. The Economic Times has a good rundown of some of the higher-profile companies working in the space, along with an explanation of how the pattern of Israeli cyberintelligence agents leaving military service and founding startups leads to Israel being the home of many of these companies.

What can I do to keep myself safe and my information private?

Despite Amnesty’s report that versions of iOS from July are vulnerable to Pegasus, keeping your phone up to date will leave it susceptible to fewer exploits, since phone manufacturers continually release patches for known bugs. There’s also the standard set of security best practices: using strong, unique passwords (preferably with a password manager), turning on encryption, not clicking on links from strangers, etc.

Of course, Pegasus has been shown to bypass most of these security measures — a leaked copy of NSO informational material brags that installation “cannot be prevented by the target” — but they will help protect you from less sophisticated hackers.

How can I check if my phone was compromised? 

Amnesty International has actually released a tool that can be used for analysis, and you can read our guide on how to use it here.

How worried should I actually be?

Assuming you’re not a journalist working on sensitive stories, a world leader, or in some position that could threaten governmental powers, the odds are that someone hasn’t paid thousands or tens of thousands of dollars to target you with Pegasus. That said, it’s obviously concerning that these types of attacks are possible, and that they could potentially fall into the hands of hackers looking to target a much broader range of people.

As with all security-related measures, it’s important to be realistic about the threats that you’re facing, and what you should do about them. For most people who aren’t likely to be targeted by an actor on the level of a nation-state (which hopefully includes you), the bigger threat to privacy comes from data brokers, which operate legally and at a larger scale. On the flip side, if you actually are being targeted by governments, with all the resources at their disposal, there’s probably not a whole lot you can do to keep your digital data private.

I’ve heard the software can’t be used against people with +1 country code numbers, like those found in the US or Canada.

NSO has claimed many times that the software is technically incapable of targeting phones with US +1 phone numbers. This, of course, doesn’t protect Americans who are using international phone numbers, and it’s also something that’s hard for the company to actually prove. According to The Washington Post, the investigation didn’t find evidence that any American numbers had been hacked, but it only examined 67 phones.

The rest of the countries using the +1 code at the start of their phone numbers, such as Canada, Jamaica, and others, are largely unmentioned in the new wave of NSO reporting, though Canada was mentioned in a 2018 report.