Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

The NSO Group Sells Full Access to Smartphones - For a Hefty Price

September 8, 2016

Say you want to invisibly spy on 10 iPhone owners without their knowledge, gathering every keystroke, sound, message and location. That will cost you $650,000, plus a $500,000 setup fee with an Israeli company called the NSO Group.

As The New York Times reports, the NSO Group is one of a number of companies that sell surveillance tools that can capture all the activity on a smartphone, like a user's location and personal contacts. These tools can even turn the phone into a secret recording device.

Since it was founded six years ago, the NSO Group has kept a low profile. Understandably. But last month, security researchers caught its spyware trying to gain access to the iPhone of a human rights activist in the United Arab Emirates. They also discovered a second target, a Mexican journalist who wrote about corruption in the Mexican government.

Internal NSO Group e-mails, contracts and commercial proposals obtained by The New York Times offer insight into how companies in this secretive digital surveillance industry operate. The e-mails and documents were provided by two people who have had dealings with the NSO Group but would not be named for fear of reprisals. I suspect they had reason to be afraid.

The company is one of dozens of digital spying outfits that track everything a target does on a smartphone. They aggressively market their services to governments and law enforcement agencies around the world. The industry argues that this spying is necessary to track terrorists, kidnappers and drug lords. The NSO Group's corporate mission statement is "Make the world a safe place."

Ten people familiar with the company's sales, who refused to be identified (there's a theme here, yes?), said that the NSO Group has a strict internal vetting process to determine who it will sell to. An ethics committee made up of employees and external counsel vets potential customers based on human rights rankings set by the World Bank and other global bodies. And to date, these people all said, NSO has yet to be denied an export license.

But critics note that the company's spyware has also been used to track journalists and human rights activists, as indicated above. That's a long way from making the world a safe place.

"There's no check on this," said Bill Marczak, a senior fellow at the Citizen Lab at the University of Toronto's Munk School of Global Affairs. "Once NSO's systems are sold, governments can essentially use them however they want. NSO can say they're trying to make the world a safer place, but they are also making the world a more surveilled place."

It makes sense that the NSO Group's capabilities are in higher demand now that companies like Apple, Facebook and Google are using stronger encryption to protect data.

The NSO Group's spyware gets around encryption by baiting targets to click unwittingly on texts containing malicious links or by exploiting previously undiscovered software flaws. It was taking advantage of three such flaws in Apple software — now fixed — when it was discovered by researchers last month.

Companies like the NSO Group seem to operate in a legal gray area, deciding for themselves how far they will dig into someone's life and what governments they will do business with. Israel has strict export controls for digital weaponry, but the country has never barred the sale of NSO Group technology.

Since it is privately held, not much is known about the NSO Group's finances, but its business is clearly growing. Two years ago, the NSO Group sold a controlling stake in its business to Francisco Partners, a private equity firm based in San Francisco, for $120 million. Nearly a year later, Francisco Partners was exploring a sale of the company for 10 times that amount, according to two people approached by the firm but prohibited from speaking about the discussions.

Zamir Dahbash, an NSO Group spokesman, said that the sale of its spyware was restricted to authorized governments and that it was used solely for criminal and terrorist investigations. He declined to comment on whether the company would cease selling to the U.A.E. and Mexico after last week's disclosures. And what does that suggest to you?

For the last six years, the NSO Group's main product, a tracking system called Pegasus, has been used by a growing number of government agencies to target a range of smartphones — including iPhones, Androids, and BlackBerry and Symbian systems — without leaving a trace.

Among the Pegasus system's capabilities, NSO Group contracts indicate, are the abilities to extract text messages, contact lists, calendar records, emails, instant messages and GPS locations. One capability that the NSO Group calls "room tap" can gather sounds in and around the room, using the phone's own microphone.

Pegasus can also use the camera to take snapshots or screen shots. It can deny the phone access to certain websites and applications, and it can grab search histories or anything viewed with the phone's web browser. And all of the data can be sent back to the agency's server in real time.

In its commercial proposals, the NSO Group asserts that its tracking software and hardware can install itself in any number of ways, including "over the air stealth installation," tailored text messages and e-mails, through public Wi-Fi hot spots rigged to secretly install NSO Group software, or the old-fashioned way, by spies in person.

The NSO Group prices its surveillance tools by the number of targets, starting with a flat $500,000 installation fee. To spy on 10 iPhone users, NSO charges government agencies $650,000; $650,000 for 10 Android users; $500,000 for five BlackBerry users; or $300,000 for five Symbian users — on top of the setup fee, according to one commercial proposal.

As the article notes, you can pay for more targets. One hundred additional targets will cost $800,000, 50 extra targets cost $500,000, 20 extra will cost $250,000 and 10 extra cost $150,000, according to an NSO Group commercial proposal. There is an annual system maintenance fee of 17 percent of the total price every year thereafter.

What that gets you, NSO Group documents say, is "unlimited access to a target's mobile devices" allowing you to "remotely and covertly collect information about your target's relationships, location, phone calls, plans and activities — whenever and wherever they are." All without leaving a trace.

We are indeed becoming a dystopian world. Hat tip to Dave Ries.

Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
http://www.senseient.com
http://twitter.com/sharonnelsonesq
http://www.linkedin.com/in/sharondnelson