There have been allegations doing the rounds that Amazon.com boss and Washington Post owner Jeff Bezos had his phone hacked by Saudi Crown Prince Mohammed bin Salman. This incident has turned the spotlight on the security of smartphones and the secretive tools used to hack them.
Smartphones can be hijacked easily and there exists a thriving market in surveillance vendors helping the world’s spies get access to people’s secrets. Once hackers are in, the possibilities are vast - and frightening. Anyone with full control of a smartphone can turn it into a powerful surveillance device, silently tracking users’ locations while quietly copying their emails, instant messages, photos and more.
Smartphones are effectively pocket-sized computers that run apps on operating systems such as Apple’s iOS or Google’s Android and have enabled a new world of connectivity. They operate through a collection of apps, sometimes scores of them, running over an operating system, which in turn runs on a complex piece of hardware embedded with receptors, lenses and sensors.
Each one carries potential flaws - sometimes called bugs - that can cause a system to crash or behave unexpectedly when sent a rogue command or a malicious file. Even small openings like that can allow hackers to take control of a device.
Many developers work hard to ensure those seams stay sealed, but with millions of lines of code to choose from, it is virtually impossible to guarantee total safety.
A 2015 technical document from NSO Group - one of the better known spyware vendors - outlines the capability of its Pegasus spyware program to monitor the smallest details of a target’s life, throwing up alerts if a target enters a certain area, for example, or if two targets meet, or if a certain phone number is called.
The document, made public as part of a lawsuit against NSO by communications firm WhatsApp, shows how keystrokes can be logged, phone calls can be intercepted and a feature dubbed “room tap” uses a phone’s microphone to soak up ambient sound wherever the device happens to be.
The document says the spyware can be installed by enticing targets to click malicious links or rogue text messages, but spies particularly prize the quieter “push message” installations that remotely and invisibly install themselves on users’ phones.
NSO and other spyware vendors have long argued that their products are used responsibly - only sold to governments for legitimate purposes. NSO has denied any link to the alleged Bezos hack. Saudi officials dismiss allegations of their involvement as absurd.
Years of investigative work from internet watchdog group Citizen Lab - which has a well-documented record of exposing international cyber espionage campaigns - and a drumbeat of court cases and leaked documents have called such assertions as these of responsible use into question.
In October of last year messaging company WhatsApp sued NSO in California, alleging that the spyware firm had taken advantage of a bug in the app’s video calling protocol to hack 1,400 users around the world in the period between April 29 and May 10, 2019, alone.
Disclosures from other companies such as Italy’s now-defunct Hacking Team and the spyware company now known as FinSpy have also raised questions about the business. Hacking Team’s spyware was implicated in spying campaigns against dissidents in Ethiopia and the Middle East, for example, while researchers have recently found evidence that FinSpy’s software was used in Turkey.
Both companies’ tools work similarly to NSO’s - using flaws in smartphones to subvert the devices entirely.
(The article was first published in Reuters and is authored by Raphael Satter)
See What’s Next in Tech With the Fast Forward Newsletter
Tweets From @varindiamag
Nothing to see here - yet
When they Tweet, their Tweets will show up here.
