Malware Merchant NSO Group Caught Leaving Harvested Location Data Exposed

from the oh-well-'little-people'-aren't-the-end-users-so-who-cares dept

Israeli surveillance tech firm NSO Group is something else. (Pejorative, yo.) It set up shop in a contested country where it’s not all that paranoid to say everyone is out to get them. (But it’s still a little paranoid, if not a lot racist.) That being said, Israel doesn’t have a lot of nearby allies. And its ongoing conflict with Palestine hasn’t made it any new friends.

You’d think a government contractor operating out of this space would be more judicious with its sales efforts. But finding new customers seems to be more important to NSO Group than defending its own country against attacks. NSO has sold its pervasive surveillance products — ones that leverage popular messaging apps to create spy-holes in end-to-end encryption — to anyone who wants them, including those that would turn these tools against Israeli citizens, journalists, and activists.

NSO has enabled a global war on dissent and criticism. It’s not the only company that takes a hands-off approach to sales — justifying the money in its pocket with claims it’s nothing more than an exploit-hawking middleman. This has earned it some justifiable disdain. It has also earned it lawsuits, including one filed by a company too big to ignore: Facebook.

Multiple governments have purchased exploits from NSO, resulting in a worldwide war on journalists and activists. This makes NSO richer. But it doesn’t make the company any smarter. NSO and Israel briefly joined forces to engage in domestic surveillance, utilizing NSO’s malware to facilitate COVID contact tracing — an effort swiftly blocked by an Israeli court.

NSO hasn’t slowed down its surveillance efforts — the ones deployed by its customers. But it has again managed to generate unfavorable headlines and coverage. The company, whose offers of contact tracing were rejected by an Israeli court, hasn’t dialed back its efforts to place people under surveillance — supposedly for the public good.

But its exploits have their own security flaws. While it was trying to sell governments its contact tracing goods, it failed to secure some of the data it had been gathering in hopes of vertically integrating its spy tech and its “concern” for the general population’s health. Zack Whittaker reports for TechCrunch:

NSO, a private intelligence company best known for developing and selling governments access to its Pegasus spyware, went on the charm offensive earlier this year to pitch its contact-tracing system, dubbed Fleming, aimed at helping governments track the spread of COVID-19. Fleming is designed to allow governments to feed location data from cell phone companies to visualize and track the spread of the virus. NSO gave several news outlets each a demo of Fleming, which NSO says helps governments make public health decisions “without compromising individual privacy.”

But in May, a security researcher told TechCrunch that he found an exposed database storing thousands of location data points used by NSO to demonstrate how Fleming works — the same demo seen by reporters weeks earlier.

NSO has responded to the hole it didn’t close until notified by TechCrunch — months after the first notification by the security researcher. It says the data seen in the breach isn’t “real and genuine data.”

Well, we’ll see if that’s true. At this point, this appears to be bullshit. As Whittaker notes, NSO’s statement conflicts with news reports about NSO’s use of location data sold to it by third-party brokers who gather location info from phone apps. NSO used this data to “train” its contact tracing AI. It’s still “real and genuine data,” even if NSO wasn’t (yet!) using it in real-world applications.

TechCrunch asked researchers at Forensic Architecture, an academic unit at Goldsmiths, University of London that studies and examines human rights abuses, to investigate. The researchers published their findings on Wednesday, concluding that the exposed data was likely based on real phone location data.

Whatever the real-world applications by NSO, the fact is NSO utilized data of thousands of individuals from multiple countries (Rwanda, Israel, Saudi Arabia, UAE, Bahrain) to train an AI it was pitching to world governments — a pitch that likely did not inform potential end users NSO would be buying data in bulk from brokers who are generally unconcerned about local data privacy laws.

NSO may be trying to rehabilitate its image by offering its considerable surveillance power to the fight against COVID, but its efforts show it’s really still just in the business of collecting everything it can while expanding its user base to whoever’s willing to buy — even if it includes foreign enemies.

A failure to secure a database — even if it’s only filled with “trial” data — is a monumental self-own. This indicates NSO isn’t nearly as careful as it should be, considering the wealth of data/communications it helps government agencies siphon from targets’ devices. When millions of people around the world are just grist for the surveillance mill, it rarely seems imperative to protect the data you’ve harvested from them. The only thing that matters to NSO is surveillance and the profit made. Collateral damage doesn’t affect its bottom line — not when there’s a host of human rights violators lining up to buy your goods.

Companies: nso group

Comments on “Malware Merchant NSO Group Caught Leaving Harvested Location Data Exposed”

ECA (profile) says:


Really says a lot about the wireless system.
How easy it is to get into it, and NOT tell the other nations what you/we/they are doing.
Using a cellphone to track the virus? Would mean someone Inserted the data onto a phone.
Who is willing to insert the data onto a phone and no other computer or database? Then have it connect to the internet, with no security at all.

"leverage popular messaging apps to create spy-holes"
This is an interesting comment, if the amount of data concerned has MORE than a few Bytes of data in it. Scanning Chats and Forums and Msg. programs to gain data, is a bit sloppy IMO. You are expecting Someone to say they have the virus.

"those that would turn these tools against Israeli citizens, journalists, and activists.
NSO has enabled a global war on dissent and criticism."
Love an OPEN nation of information, and letting persons Argue and debate openly, JUST TO MONITOR them, as they think they are safe in their phones/computers/internet.

But even WE, have problems with this idea. Backpage and a few others, know this very well. Even after BP, Cut the section out, they were taken to court. Love that Section 230 is so abused.

Anonymous Coward says:

Re: This

Love that Section 230 is so abused.

Umm… What?

Sorry that last statement is pure BS. Section 230 has nothing to do with this. Hell even if it did, the group in question is on the other side of the world for crying out loud. US law has no jurisdiction on their operations.

Furthermore, what the hell makes anyone think that a company that sells malware to anyone with the money to spend would care about the victims said malware creates? It’s like expecting a murderer to care about the lives of the people he kills.

Scanning Chats and Forums and Msg. programs to gain data, is a bit sloppy IMO. You are expecting Someone to say they have the virus.

Idiots will be idiots and the US is far from the only country with a well stocked supply of people who still think COVID-19 is just another seasonal flu. It wouldn’t surprise me at all if people posted their diagnosis on social media. Too many twittershitters out there….

Using a cellphone to track the virus? Would mean someone Inserted the data onto a phone.

Yep, as many places are contemplating creating "vaccine passports" that effectively amounts to a "Papers Please Citizen" campaign. Apps to verify and hold on to such information have been in development for a while and have many companies backing them. Hell, both Google and Apple have their own notifications API specifically for notifying people when they’ve been near someone who put a positive diagnosis on their phone. (Can’t wait to see that abused like hell….)
