NSO Confirms It Gave Israeli Police Access To Malware To Spy On Israelis

(Mis)Uses of Technology

from the 'hey,-we're-only-MOSTLY-as-bad-as-people-say' dept

Nearly every rumor about NSO Group has been proven true, despite plenty of early denials by the (oh, I guess we’ll be nice…) “embattled” malware merchant. The world’s foremost purveyor of zero-click exploits capable of completely compromising phones of targets is still in damage control mode. The damage can no longer be controlled, though. So, it’s basically just NSO admitting the nasty things said about have been mostly true.

Here’s the latest on NSO and its refusal (pre-mass criticism) to ask any other question than “Why not?,” brought to us by the Times of Israel.

The Israel Police was sold a version of the Pegasus spyware that is weaker than the software sold abroad but, unlike the international package, can be used against Israeli cellphones, the CEO of NSO Group said Tuesday.

Shalev Hulio confirmed to Radio103FM in an interview that police were provided with the Saifan package, which was assumed to be the case based on police rhetoric, media reports and expert opinions.

Apparently, it’s ok to assist in domestic surveillance as long as the surveillers don’t have access to the full version of the malware. That’s weird. What’s weirder is that NSO sold the full-strength version of this exploit to Israel’s enemies — a list that pretty much includes every other nation in the Middle East. They got the real exploit. Meanwhile, the locals had to make do with something less effective, presumably under the theory that this would make domestic surveillance more palatable.

But it really doesn’t. All we have is the CEO Salev Hulio’s assertions that foreign customers (including plenty of human rights abusers) couldn’t target Israeli numbers. This assertion means a whole lot less when the company is willing to bend the rules to target numbers previously declared to be off-limits. It created a version for the FBI that allowed the agency to target US phone numbers. And it crafted a variation that allowed Israeli police to bypass the rules NSO claims governs its spyware: the “forbidden” targeting of Israeli phone numbers.

This selective inability to remain consistent makes this statement by Hulio completely nonsensical.

“The police incident was not Pegasus but Saifan, a weaker version of Pegasus, with fewer capabilities and options for action. They tried to paint it as if they were spying on Israeli citizens; this of course was not true,” Hulio said.

But it is spying on Israeli citizens. You don’t target a phone with malware for any other reason if you’re a law enforcement/domestic security agency. Phones were hit with allegedly-weakened malware for one purpose: to gain intel. That is the definition of surveillance and spying. Previous reporting confirms what NSO won’t admit: its spy tech used to spy on Israeli citizens.

Pegasus is an extremely powerful tool that delivers a zero-click exploit — requiring no user interaction — allowing the spyware’s operator to remotely gain access to all of a phone’s data and functionality. It also enables operators to listen in on calls and use it as a listening device.

Israeli media reports have suggested it was only those latter capabilities that police had access to.

The latter capability is 100% spying. Even if what happened was 100% lawful, it’s still spying. If Hulio wants to argue about the specifics of Israeli surveillance law, that’s one thing. But to claim that “listening in on calls” and turning phones into “listening devices” isn’t spying is absurd. Even in its weakened state, the spyware was completely capable of doing plenty of surveillance.

And Hulio freely admits it was used to target Israelis. That is domestic surveillance. Lawful or not, that’s what happened and that’s what NSO enabled. There’s no walking away from that no matter how often media figures give you the opportunity to reiterate NSO’s corporate cognitive dissonance.

Filed Under: israel, malware, pegasus, surveillance
Companies: nso group