How can we allow open access to sophisticated tools that can attack anyone’s phones undetected? It seems like creating tools that can only be used for illegal and immoral purposes should be banned by society. Breaking into someone’s computer files is a crime all over the world, but why can businesses still make money by enabling this crime?
Private companies are producing and selling spyware that Google experts claim is equivalent to spyware produced by nation states. This private spyware can be purchased by anyone and used against anyone.
This means that nearly any phone, laptop or social media account can be successfully and expeditiously hacked by anyone willing to purchase and activate the software. Why are we allowing this to happen? Can anything be done to stop it?
The work of spyware companies re-entered the news last week when Google's Project Zero published its analysis of ForcedEntry, the zero-click iMessage exploit NSO Group used to deliver its Pegasus spyware, and called it one of the most technically sophisticated exploits it had ever seen. John Scott-Railton, senior researcher at Citizen Lab, was quoted by Ars Technica saying, “This is on par with serious nation-state capabilities. It's really sophisticated stuff, and when it's wielded by an all-gas, no-brakes autocrat, it's totally terrifying. And it just makes you wonder what else is out there being used right now that is just waiting to be discovered. If this is the kind of threat civil society is facing, it is truly an emergency.”
NSO Group’s spyware has been implicated in the Saudi government’s pre-murder surveillance of Washington Post journalist Jamal Khashoggi (see today's Washington Post article) and in its pre-arrest surveillance of the dissident women’s rights advocate Loujain al-Hathloul. Al-Hathloul, following her release from Saudi custody, has sued three former American contractors for hacking her cell phone. These contractors haven’t spoken publicly about their work for the Saudis, but in September they admitted to providing computer hacking technology to the UAE.
Victims of this private spyware are not all dissidents from dictatorships. Earlier this month, the U.S. discovered that the phones of 11 American Embassy employees in Uganda were hacked by NSO Group’s Pegasus spyware. Apple had notified the embassy officials about the attack. The Times reports that “NSO is one of several companies that make money by finding operating system vulnerabilities and selling tools that can exploit them. NSO [is] not accused of maliciously hacking into phones [itself], but of selling tools to clients despite knowing that they would be used in malicious attacks.”
Why is no one stopping NSO Group from producing and selling these tools? Where are the police in this situation?
In some ways, we live in a world without law enforcement. The FBI, for example, only has jurisdiction to investigate certain kinds of activities, undertaken by certain kinds of people, in certain kinds of places. The internet, on the other hand, allows nearly any person sitting in any country to attack people all around the world. These attacks can be words; they can be electronic attacks that infiltrate or delete computer data; or they can be attacks that start electronically and end by bringing down power systems, hospitals or nuclear reactors. Attackers can evade justice by physically locating in places that won’t investigate or prosecute them.
The same is clearly true for spyware creators. NSO Group is in Israel, has ties with the Mossad and the Israeli military, and is protected by the Israeli government. Its Pegasus spyware is classified as a weapon by the Israeli government and can’t be exported without government permission. Cytrox, whose spyware was recently banned from Meta's platforms, is a North Macedonian spyware manufacturer. Four Israeli spyware companies were also banned (Cobwebs, Cognyte, Black Cube and Bluehawk), as well as an Indian company named BellTroX and a China-based spyware maker. All of these headquarters locations are beyond the reach of Western law enforcement agencies.
According to Meta’s report, which accompanied its company bans, “these cyber mercenaries work across many platforms and national boundaries. Their capabilities are used by both nation-states and private enterprises, and effectively lower the barrier to entry for anyone willing to pay. For their targets, it is often impossible to know they are being surveilled across the internet.” And according to TechCrunch, recent surveillance using software from these companies relied on zero-day exploits, that is, attacks on vulnerabilities unknown to the vendor, for which no patch yet existed, so even fully up-to-date devices could not block them.
Last week, researchers at the Citizen Lab published new findings about Cytrox's product Predator, showing how the tool was used, probably by the Egyptian government, to surveil Egyptian dissidents. According to AppleInsider, “Cytrox is part of the so-called ‘Intellexa alliance,’ which is a network of mercenary spyware vendors that emerged in 2019. Although originally based in Cyprus, recent reports indicate that Intellexa now operates in Greece.”
If no one can force the jurisdictions hosting these attack-weapon manufacturers to stop production and sale, then the tools will continue to be available. Some actions are being taken to show formal displeasure with the marketing of sophisticated private spyware. For example, the U.S. Commerce Department just placed NSO Group on its Entity List, blacklisting the Israeli company from receiving certain U.S. technology without a license. The New York Times wrote, “The ban is the strongest step an American president has taken to curb abuses in the global market for spyware, which has gone largely unregulated. The move by the Commerce Department was driven by NSO’s export around the world of a sophisticated surveillance system known as Pegasus, which can be remotely implanted in smartphones.” In addition, Apple has filed a lawsuit against NSO Group for breaking past the security of Apple devices to surveil U.S. citizens. WhatsApp has also sued NSO Group in U.S. courts, citing violations of the Computer Fraud and Abuse Act and the California Comprehensive Computer Data Access and Fraud Act.
These actions may not stop the world’s dictatorships from using private spyware tools against their own people and against Americans who might support them, but they can take a bite out of the revenues of the private companies who make this spyware. These actions and the news coverage surrounding them also shine a cleansing light on an industry that thrives best in darkness. Once researchers publish what a given toolset looks like on an infected device, security professionals know what to look for, and the spyware becomes easier to spot and disable.
The private spyware industry should be heavily regulated. This is undoubtedly why its constituent members live in jurisdictions unwilling to regulate them. At the moment, we can’t shut these companies down, but we can illuminate their abuses and those performed with their products, and we can take indirect measures, such as export blacklists and lawsuits, that hobble the industry. Tinpot dictators and immoral actors may still have access to these tools, but we can make it more difficult to use them.