NSO's Pegasus software can allegedly penetrate any iPhone via one simple missed call on WhatsApp

As Apple rolled out an advertising campaign last month touting the impenetrability of the iPhone — “Privacy. That’s iPhone”, the commercials promised — a secretive Israeli company called in its sales people to talk about an important update designed to thwart that very privacy.

According to one person at the meeting, the executives from NSO Group made a bold claim: using just one simple missed call on WhatsApp, it had figured out a way to “drop its payload”, a piece of software called Pegasus that can penetrate the darkest secrets of any iPhone.

Within minutes of the missed call, the phone starts revealing its encrypted content, mirrored on a computer screen halfway across the world. It then transmits back the most intimate details such as private messages and location, and even turns on the camera and microphone to live-stream meetings.

The software itself is not new — it was the latest upgrade to a decade-old technology so powerful that the Israeli defence ministry regulates its sale. But the WhatsApp hack was an enticing new “attack vector”, the person says. “Great from a sales point.”

An Israeli woman on her iPhone outside NSO's headquarters in Herzliya, near Tel Aviv © AFP

It was an illustration of the sales pitch that NSO has made to governments around the world — and which has helped give a tiny and discreet company a market valuation of around $1bn. NSO’s few hundred engineers claim they have managed to manoeuvre around whatever obstacle Apple, the world’s most valuable company, has thrown in its way. Apple declined to comment for this article.

At an investor presentation in London in April, NSO bragged that the typical security patches from Apple did not address the “weaknesses exploited by Pegasus”, according to an unimpressed potential investor. Despite the annual software updates unveiled by companies such as Apple, NSO had a “proven record” of identifying new weaknesses, the company representative told attendees.

NSO’s pitch has been a runaway success — allowing governments to buy off the shelf the sort of software that was once thought to be restricted to only the most sophisticated spy agencies, such as GCHQ in the UK and the National Security Agency in America.

The sale of such powerful and controversial technologies also gives Israel an important diplomatic calling card. Through Pegasus, Israel has acquired a major presence — official or not — in the deeply classified war rooms of unlikely partners, including, researchers say, Gulf states such as Saudi Arabia and the United Arab Emirates. Although both countries officially reject the existence of the Jewish state, they now find themselves the subject of a charm offensive by Prime Minister Benjamin Netanyahu that mixes a shared hostility to Iran with intelligence knowhow.

The Israeli government has never talked publicly about its relationship with NSO. Shortly after he stepped down as defence minister in November, Avigdor Lieberman, who had responsibility for regulating NSO’s sales, said: “I am not sure now is the right time to discuss this . . . I think that I have a responsibility for the security of our state, for future relations.” But he added: “It is not a secret today that we have contact with all the moderate Arab world. I think it is good news.”

Israeli Prime Minister Benjamin Netanyahu has improved relations with Saudi Arabia and the UAE © Reuters

The NSO Group says Pegasus has been used by dozens of countries to prevent terrorist attacks, infiltrate drug cartels and help rescue kidnapped children.

But two lawsuits against the company, which have been filed in Israel and Cyprus, and build on investigations by human rights groups, claim it tracked the software to the phones of journalists, dissidents and critics of governments from Mexico to Saudi Arabia, including a researcher at Amnesty International, the wife of a murdered Mexican journalist and anti-corruption activists. 

As the company has grown in influence, it has been tracked by researchers at the University of Toronto who have shadowed Pegasus. They believe it has been used in 45 countries including Bahrain, Morocco, Saudi Arabia and the UAE. Half the group’s revenues come from the Middle East, according to an investor at the April presentation, although the company also told the gathering that it had contracts with 21 EU countries. 

NSO’s technology has become a trophy weapon in the rivalries that consume the Middle East. The Israeli lawsuit says the UAE, an NSO client, asked a company representative to hack the mobile phones of Qatar’s emir, a rival Saudi prince and the editor of a dissident newspaper in London. 

The murder of Jamal Khashoggi, the Washington Post columnist, in Istanbul by Saudi government hitmen brought deeper scrutiny of the company.

Omar Abdulaziz alleges in a lawsuit in Israel that his phone was infiltrated by NSO's Pegasus spyware

Omar Abdulaziz, a Canada-based vocal critic of the Saudi government, and a friend of Khashoggi, alleges in one of the lawsuits in Israel that his phone was infiltrated by Pegasus, and was used to track Khashoggi’s conversations with him before his death in October.

NSO has offered a hedged response — saying publicly only that its software was not used by any of its clients to infect Khashoggi’s phone itself and that it only sells to responsible countries after diligent vetting, and with the approval of the Israeli government. 

The company declined to comment on the record. But on the question of its software being used by clients to monitor dissidents or journalists instead of legitimate terror targets, a person familiar with NSO says it does not see any of the data collected by its customers. Instead, it has designed a firewall between its software, which it regularly updates and maintains, and the data it collects, which sits in separate servers located in the customer country, the person says.

NSO has also turned down potential business worth $150m in the past three years, and declined to pursue a further $250m in deals after work done by an ethics committee, which vets the customer government, its agencies, the human rights risks and the spy agency itself, the person says.

Few of the company’s critics are assuaged by these assurances. “Its talk about careful customer selection seems like a joke, because it already has many contracts with states with very problematic human rights records, like Saudi Arabia,” says Alaa Mahajna, a Jerusalem-based human rights lawyer who is representing Mr Abdulaziz and a group of Mexican journalists and activists in two lawsuits against NSO. 

In a previously unreported detail, NSO has been selling the ability to hack mobile phones in any part of the world — most recently using WhatsApp — with geographical software limitations decided by the Israeli government, according to a person familiar with the company. That means that a spy agency in one country can theoretically hack phones well outside their jurisdiction.

In early May, engineers at WhatsApp discovered the vulnerability in its code that NSO was exploiting, and by last week had started to repair it, the company said. It released an update to its 1.5bn users on Monday to completely close the loophole.

“This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems,” says a person familiar with the internal WhatsApp investigation. “We are deeply concerned about the abuse of such capabilities.”

A protester in Istanbul wears a mask depicting Saudi Crown Prince Mohammed bin Salman in protests against the killing of Saudi journalist Jamal Khashoggi in the city last October © AFP

For a company with such unparalleled reach, NSO maintains a veil of secrecy — until recently, it did not have a website. Its founders, Shalev Hulio and Omri Lavie, rarely speak to the press — in a 2013 interview with the FT, Mr Lavie said keeping the company private allowed “things that are secret to remain secret”.

But interviews with more than half a dozen Israeli officials, several people involved in NSO’s business, court documents in Israel and Cyprus, police complaints and wary investors show a company struggling to complete the transition from the shadows of Israel’s offensive tech industry to an astoundingly profitable enterprise that is now unveiling its secrets in investor presentations and buyout negotiations. NSO was valued at about $1bn in a recent leveraged buyout backed by Novalpina Capital, a UK-based private equity fund.

It has launched a campaign to rehabilitate its reputation, which had taken such a hit that a $510m loan backing Novalpina’s leveraged buyout of the company struggled to attract buyers even after trying to sell it for 90 cents on the dollar, with a 9.5 per cent interest rate.

The contracts with governments around the world are certainly lucrative. The company reported $251m in revenues in 2018 — with an ebitda of $128m — up from revenue of $109m in 2014, according to its investor presentation. Free cash flow was $80m in 2018.

About 10 per cent of revenues come from sales of a van that carries equipment to soak up the data from a target’s location. Another tenth or so comes from a product called Landmark, which tracks the physical location of phones. But the bestseller is still Pegasus, making up three-quarters of revenue.

The latest iteration of Pegasus is hugely attractive to governments. In mid-2017, according to a police complaint in Israel and a European businessman who was involved in the sales pitch, NSO representatives flew to Cyprus to meet two senior Saudis, including a top intelligence official. The businessman did not agree to make his name public.

Lawyer Alaa Mahajna: 'NSO's talk about careful customer selection seems like a joke' © AP

In a conference room at the Four Seasons in Limassol, the company representatives had a brand new iPhone brought in and showed the Saudis how quickly they could hijack its camera and microphone. The version they were marketing was nicknamed Pegasus 3, and it invades a phone without needing to trick the user into clicking on a hoaxed link hiding the software, a capability the company markets as “zero click technology”.

“They were still discussing pricing, when the Saudis said they wanted it immediately,” says the businessman, who estimates the Saudi government paid $55m for the ability to track 150 targets simultaneously. He never received a commission, and is pursuing a criminal complaint against two other middlemen involved in the deal. The company says it does not discuss its clients or sales.

According to the businessman, the Saudi government also received some Pegasus 2 “horses”, as the company refers to the Trojan horse malware it loads on to target phones — the same version that researchers at the University of Toronto’s Citizen Lab tracked to the iPhone of Mr Abdulaziz, Khashoggi’s friend.

Speaking about the new WhatsApp hack, which its parent Facebook tried to patch with its latest update, John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab, says: “If true, this is extremely concerning because it suggests that the same reckless behaviour from customers that Citizen Lab and others have documented could easily spill across borders. This suggests a novel new mechanism.”

An iPhone user on a plane: Apple has focused on improving the security of its handsets in recent years © Reuters

The Mexican government had paid $32m in 2014 for Pegasus 2, according to a contract with the Mexican attorney-general’s office included in the lawsuit in Israel. That came with an NSO service called Enhanced Social Engineering Message, in which NSO representatives helped create an enticing SMS that the target was most likely to click on, according to the lawsuit. 

These messages are a central part of the two lawsuits facing NSO. Days after unknown assailants murdered Mexican journalist Javier Valdez in 2017, who had been highly critical of the government, his widow received text messages that offered details on his murder. Citizen Lab concluded it was highly likely that the texts carried the malicious software. Mr Abdulaziz, in Canada, received a link that offered to track a shipment, which Citizen Lab said it had “high confidence” carried the malware. Others tracked by Citizen Lab received similarly personal, tailored messages. The company has declined to address the claims specifically, but has said that its internal investigations indicate that the software tracked by Citizen Lab is not Pegasus. 

The creation of these messages required customers to work directly with NSO, says the businessman, who described a help desk based in Cyprus that worked with agencies.

That runs counter to NSO’s position that it sells the software in a manner that does not allow it to monitor how it is being used and on whom. Novalpina has said that an exhaustive review turned up only a handful of abuses, and has suggested other companies or governments may be responsible for the traces of Pegasus that researchers claim to have tracked to the phones of journalists, dissidents and critics. The lawsuits in Israel are still in pre-trial hearings, so the company has yet to present its formal defence.

In Israel, where the military has created its own secure phone for its officers to use, the susceptibility of smartphones has become a national security issue. Many senior officials no longer carry smartphones — Mr Lieberman, the former defence minister, proudly showed off to reporters a scarred and cracked Nokia, at least a decade old, that his family can reach him on.

“These companies are telling the world that they made this product to make the world safer — but the people who know how these companies work stop using cell phones, and that doesn’t sound safer to me,” says Mr Scott-Railton at Citizen Lab.

Mr Lavie and Mr Hulio, the founders of NSO, have another company in the same game. Its niche product? Phones that cannot be hacked.

Additional reporting by Quique Kierszenbaum

Copyright The Financial Times Limited 2023. All rights reserved.