Israel’s NSO: the business of spying on your iPhone

As Apple rolled out an advertising campaign last month touting the impenetrability of the iPhone — “Privacy. That’s iPhone”, the commercials promised — a secretive Israeli company called in its sales people to talk about an important update designed to thwart that very privacy.

According to one person at the meeting, the executives from NSO Group made a bold claim: using just one simple missed call on WhatsApp, it had figured out a way to “drop its payload”, a piece of software called Pegasus that can penetrate the darkest secrets of any iPhone.

Within minutes of the missed call, the phone starts revealing its encrypted content, mirrored on a computer screen halfway across the world. It then transmits back the most intimate details such as private messages and location, and even turns on the camera and microphone to live-stream meetings.

The software itself is not new — it was the latest upgrade to a decade-old technology so powerful that the Israeli defence ministry regulates its sale. But the WhatsApp hack was an enticing new “attack vector”, the person says. “Great from a sales point.”

It was an illustration of the sales pitch that NSO has made to governments around the world — and which has helped give a tiny and discreet company a market valuation of around $1bn. NSO’s few hundred engineers claim they have managed to manoeuvre around whatever obstacle Apple, the world’s most valuable company, has thrown in its way. Apple declined to comment for this article.

At an investor presentation in London in April, NSO bragged that the typical security patches from Apple did not address the “weaknesses exploited by Pegasus”, according to an unimpressed potential investor. Despite the annual software updates unveiled by companies such as Apple, NSO had a “proven record” of identifying new weaknesses, the company representative told attendees.

NSO’s pitch has been a runaway success — allowing governments to buy off the shelf the sort of software that was once thought to be restricted to only the most sophisticated spy agencies, such as GCHQ in the UK and the National Security Agency in America.

The sale of such powerful and controversial technologies also gives Israel an important diplomatic calling card. Through Pegasus, Israel has acquired a major presence — official or not — in the deeply classified war rooms of unlikely partners, including, researchers say, Gulf states such as Saudi Arabia and the United Arab Emirates. Although both countries officially reject the existence of the Jewish state, they now find themselves the subject of a charm offensive by Prime Minister Benjamin Netanyahu that mixes a shared hostility to Iran with intelligence knowhow.

The Israeli government has never talked publicly about its relationship with NSO. Shortly after he stepped down as defence minister in November, Avigdor Lieberman, who had responsibility for regulating NSO’s sales, said: “I am not sure now is the right time to discuss this . . . I think that I have a responsibility for the security of our state, for future relations.” But he added: “It is not a secret today that we have contact with all the moderate Arab world. I think it is good news.”

The NSO Group says Pegasus has been used by dozens of countries to prevent terrorist attacks, infiltrate drug cartels and help rescue kidnapped children.

But two lawsuits against the company, which have been filed in Israel and Cyprus, and build on investigations by human rights groups, claim it tracked the software to the phones of journalists, dissidents and critics of governments from Mexico to Saudi Arabia, including a researcher at Amnesty International, the wife of a murdered Mexican journalist and anti-corruption activists. 

As the company has grown in influence, it has been tracked by researchers at the University of Toronto who have shadowed Pegasus. They believe it has been used in 45 countries including Bahrain, Morocco, Saudi Arabia and the UAE. Half the group’s revenues come from the Middle East, according to an investor at the April presentation, although the company also told the gathering that it had contracts with 21 EU countries. 

NSO’s technology has become a trophy weapon in the rivalries that consume the Middle East. The Israeli lawsuit says the UAE, an NSO client, asked a company representative to hack the mobile phones of Qatar’s emir, a rival Saudi prince and the editor of a dissident newspaper in London. 

The murder of Jamal Khashoggi, the Washington Post columnist, in Istanbul by Saudi government hitmen brought deeper scrutiny of the company.

Omar Abdulaziz, a Canada-based vocal critic of the Saudi government, and a friend of Khashoggi, alleges in one of the lawsuits in Israel that his phone was infiltrated by Pegasus, and was used to track Khashoggi’s conversations with him before his death in October.

NSO has offered a hedged response — saying publicly only that its software was not used by any of its clients to infect Khashoggi’s phone itself and that it only sells to responsible countries after diligent vetting, and with the approval of the Israeli government. 

The company declined to comment on the record. But on the question of its software being used by clients to monitor dissidents or journalists instead of legitimate terror targets, a person familiar with NSO says it does not see any of the data collected by its customers. Instead, it has designed a firewall between its software, which it regularly updates and maintains, and the data it collects, which sits in separate servers located in the customer country, the person says.

NSO has also turned down potential business worth $150m in the past three years, and declined to pursue a further $250m in deals after work done by an ethics committee, which vets the customer government, its agencies, the human rights risks and the spy agency itself, the person says.

Few of the company’s critics are assuaged by these assurances. “Its talk about careful customer selection seems like a joke, because it already has many contracts with states with very problematic human rights records, like Saudi Arabia,” says Alaa Mahajna, a Jerusalem-based human rights lawyer who is representing Mr Abdulaziz and a group of Mexican journalists and activists in two lawsuits against NSO. 

In a previously unreported detail, NSO has been selling the ability to hack mobile phones in any part of the world — most recently using WhatsApp — with geographical software limitations decided by the Israeli government, according to a person familiar with the company. That means that a spy agency in one country can theoretically hack phones well outside their jurisdiction.

In early May, engineers at WhatsApp discovered the vulnerability in its code that NSO was exploiting, and by last week had started to repair it, the company said. It released an update to its 1.5bn users on Monday to completely close the loophole.

“This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems,” says a person familiar with the internal WhatsApp investigation. “We are deeply concerned about the abuse of such capabilities.”

For a company with such unparalleled reach, NSO maintains a veil of secrecy — until recently, it did not have a website. Its founders, Shalev Hulio and Omri Lavie, rarely speak to the press — in a 2013 interview with the FT, Mr Lavie said keeping the company private allowed “things that are secret to remain secret”.

But interviews with more than half a dozen Israeli officials, several people involved in NSO’s business, court documents in Israel and Cyprus, police complaints and wary investors show a company struggling to complete the transition from the shadows of Israel’s offensive tech industry to an astoundingly profitable enterprise that is now unveiling its secrets in investor presentations and buyout negotiations. NSO was valued at about $1bn in a recent leveraged buyout backed by Novalpina Capital, a UK-based private equity fund.

It has launched a campaign to rehabilitate its reputation, which had taken such a hit that a $510m loan backing Novalpina’s leveraged buyout of the company struggled to attract buyers even after trying to sell it for 90 cents on the dollar, with a 9.5 per cent interest rate.

The contracts with governments around the world are certainly lucrative. The company reported $251m in revenues in 2018 — with an ebitda of $128m — up from revenue of $109m in 2014, according to its investor presentation. Free cash flow was $80m in 2018.

About 10 per cent of revenues come from sales of a van that carries equipment to soak up the data from a target’s location. Another tenth or so comes from a product called Landmark, which tracks the physical location of phones. But the bestseller is still Pegasus, making up three-quarters of revenue.

The latest iteration of Pegasus is hugely attractive to governments. In mid-2017, according to a police complaint in Israel and a European businessman who was involved in the sales pitch, NSO representatives flew to Cyprus to meet two senior Saudis, including a top intelligence official. The businessman did not agree to make his name public.

In a conference room at the Four Seasons in Limassol, the company representatives had a brand new iPhone brought in and showed the Saudis how quickly they could hijack its camera and microphone. The version they were marketing was nicknamed Pegasus 3, and it invades a phone without needing to trick the user into clicking on a hoaxed link hiding the software, marketed by the company as “zero click technology.” 

“They were still discussing pricing, when the Saudis said they wanted it immediately,” says the businessman, who estimates the Saudi government paid $55m for the ability to track 150 targets simultaneously. He never received a commission, and is pursuing a criminal complaint against two other middlemen involved in the deal. The company says it does not discuss its clients or sales.

According to the businessman, the Saudi government also received some “horses”, as the company refers to the Trojan horse malware it loads on to target phones of Pegasus 2 — the same version that researchers at the University of Toronto’s Citizen Lab tracked to the iPhone of Mr Abdulaziz, Khashoggi’s friend.

Speaking about the new WhatsApp hack, which its parent Facebook tried to patch with its latest update, John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab, says: “If true, this is extremely concerning because it suggests that the same reckless behaviour from customers that Citizen Lab and others have documented could easily spill across borders. This suggests a novel new mechanism.”

The Mexican government had paid $32m in 2014 for Pegasus 2, according to a contract with the Mexican attorney-general’s office included in the lawsuit in Israel. That came with an NSO service called Enhanced Social Engineering Message, in which NSO representatives helped create an enticing SMS that the target was most likely to click on, according to the lawsuit. 

These messages are a central part of the two lawsuits facing NSO. Days after unknown assailants murdered Mexican journalist Javier Valdez in 2017, who had been highly critical of the government, his widow received text messages that offered details on his murder. Citizen Lab concluded it was highly likely that the texts carried the malicious software. Mr Abdulaziz, in Canada, received a link that offered to track a shipment, which Citizen Lab said it had “high confidence” carried the malware. Others tracked by Citizen Lab received similarly personal, tailored messages. The company has declined to address the claims specifically, but has said that its internal investigations indicate that the software tracked by Citizen Lab is not Pegasus. 

The creation of these messages required customers to work directly with NSO, says the businessman, who described a help desk based in Cyprus that worked with agencies.

That runs counter to NSO’s position that it sells the software in a manner that does not allow it to monitor how it is being used and on whom.  Novalpina has said that an exhaustive review turned up only a handful of abuses, and has suggested other companies or governments may be responsible for the traces of Pegasus that researchers claim to have tracked to the phones of journalists, dissidents and critics. The lawsuits in Israel are still in pre-trial hearings, so the company has yet to present its formal defence.

In Israel, where the military has created its own secure phone for its officers to use, the susceptibility of smartphones has become a national security issue. Many senior officials no longer carry smartphones — Mr Lieberman, the former defence minister, proudly showed off to reporters a scarred and cracked Nokia, at least a decade old, that his family can reach him on.

“These companies are telling the world that they made this product to make the world safer — but the people who know how these companies work stop using cell phones, and that doesn’t sound safer to me,” says Mr Scott-Railton at Citizen Labs.

Mr Lavie and Mr Hulio, the founders of NSO, have another company in the same game. Its niche product? Phones that cannot be hacked.

Additional reporting by Quique Kierszenbaum