July 19, 2019, updated 22 Jul 2019 3:28pm

NSO denies having spyware that can hack cloud servers

By Robert Scammell

Israeli cyber-intelligence firm NSO Group has denied that the latest version of its spyware tool can covertly steal a person’s data from Google, Apple, Facebook, Microsoft and Amazon servers.

It follows a report by the Financial Times (FT) that alleged the NSO spyware tool can scrape information such as location data and archived messages or photos stored in the cloud servers of these big tech companies. The newspaper cited sources close to the matter and documents it had seen.

“There is a fundamental misunderstanding of NSO, its services and technology. NSO’s products do not provide the type of collection capabilities and access to cloud applications, services, or infrastructure, as listed and suggested in today’s FT article,” an NSO spokesperson told Verdict in an email.

While an NSO spokesperson told the FT that it did not “provide or market any type of hacking or mass-collection capabilities to any cloud applications, services or infrastructure”, the FT stated that NSO Group “did not specifically deny that it had developed the capability described in the documents”.

The latest alleged hacking tool is supposedly an evolution of the NSO spyware that exploited a WhatsApp security flaw by sending a voice call to target phones, which provided a gateway for the app to send the phone’s data back to the attacker.

Known as Pegasus, the NSO spyware has been sold to spy agencies and governments to carry out targeted data gathering from an individual’s smartphone. NSO has long insisted that it only did business with reputable governments. However, researchers have previously found evidence that the NSO spyware was being deployed on the phones of journalists and human rights activists around the world.

In its statement to Verdict, NSO added:

“Increasingly sophisticated terrorists and criminals are taking advantage of encrypted technologies to plan and conceal their crimes, leaving intelligence and law enforcement agencies in the dark and putting public safety and national security at risk. NSO’s lawful interception products are designed to confront this challenge.

“Our products are licensed in small scale to legitimate government intelligence and law enforcement agencies for the sole purpose of preventing or investigating serious crime including terrorism.”

How the NSO spyware works

Pegasus can apparently infect most of the latest iPhones and Android smartphones. The new NSO spyware tool reportedly works on any of the same devices, as well as providing access to data uploaded to the cloud from laptops and tablets.

Once a phone is infected, the new NSO spyware technique reportedly copies authentication keys used by services such as iCloud and Facebook Messenger. These keys verify a person’s identity, so whoever holds them gains access to the target’s data stored on the associated cloud server.

With these keys, an attacker can then impersonate the phone and gain access to all the cloud data. It doesn’t require 2-step verification or trigger any warnings, a sales document reportedly states.

Amazon told the FT it found no evidence any of its systems had been compromised by the NSO spyware tool but would monitor the situation, as did Facebook.

Apple and Microsoft provided assurances that their systems were secure. Google initially declined to provide comment to the FT, but a spokesperson has since said:

“We’ve found no evidence of access to Google accounts or systems, and we’re continuing our investigation. We automatically protect users from security threats and we encourage them to use tools like our Security Checkup, 2-step verification, and our Advanced Protection Program, if they believe they may be at especially high risk of attack.”

The new spyware tool can reportedly be stopped by changing an app’s password and revoking login permission. However, the spyware tool can simply be redeployed, according to the leaked sales document.

Commenting on the NSO spyware reports in the FT, Matt Walmsley, EMEA Director at cybersecurity firm Vectra, said:

“This all comes down to an individual’s view on what is ethical, or what the legal use of these types of tools is exactly. They are neither good nor bad – just a capability that can be used. Do those who legitimately protect us need such tools? Almost certainly in some cases. Do we want oppressive regimes or parties to have access to them? Definitely not.

“There’s a deep, moral responsibility on organisations such as the NSO group who build and sell such tools. It is presently unclear whether there is any specific oversight on the sale and use of spyware technology; or any barriers for bad actors to overcome when trying to get access to it.”
