Further state surveillance capabilities in the arsenal of Israel’s NSO Group, recently in the news for bugging WhatsApp to spy on users, are revealed in a report by the Financial Times.
In a product demonstration to the government of Uganda earlier this year, NSO’s parent company Q-Cyber has claimed that its technology can secretively harvest individual user data from the servers of the big five tech giants -- Google, Apple, Amazon, Facebook and Microsoft.
According to the FT report, the Pegasus malware works on any device it can infect, including many of the latest iPhones and Android smartphones. Pegasus offers continuous access to data uploaded to the cloud from laptops, tablets and phones — even if it is removed from the infected device, said the report.
Although NSO Group repeatedly stated that it never promoted hacking or mass-surveillance tools, Pegasus has been found in the smartphones of human rights activists and journalists across the globe.
That governments solicit snooping tech from private players is no surprise, said Mike Beck, global head of threat analysis at Darktrace in an email to SC Media UK. "It stands to reason that national governments who are not equipped with large national intelligence budgets will look to the private sector to provide this capability," he said.
Ernest Aduwa, criminal defence lawyer at Stokoe Partnership Solicitors, agrees. Adding: "Governments are supposed to use this technology. It comes as no surprise that this capability is being developed and is being promoted the way it is."
Trouble happens when these private vendors start selling the same stuff out in the market, said Beck. "In the wrong hands, we could see this malware used to collect intelligence on average citizens and even used against nation-states, as part of cyber-warfare," he warned.
"It is better that it is promoted and that the public are aware of it than having clandestine organisations," Aduwa suggested. "The greater the awareness of the surveillance threat, then the greater the ability to protect against surveillance will be."
The report puts into question the security claims of global tech leaders Facebook, Apple, Google, Amazon and Microsoft among others. Amazon, Google and Apple maintains that their data was never breached.
"The likes of Apple, Google and Facebook will need to demonstrate that they can identify security threats and intervene rapidly, before user data is breached," said Beck.