The Israeli company whose spyware hacked WhatsApp has told buyers its technology can surreptitiously scrape all of an individual’s data from the servers of Apple, Google, Facebook, Amazon and Microsoft, according to people familiar with its sales pitch.
NSO Group’s flagship smartphone malware, nicknamed Pegasus, has for years been used by spy agencies and governments to harvest data from targeted individuals’ smartphones.
But it has now evolved to capture the much greater trove of information stored beyond the phone in the cloud, such as a full history of a target’s location data, archived messages or photos, according to people who shared documents with the Financial Times and described a recent product demonstration.
The documents raise difficult questions for Silicon Valley’s technology giants, which are trusted by billions of users to keep critical personal information, corporate secrets and medical records safe from potential hackers.
NSO denied promoting hacking or mass-surveillance tools for cloud services. However, it did not specifically deny that it had developed the capability described in the documents.
The company has always maintained that its software, which is designated by Israel as a weapon, is only sold to responsible governments to help prevent terrorist attacks and crimes. But Pegasus has been traced by researchers to the phones of human rights activists and journalists around the world, raising allegations that it is being abused by repressive regimes.
The new technique is said to copy the authentication keys of services such as Google Drive, Facebook Messenger and iCloud, among others, from an infected phone, allowing a separate server to then impersonate the phone, including its location.
This grants open-ended access to the cloud data of those apps without “prompting 2-step verification or warning email on target device”, according to one sales document.
It works on any device that Pegasus can infect, including many of the latest iPhones and Android smartphones, according to the documents, and allows ongoing access to data uploaded to the cloud from laptops, tablets and phones — even if Pegasus is removed from the initially targeted smartphone.
One pitch document from NSO’s parent company, Q-Cyber, which was prepared for the government of Uganda earlier this year, advertised the ability of Pegasus to “retrieve the keys that open cloud vaults,” and “independently sync-and-extract data”.
Having access to a “cloud endpoint” means eavesdroppers can reach “far and above smartphone content” allowing information about a target to “roll in” from multiple apps and services, the sales pitch claimed. It is not yet clear if the Ugandan government purchased the service, which costs millions of dollars.
Security teams at the Silicon Valley companies potentially affected are now investigating the method, which appears to target the industry-wide authentication techniques that have until now been thought to be secure.
Amazon said it had found no evidence its corporate systems, including customer accounts, had been accessed by the software, but said it would “continue to investigate and monitor the issue”. Facebook said it was “reviewing these claims”. Microsoft said its technology was “continually evolving to provide the best protections to our customers” and urged users to “maintain a healthy device”.
Apple said its operating system was “the safest and most secure computing platform in the world. While some expensive tools may exist to perform targeted attacks on a very small number of devices, we do not believe these are useful for widespread attacks against consumers.” The company added that it regularly updates its operating system and security settings.
Google declined to comment.
“This has got to be a serious wake-up call for a lot of companies,” said John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab, who has been following the use of Pegasus. He said it “accelerates the need for stronger forms of device authentication”.
A spokesperson for NSO said: “We do not provide or market any type of hacking or mass-collection capabilities to any cloud applications, services or infrastructure.”
Meanwhile, the $1bn company faces lawsuits in Israel and Cyprus that allege that it shares liability for the abuse of its software by repressive regimes.
In May, the FT reported that the company used a vulnerability in Facebook’s WhatsApp messaging system to insert Pegasus on smartphones. WhatsApp has closed the loophole and the US Department of Justice is investigating.
Following those revelations, Novalpina Capital, the UK private equity group that owns a large stake in NSO, pledged to reform its business practices and “establish a new benchmark for transparency”, but has yet to release further details.
The number of people whose cloud accounts may have been targeted by the latest alleged technique is not yet known. One of the pitch documents offered an old-fashioned way to thwart this kind of eavesdropping — changing an app’s password and revoking its login permission. That cancels the viability of the replicated authentication token until, according to the document, Pegasus is redeployed.
Additional reporting by Patrick McGee in San Francisco