Yeah, you should worry about the booming spyware industry
Surveillance tools like Pegasus are currently aimed at high-profile targets — we might be next
How Pegasus works
Pegasus is regarded as themost advanced spywareon the market. It can infiltrate victims’ devices without their even having to click a malicious link – a so-called “zero-click attack”. Once inside, the power Pegasus possesses to transform a phone into a surveillance beacon is astounding.
It immediately sets to work copying messages, pictures, videos and downloaded content to send to the attacker. As if that’s not insidious enough, Pegasus can record calls and track a target’s location while independently and secretly activating a phone’s camera and microphone. With this capability, an infected phone acts like a fly on the wall, seeing, hearing and reporting back the intimate and sensitive conversations that itwatches continuously.
There’s previous evidence of Pegasus misuse. It was implicated in thealleged hackingof Jeff Bezos’ phone by the crown prince of Saudi Arabia in 2018. The following year, it was revealed that severalIndian lawyers and activistshad been targeted by a Pegasus attack via WhatsApp.
The new revelations suggest that Pegasus was used to watch Mexico’s president Andres Manuel Lopez and50 membersof his inner circle – including friends, family, doctors, and aides – when he was an opposition politician. Pegasus has also been linked to thesurveillance of Rahul Gandhi, the current political rival to Indian prime minister Narendra Modi.
A Pegasus infiltration has also nowbeen foundamong phones belonging to the family and friends ofmurdered journalistJamal Khashoggi, and there are indications that Pegasus may also have beenused by a Mexican NSO clientto target the Mexican journalist Cecilio Pineda Birto, who wasmurderedin 2017.
Spyware industry
Although the power of Pegasus is shocking, spyware in its various forms is far from a new phenomenon. Basic spyware can be traced back tothe early 1990s. Now it’s abooming industrywith thousands of eager buyers.
At the base of the spyware industry are the lesser snooping tools, sold for as little as $70 (£51)on the dark web, which can remotely access webcams, log computer keystrokes and harvest location data. The use of such spyware bystalkers and abusive partnersis a growing, concerning issue.
Then of course there’s theglobal surveillance estatethat Edward Snowden lifted the curtain on in 2013. His leaks revealed howsurveillance toolswere being used to amass a volume of citizens’ personal data that seemed to go well beyond the brief of the intelligence agencies using them.
In 2017, we also learned how a secret team of elite programmers at the US National Security Agency had developed an advanced cyber-espionage weapon calledEternal Blue, only for it to be stolen by the hacker collective Shadow Brokers andsold on the dark web. It was this spyware that would later be used as the backbone of the infamous 2017Wannacry ransomware attack, whichtargeted the NHSand hundreds of other organizations.
Why Pegasus is different
When the Snowden leaks were published, many were shocked to learn of the scale of surveillance that digital technologies had enabled. But this mass spying was at least developed and conducted within state intelligence agencies, who had some legitimacy as agents of espionage.
We’re no longer debating the right of the state to violate our own rights to privacy. The Pegasus revelations show we’ve arrived in a new, uncomfortable reality where highly sophisticated spyware tools aresold on an open market. To be under no illusion, we’re referring here to an industry of for-profit malware developers creating and selling the same types of tools – and sometimes the very same tools – used by “bad hackers” to bring businesses and government organizations to their knees.
In the wake of the Pegasus revelations, Edward Snowden has called for aninternational spyware ban, stating that we’re moving towards a world where no device is safe. That will certainly be the case if Pegasus meets the same fate as Eternal Blue, with its source code finding its way onto the dark web for use by criminal hackers.
We’ve only just begun to fully contemplate the full implications of Pegasus on our collective privacy and democracy. Without transparency, we have no sense of how and under what circumstances Pegasus is licensed, who has authorization to use Pegasus once it’s licensed, under what circumstances a license may be revoked, or what international regulations are in place to police against its abuse. Evidence suggests that Pegasus has been misused and greater accountability and oversight is needed. We must also seek to rekindle important debates around enforceable controls on the creation and sale of corporate spyware. Without this, the threat that Pegasus and future spyware tools pose to privacy will not be limited to the high-profile targets that have so far been revealed, but will be a threat to us all.
This article byChristian Kemp, Lecturer, Criminology,Anglia Ruskin University, is republished fromThe Conversationunder a Creative Commons license. Read theoriginal article.
Story byThe Conversation
An independent news and commentary website produced by academics and journalists.An independent news and commentary website produced by academics and journalists.
Get the TNW newsletter
Get the most important tech news in your inbox each week.
