WASHINGTON – Mysterious text messages had been popping up on Mexican investigative journalist Rafael Cabrera’s iPhone, but he didn’t take the bait. The messages contained links that, if clicked, would have turned his phone into a surveillance tool, similar to a digital ankle bracelet, that would transmit his every move, email, and contact list entry.
The spyware scandal that rocked Apple this week brought only bad news for dissidents, investigative journalists, and human rights activists in the sights of meddlesome governments, as their cellular phones are potentially their worst enemies.
According to cyber experts, NSO Group, a company from Israel, created spyware that allowed remote operators to seize virtual control of iPhones and iPads. Once a phone was seized, the operators could listen to all of its owner's conversations, intercept all the data on the phone and even activate cameras and microphones at will.
The spyware allows an attacker to take complete control of an iPhone or iPad if the user clicks on any of the links just once. No indication is given when the device is infected. The attacker can observe and control every activity once the device is infected.
A security update was released quickly by Apple in reaction to the spyware to address the vulnerabilities. iPhone users can download the patches onto their Apple devices running the iOS operating system. According to an estimate, about 1 billion users are currently using these devices. Experts are of the opinion that sophisticated spyware can now be put in the hands of leaders of even the most backwater nations.
The NSO Group was formed in 2010 in Herzliya, near Tel Aviv. According to peerlyst.com, a portal for information security professionals, NSO Group has done business in Mexico, Panama and the United Arab Emirates. It also retains internet domains in Turkey, Thailand, Qatar, Kenya, Uzbekistan, Mozambique, Morocco, Yemen, Hungary, Saudi Arabia, Nigeria and Bahrain.
The company is a pillar in the industry of “lawful intercept” software that is prized by government agencies whose task it is to maintain stability, combat crime and fight terrorism. According to an estimate, such surveillance software can cost more than $1 million, but the capabilities it brings for governments make it a bargain.
Eva Galperin, global policy analyst for the Electronic Frontier Foundation, commented that even though the surveillance software is expensive, it is “pocket change for a government entity.” The Electronic Frontier Foundation is a nonprofit in San Francisco that champions free expression and civil liberties in the digital world.
Galperin also stated that the United Arab Emirates does not treat its dissidents very well. Even when lawful intercept software is sold to the UAE, it will not be used to send milk and cookies to the targets.
Cabrera works for a digital news portal called Aristegui Online that has been a perpetual thorn in the side of President Enrique Peña Nieto, leader of the Institutional Revolutionary Party, which has an authoritarian past.
Peña Nieto was rankled in 2014 when the site reported that a $7 million mansion had been built by a major government contractor to the design specifications of the first lady. Earlier in 2016, it was found that the contractor had sought to hide $100 million in assets in offshore companies. Then last weekend, Aristegui Online reported that around 30% of Peña Nieto’s 1991 undergraduate law thesis had been plagiarized.
In mid-2015, Cabrera began getting text messages on his iPhone. With the passage of time, the messages became more and more personal in an effort to have him click on the links in those messages so his phone could be infected.
The links for Cabrera were as clever and evil as they could get, said Geoffrey King, who is a lawyer and technology program coordinator for the Committee to Protect Journalists. One of the first messages he received mentioned the “white house” scandal, which involved the first lady. Another message said that those behind the Aristegui report would be sued for defamation, and yet another stated that the reporters might be jailed while an investigation unfolded. These messages spoofed an address for a new television network and contained a hyperlink.
Some of the later text messages Cabrera got on his iPhone addressed him by his nickname ‘Rafa.’ These messages stated that he owed money on his cellular account and also offered him credit with Uber, the ride-sharing service. Another text message he received was quite vulgar, asking him if he wanted to see his partner having sex with another person. The message had a link for the supposed video. It would have been game over for him had he clicked on any of those links, said King.
According to Cabrera, other members of the Aristegui Online team also received similar messages. It is not known who was behind the surveillance scheme, but according to an expert, it seems that the NSO Group surveillance spyware had been sold to governments all over the world.
According to a San Francisco cyber-forensics firm that took part in uncovering the NSO spyware, NSO Group had been sold for $110 million to Francisco Partners, a private equity firm, in 2014.
Given that kind of high valuation, it’s highly likely that it is being widely used around the world, said Edin Omanovic, a research officer at Privacy International, a charity in London that opposes unlawful and intrusive surveillance.
Researchers who found the spyware stated that it had three chains of ‘zero-day exploits.’ Major vulnerabilities are so named because the problem is immediate, giving the software engineers zero days to fix it.
Uncovering such coding flaws is very expensive, and they are rare for a company like Apple, as Apple is very good at security. However, despite the vulnerabilities, those using Apple should not give up using their devices if they can afford them. Once a security update is downloaded onto the device, it appears to be safe again.
Apart from Mexico, Panama bought surveillance equipment from NSO Group for $6 million to $8 million. During his 2009-14 term, President Ricardo Martinelli’s administration bought surveillance platforms to intercept cellular phones. The resulting espionage scandal, which targeted some 150 of Martinelli’s political opponents, led Martinelli to flee Panama early last year. In December last year, a high court judge ordered his arrest, but his whereabouts have not been known since then.
According to King, the use of sophisticated spyware for cellular phones may prove in the future to be simply too tempting for many national leaders to resist. Considering the petty grudges governments hold, it seems quite frightening.