What you need to know
- The maker of spyware that was used to target the phones of journalists, activists, and politicians has denied responsibility.
- It says that if customers misuse its products then they are to blame.
- It also says recent reports are part of a coordinated media campaign and are erroneous.
NSO Group, the company behind Pegasus, spyware that was allegedly used to target the phones of journalists, activists, and politicians, has said that its customers are to blame for the "misuse" of its products.
Background
Earlier this week it was reported that Pegasus was being used to target thousands of devices. From our explainer:
Pegasus is spyware that's maintained and licensed by a company called NSO Group to nation-states and used by the operatives of those nation-states to extract information from iPhones and Android phones and to track and monitor the people using them. Amnesty International and Forbidden Stories, working with a consortium of over a dozen world news outlets including The Washington Post and The Guardian, released a series of coordinated reports over the weekend, basically accusing NSO of being less than forthright about who exactly is using their Pegasus spyware, and how much it's really being used. In other words, they're handing out cyber guns without really checking cyber IDs or running basic background checks. And maybe not just by the hundreds or thousands, but by the tens of thousands.
According to the report authoritarian regimes had used Pegasus to target activists, diplomats, politicians, and more. At the time of the report the company said it had no access to the data of customer targets nor did it operate its own technology, simply licensing it "vetted government customers". The story was of particular note to iPhone users because it was installed on iPhones running iOS 14.6 using a zero-click exploit, which means it can be installed without any user input.
Now, the company has hit back strongly against criticism in wake of the report.
Denial
In comments made to the BBC NSO group said that there were issues with the story. Firstly the list of 50,000 potential targets was reportedly taken from an NSO Group server in Cyprus, but the company says it doesn't have any servers there. A spokesman said:
"And secondly, we don't have any data of our customers in our possession. And more than that, the customers are not related to each other, as each customer is separate. So there should not be a list like this at all anywhere. And the number of potential targets did not reflect the way Pegasus worked. It's an insane number... Our customers have an average of 100 targets a year. Since the beginning of the company, we didn't have 50,000 targets total."
Responsibility
NSO Group also states that regardless, it can't be held responsible for the actions of its customers, reportedly telling the BBC "If I am the manufacturer of a car and now you take the car and you are driving drunken and you hit somebody, you do not go to the car manufacturer, you go to the driver. We are sending the system to governments, we get all the correct accreditation and do it all legally. You know, if a customer decides to misuse the system, he will not be a customer anymore. But all the allegations and all the finger-pointing should be at the customer."
Statement
The company has also posted a statement on its website titled Enough is Enough which states:
In light of the recent planned and well-orchestrated media campaign lead by Forbidden Stories and pushed by special interest groups, and due to the complete disregard of the facts, NSO is announcing it will no longer be responding to media inquiries on this matter and it will not play along with the vicious and slanderous campaign.
The company reiterated that "the list" was not a list of targets or potential targets, nor that the numbers in the list were related to NSO group. The company also says "any claim that a name in the list is necessarily related to a Pegasus target or Pegasus potential target is erroneous and false."
NSO group also said it would thoroughly investigate "any credible proof of misuse of its technologies", shutting down the system where necessary. For its part, Apple says it "unequivocally condemns cyberattacks". In a statement provided to iMore Apple's head of Security Engineering and Architecture Ivan Krstic said:
Apple unequivocally condemns cyberattacks against journalists, human rights activists, and others seeking to make the world a better place. For over a decade, Apple has led the industry in security innovation, and, as a result, security researchers agree iPhone is the safest, most secure consumer mobile device on the market. Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.
