Many of us use our phones without living in constant fear that our personal data could be stolen, but a new report should be a big eye-opener for many, including big tech.
The claim is that an authentication technique used by almost every major cloud service can easily be bypassed by a tool built by an Israeli company that has been surrounded by controversy over its ethics.
Earlier this year, news broke that a vulnerability in WhatsApp allowed a spyware tool to be injected into phones with a simple call that would not need to be answered and also would not leave any trace.
The software was built by a secretive Israeli firm called NSO Group, which is also behind the infamous Pegasus spyware and has a history of selling tools of this kind to governments and intelligence agencies.
A new report from the Financial Times says the very same company that was essentially selling the keys to our digital lives has been touting new capabilities for its flagship spyware tool, Pegasus, to potential buyers. Where it was previously only able to harvest data from the phone’s storage, it can apparently now steal a user’s data from accounts on Apple, Microsoft, Facebook, Amazon, and Google’s cloud services.
The spyware tool is said to have received a significant upgrade that allows it to access things like location history, archived messages, and other online data not synced to the phone. While it is not clear exactly how this is achieved, FT speculates that once Pegasus is on the target phone, it is able to essentially clone the authentication keys of services like Facebook Messenger and Google Drive and sync them with a surveillance server, which can then imitate the phone to a tee, location included.
This is not as benign as the Bluetooth vulnerability that was recently disclosed by Boston University engineers. While that one has an easy fix, the vulnerability exploited by the latest Pegasus iteration appears to be related to authentication techniques that are widely used in the industry.
NSO Group denied the accusations that it promoted mass surveillance tools, maintaining that its software is an important asset for responsible governments, but also did not deny that Pegasus is able to extract data from cloud accounts.
All five companies have so far offered generic statements that they are not aware of any breach and that they are continually working on security. Apple did acknowledge the existence of tools capable of targeting a “small number” of devices, but the company does not believe they can be used on a large scale. Even so, it should worry companies like Microsoft, which make a significant portion of their revenue from cloud services.
FT noted that documents they received offered a simple fix to prevent Pegasus from being effective, requiring changing your app password
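As an added illustration, not from the FT report or any vendor's code, the following toy session store (Python, with assumed names) shows why a password change defeats a copied token: the service binds each token to a per-account credential generation and bumps that generation when the password changes, so the copy fails verification even when the device it came from is imitated perfectly.

```python
import base64, binascii, hashlib, hmac, json, secrets


class AccountSessionStore:
    """Toy service-side session store (hypothetical, for illustration).

    Tokens are HMAC-signed and carry the account's credential generation; a
    password change bumps it, so a copied token stops verifying even when the
    device it was lifted from is imitated perfectly, location and all.
    """

    def __init__(self, server_key: bytes):
        self._key = server_key
        self._generation = {}  # account -> current credential generation

    def issue_token(self, account: str) -> str:
        gen = self._generation.setdefault(account, 0)
        claims = {"acct": account, "gen": gen, "nonce": secrets.token_hex(8)}
        body = json.dumps(claims, sort_keys=True).encode()
        sig = hmac.new(self._key, body, hashlib.sha256).digest()
        return "%s.%s" % (base64.urlsafe_b64encode(body).decode(),
                          base64.urlsafe_b64encode(sig).decode())

    def verify_token(self, token: str):
        """Return the account the token grants access to, or None if rejected."""
        try:
            body_b64, sig_b64 = token.split(".")
            body = base64.urlsafe_b64decode(body_b64.encode())
            sig = base64.urlsafe_b64decode(sig_b64.encode())
        except (ValueError, binascii.Error):
            return None
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None  # forged or tampered token
        claims = json.loads(body)
        if claims["gen"] != self._generation.get(claims["acct"]):
            return None  # issued before the last password change: revoked
        return claims["acct"]

    def change_password(self, account: str):
        # Real password hashing is omitted; the mitigation is the generation bump.
        self._generation[account] = self._generation.get(account, 0) + 1


def demo():
    # Constructed scenario: a token copied off the phone, then a password change.
    store = AccountSessionStore(secrets.token_bytes(32))
    copied = store.issue_token("alice")
    before = store.verify_token(copied)  # "alice": the copy works like the phone
    store.change_password("alice")
    return before, store.verify_token(copied)  # (..., None): the copy is dead
```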