
iCloud, Facebook And Google Clouds Can All Be Hacked By Israeli Spyware



Israeli spyware from shadowy NSO has made plenty of headlines this year, most recently back in May when it was exposed as the culprit in a high-profile WhatsApp hack that had enabled nation-states to target specific phones, installing spyware through voice calls on both iPhone and Android devices whether or not a user answered an infected call.


That hack was first exposed by the Financial Times, and the same newspaper has continued to investigate, publishing a report today (July 19) that exposes sales claims being made by NSO that "its [Pegasus] technology can surreptitiously scrape all of an individual’s data from the servers of Apple, Google, Facebook, Amazon and Microsoft."

NSO has continually denied that it promotes mass-surveillance or unethical hacking, but, according to the FT, "it did not specifically deny that it had developed the capability," described in documents seen by the newspaper.


Put simply, the latest revelation suggests that an infected phone will provide NSO's software with the authentication keys for the cloud services—including Google Drive, Facebook Messenger and iCloud—that can be accessed by that device. And given that smartphones have now become the individual entry points into our cloud-based world, the implications of this will raise serious concerns. The FT cites a claim in one of the sales documents that this all happens without "prompting 2-step verification or warning email on a target device."


NSO's Pegasus software has been described as the most sophisticated smartphone spyware of its kind and has become a highly-prized export for the Israeli government to help the company market to foreign states. The fact that Israel has been accused of allowing sales of the technology to countries like Saudi Arabia and the UAE carries geopolitical interest given the context and the developing situation in the Middle East.

Now, this latest report suggests that compromising data on a phone or using the phone as an eavesdropping endpoint is not enough. The phone can be hacked to such an extent that it provides the keys to the entire digital kingdom—the cloud-based ecosystem within which it operates.


According to the FT, Amazon claimed there was no evidence of such a hack having access to its systems, but assured—as did Facebook—that it would review the claims. Microsoft and Apple responded with assurances around the continually developing security features on their platforms. Google didn't comment.


Meanwhile, NSO itself told the newspaper that "we do not provide or market any type of hacking or mass-collection capabilities to any cloud applications, services or infrastructure."


But the FT cites an NSO sales pitch, seen by the newspaper and prepared for the Ugandan government, which claimed that "having access to a 'cloud endpoint' means eavesdroppers can reach 'far and above smartphone content', allowing information about a target to 'roll in' from multiple apps and services."


Smartphone compromises have been a continual theme this year, with malicious apps lurking in the Google Play Store, the NSO WhatsApp vulnerability, an Android media jacking hack hitting both WhatsApp (again) and Telegram and even the current FaceApp "something from nothing" controversy.


State-level hacking, though, is on an entirely different level. The sophistication applied by the governments of China, Russia, Iran and North Korea goes way beyond what is seen in the mass market, which in the main targets financial information, login credentials and user carelessness. With NSO, there is a productized state-level hack and that is why it causes so much concern. The targets of such hacks are significantly better protected than casual smartphone users.


In May, Amnesty International (along with other human rights groups) filed a lawsuit in Israel to revoke NSO's export license. The groups cited allegations that NSO software had been used by oppressive regimes to target human rights activists and journalists—including its use by Saudi Arabia on murdered journalist Jamal Khashoggi. NSO denies that its software played any part in tracking Khashoggi—the company’s CEO Shalev Hulio claimed that "Khashoggi was not targeted by any NSO product or technology, including listening, monitoring, location tracking and intelligence collection."


There has always been a risk associated with the integration of cloud platforms and multiple endpoints. And this is it. If I trust a device to access an entire online world, if the device is compromised then so is the security associated with that entire world. The cloud platforms have played down the exposure here. But you can bet that behind the scenes there will be some serious meetings and planning sessions in California and Seattle later today.



This topic is now archived and is closed to further replies.
