How The Pegasus Spyware Worked
AILSA CHANG, HOST:
This week brought an explosive investigation from The Washington Post and a consortium of media partners dubbed the Pegasus Project. It gets its name from a controversial spyware called Pegasus, and their investigation linked Pegasus and its vendor, the Israel-based NSO Group, to thousands of phone numbers and dozens of devices belonging to international journalists, human rights activists and heads of state. Today, we wanted to explore some of the details of how this spyware works. Drew Harwell, a technology reporter for The Washington Post, joins us now to explain. Welcome.
DREW HARWELL: Thanks for having me.
CHANG: So first, can you just tell us about this company, NSO Group? What products, what services do they offer, and who are their clients mainly?
HARWELL: Their product is spy tools, and their customer is governments around the world. And what they sell is one of the most powerful spyware tools that we know about. It can effectively take over the phone of pretty much anybody they want to target. Your contacts, your call logs, even your cameras and microphones become data devices for whoever has targeted you.
CHANG: OK, this is sounding really scary. How did Pegasus actually work on the specific devices that your investigation looked into?
HARWELL: Pegasus works in a really uniquely scary way, because it relies on something called zero-click hacking. A lot of the traditional spyware requires you to click on a spammy (ph) link, right? You get a bad text or an email. You open a document, and you give your computer away. Zero-click means you don't have to do anything and you can still be made vulnerable. And one scary thing from our investigation was that Apple iPhones - even if you were all the way updated, you had the newest generation of iPhone, you could still be vulnerable. We ran tests that found forensic evidence of actual hacks of these updated devices. So Pegasus really is a symbol of how scarily sophisticated the spyware industry has become.
CHANG: Yeah. I mean, we should note that the CEO of NSO Group, Shalev Hulio, has denied that his company or any software that his company has created had anything to do with the many phone numbers on the list compiled by the reporters in the Pegasus Project. NSO has also said that its product can't target phones in the U.S. Is that last part true? Do you know? Has NSO ever successfully hacked a U.S. phone?
HARWELL: Not that we know of. And that is what they say, but we do know from this big list of 50,000 numbers that some of those numbers were plus-1 U.S. country codes. And so, you know, we can tell that there have been instances where these American numbers have been added on to this potential, you know, list, where along the way, surveillance could happen down the road.
CHANG: So, Drew, is there a way for an average person to look at their phone or other device and to be able to tell that there's spyware on it?
HARWELL: The sad answer is no. And for certainly a lot of the people we talked to, this was a huge surprise to them, right? They thought they had been careful, and yet this spyware can so effectively work behind the scenes to take the sensitive data. And there's just no easy way to figure it out.
CHANG: That is Drew Harwell, technology reporter for The Washington Post and one of the journalists on the Pegasus Project. Thank you very much.
HARWELL: Thank you.
CHANG: And this week, NPR reached out to NSO Group's Shalev Hulio as well, but we haven't yet received a response.
(SOUNDBITE OF MUSIC)
Transcript provided by NPR, Copyright NPR.