The NSO Group, the company behind the hack that forced Apple to release emergency iOS and Mac OS X updates to patch up the vulnerabilities, is just one of several firms that sell digital spying services, with governments and law enforcement agencies being the industry’s biggest customers.
Since the NSO Group was founded six years ago, it has mostly kept a low profile while offering products such as surveillance tools that can track all the activities of a target smartphone, including its location and contents.
However, the company’s name was brought to light due to security researchers catching NSO Group’s main spyware product, named Pegasus, attempting to gain access to the iPhone of United Arab Emirates human rights activist Ahmed Mansoor. A second target, a journalist in Mexico who wrote about the government’s corruption, was later discovered.
The New York Times has now acquired internal emails, contracts and commercial proposals of the NSO Group, which offers a deeper look into the workings of the company and all other firms operating within the digital surveillance industry.
According to the emails and documents, which were acquired by two sources who wish to remain anonymous in fear of reprisals, the NSO group is just one of dozens of companies that offer services that can track all the activities of a target device.
The companies, including the NSO Group, aggressively sell their services to governments and law enforcement agencies all over the world. The industry believes that their services are needed to be able to track criminals, with the corporate mission statement of the NSO Group being “Make the world a safe place.”
Ten sources who are familiar with the sales of the NSO Group said that the company has a strict internal process in place to determine whom it will sell its services to, with an ethics committee that is composed of employees and external parties. The committee checks potential clients based on human rights rankings that are set by global bodies such as the World Bank.
However, the sources added that so far, the NSO Group has not denied a sale to any potential customer. In addition, critics of the company and the wider digital surveillance industry note that spyware has been used to target human rights activists and journalists.
According to Bill Marczak, a senior fellow at Citizen Lab that analyzed the attempted hack on Mansoor, there is no check on the spyware. Once the NSO Group sells its software, the government or law enforcement agency that purchased it can use it for whatever purpose.
A price list of the NSO Group’s services shows why governments and law enforcement agencies are the industry’s biggest customers. To breach the security of 10 iPhones or Android-powered devices, the price tag is a whopping $650,000, which will come with a setup fee of $500,000. Adding 10 targets will cost another $150,000, 20 additional targets will be for $250,000, 50 more targets will cost $500,000 and 100 more targets will cost $800,000.
Pegasus is capable of extracting content such as GPS locations, text messages, calendar entries and emails from target devices. The software can use its “room tap” feature to allow the device’s microphone to collect all the sounds surrounding it, and can also use the device’s camera for screenshots and to take pictures. All the data that Pegasus acquires can then be sent to the server of the attacker in real time.