American diplomats' iPhones reportedly compromised by NSO Group intrusion software

The Apple iPhones of at least nine US State Department officials were compromised by an unidentified entity using NSO Group's Pegasus spyware, according to a report published Friday by Reuters. NSO Group in an email to The Register said it has blocked an unnamed customers' access to its system upon receiving an inquiry about …

  1. ShadowSystems
    Mushroom

    All I want for xmas

    is a ten metric tonne meteor to crash through the roof of their HQ & cause everything in 1KM to vapourize in a cloud of plasma.

    *Sigh*

    Damn my fantasies of deific grade smiting.

    Icon because it would be the shape of the cloud...

    1. Anonymous Coward
      Anonymous Coward

      Re: All I want for xmas

      Think how many nasty criminals buy Apple gear, and Apple is more than happy to get money from them.

      Or how many guns are produced knowing a lot of them will end up in the hands of criminals. How many weapons does the US routinely sell to governments that aren't democratic at all?

      Guns don't kill people, people do? That's true for spying devices as well. You can use microphones, cams and spyware to save lives or kill people...

      1. Anonymous Coward
        Anonymous Coward

        Re: All I want for xmas

        The vast majority of people who buy Apple products are not criminals.

        Your comparison to guns is more accurate.

        Expect blowback when the guns you sell are used to harm people who have the capability to blowback at you. Especially those who were supposedly your allies.

        1. hammarbtyp

          Re: All I want for xmas

          The only way to stop a bad guy with a root exploit is to have a good guy with a root exploit....

          That and other myths

      2. Anonymous Coward
        Anonymous Coward

        Re: All I want for xmas

        There is no legitimate use of drive by exploitation.

        Perhaps they should be free to sell these tools, but let's not pretend this is not a tool for authoritarian control.

        The appropriate analogy for this technology are shackles. *You* might only use them on "bad" people, but they are a tool of repression not liberation or defense.

        1. Anonymous Coward
          Anonymous Coward

          @sed gawk - Re: All I want for xmas

          Oh but it is, my dear friend. It is called user experience. It is this idiotic urge of developers to anticipate user needs and fulfill them even before the user realizes those needs.

    2. John Brown (no body) Silver badge

      Re: All I want for xmas

      So, you have no qualms about vaporising the innocent people in the immediate blast radius, as well as the many, many more deaths and injuries of innocents in the wider blast radius. Or is that just simple "collateral damage"?

      I'm sure you meant it in jest, but yeah, well...

      1. Anonymous Coward
        Anonymous Coward

        @John Brown (no body) - Re: All I want for xmas

        Collateral damage it is. This is a nice concept to show you care when in reality you don't give a damn.

    3. MacroRodent

      Re: All I want for xmas

      If American diplomats' phones indeed turn out to be hacked by NSO, you may get the next best thing: The U.S. government smiting NSO and its owners with sanctions.

    4. Intractable Potsherd
      Joke

      Re: All I want for xmas

      Which "their HQ"? There are so many deserving cases in the article, you need to be more specific!

      (Joke icon for the humour-deficient.)

    5. Furious Reg reader John

      Re: All I want for xmas

      Nothing to see here - pass along - ShadowSystems is only fantasising about the mass killing of Jews....

  2. theniginator

    So how did they know which of their naughty customers to cut off then.........???

    1. devin3782

      I'm going to go with yes, of course there will be a fingerprint or telemetry, there always is.

    2. Anonymous Coward
      Anonymous Coward

      If they're told enough about the target they can probably identify which customer of theirs it was.

    3. John Brown (no body) Silver badge

      "So how did they know which of their naughty customers to cut off then.........???"

      It also raises an interesting point. Once you know someone is a customer, can you DoS them simply by making a serious allegation?

      "Once the inquiry was received, and before any investigation under our compliance policy, we have decided to immediately terminate relevant customers’ access to the system, due to the severity of the allegations,"

      1. Anonymous Coward
        Anonymous Coward

        Weasel words.

    4. big_D Silver badge
      Facepalm

      We don't know who it was or which numbers they targeted, but we've blocked their use anyway...

      Sometimes the PR person should proofread these missives, before sending them out!

  3. This post has been deleted by its author

  4. Clausewitz 4.0
    Devil

    Quite convenient .. NSO is blocked on US (+1) numbers

    "NSO’s technologies are blocked from working on US (+1) numbers."

    Seems there is a good market opportunity for similar tools supporting US (+1) numbers.

    1. newyork10033

      Re: Quite convenient .. NSO is blocked on US (+1) numbers

      No doubt configured through an INI file with the option:

      known_enemy_of_usa=yes

  5. Winkypop Silver badge
    Coat

    You know you’re evil when…..

    Facebook are angry at you for spying….

    1. Abominator

      Re: You know you’re evil when…..

      Then it's got to be pretty bad what you are up to.

  6. lglethal Silver badge
    Trollface

    "it rejected 15 per cent of new business opportunities for the same reason."

    But the other 85% of customers with human rights problems were fine because they offered us more money...

    1. Anonymous Coward
      Anonymous Coward

      15% each time they filled in the form

      So... 15% of new business opportunities forgot to tick the "I'm not evil box".... the first time they tried to buy the software...

  7. buiv

    Why are American +1 numbers banned but every other nation's numbers are allowed?? Do those numbers have special immunity?? Or possible theory:- American 3 letter agencies funded the NSO group secretly to some extent and allowed them to sell the Pegasus program to countries they had deals with.

    1. Pseu Donyme

      I wondered about that too: whether snooping the mentioned miscreants with few allies is proper and legal surely cannot depend on the country code not being "+1".

      1. Someone Else Silver badge

        Or...the thing about not snooping on +1 numbers is pure and utter bollocks.

    2. skwdenyer

      Top terrorist tip: get a US mobile phone :)

      1. katrinab Silver badge
        Trollface

        Or a British Virgin Islands or Cayman Islands phone.

        There are 25 countries and territories in the North American Numbering Plan.

    3. The Man Who Fell To Earth Silver badge
      Black Helicopters

      Or

      The Israeli government told NSO they'd better not piss the US off too much, so have a blanket policy to ban +1 numbers and have a backway for "appropriate" customers to get exemptions.

    4. doublelayer Silver badge

      I suggest three alternatives more plausible (to me at least) than that the NSA and its ilk outsourced something we know they like to do themselves. In increasing order of likeliness:

      1. Israel supports them (obviously), so asked for a few countries to be left off the list unless they do an additional review.

      2. When they were claiming not to do any business in the U.S. to avoid a lawsuit, they added it themselves to use as an argument.

      3. They're lying and no such exception exists now or ever. These are criminals who aren't in court, so nothing prevents them from tossing out falsehoods.

    5. Anonymous Coward
      Anonymous Coward

      There's probably a .ini file that controls which numbers the software allows. I imagine that if you buy the software you can edit it to reconfigure to not attack +39 numbers instead of +1 numbers if you like.

    6. Kabukiwookie

      Not as if there's no precedent, with a company called Crypto AG in Switzerland:

      https://www.schneier.com/blog/archives/2020/02/crypto_ag_was_o.html

    7. big_D Silver badge

      More likely, Apple, Facebook and Google are incorporated in America. That means that if they are active in the US, they are an easier target to prosecute in the US...

      Although that no longer seems to be true, now that the US courts have rejected their alleged diplomatic immunity.

    8. hoola Silver badge

      Nah, much more simple, everyone who has a +1 number must be "good" and everyone else a potential baddie......

  8. Doctor Syntax Silver badge

    It seems the US govt need to make up their minds as to whether mobile phones are too secure or too insecure. It's no good complaining one thing on one occasion and the other on another: they're the same phones.

    1. Clausewitz 4.0
      Devil

      Offensive Technology

      Works like this:

      USA can control all the offensive technology and hackers able to produce them - mobile phones are too secure.

      USA CANNOT control all the offensive technology nor hackers able to produce them - mobile phones are too insecure.

  9. ThatOne Silver badge
    Devil

    Now *that* is a marketing campaign!

    > American diplomats' iPhones reportedly compromised by NSO Group

    Pure genius. I can't think of any better advertisement than that! I'm sure prospective clients are storming their offices by now.

    1. Version 1.0 Silver badge

      Re: Now *that* is a marketing campaign!

      I've never seen a story about a phone that can not be hacked. Even 50 years ago someone could climb up the pole and tape a couple of wires onto your phone line and record everything. Both Russia and America are reported to have hacked the transatlantic cables. Maybe we need to go back to the days of two cans and some wet string - at least then you can see anyone hanging another tin can on your string.

      1. Clausewitz 4.0
        Devil

        Re: Now *that* is a marketing campaign!

        I politely disagree. Nowadays we have technology to achieve that. Unfortunately such phones cannot be used as toys - weather apps, games apps, etc..

        But strictly for secure communication, yes, it can be done.

        1. CrackedNoggin Bronze badge

          Re: Now *that* is a marketing campaign!

          Said the man in the middle.

  10. Anonymous Coward
    Anonymous Coward

    Thou shall not spy on your allies

    unless WE do the spying, in which case it's not spying, it's pro-actively protecting our citizens against aggressive and illegal... etc, etc, etc.

  11. Anonymous Coward
    Anonymous Coward

    in other news

    the folk behind this spyware have recently announced they'll cut Polish gov 3-letter agencies access to this useful piece of soft (which the Polish government 'furiously' (cross my heart and hope to die) claimed not to possess and make use of, nosir, we would never, etc, etc.). Apparently the agencies have been tasked with spying on some media folk. Don't know why everybody feigns shock and indignation though, it's not unusual for most, if not all govs to be double-faced liars.

    1. Clausewitz 4.0
      Devil

      Re: in other news

      So it was the Polish 3-letter agencies doing the diplomatic snafu.

      Now I understand why the Americans freak out on the slightest possibility of not having the best tools available for them to operate.

      And how much Israelis are lap-dogs of USA.

      In-House tools solve all that for everyone.

  12. Nifty Silver badge

    NSO statement: "Fact: Data is collected only from individual, pre-identified suspected criminals..."

    So the NSO is publicly labelling 9 diplomats as suspected criminals?

    1. Clausewitz 4.0
      Devil

      Maybe NSO can rebrand and just say:

      - Folks, come all of you aboard ship, we can target Mother Teresa if you like to - NSO tools are just plain old fashioned (new tech) international espionage

      * I am not quite certain of the legal consequences they may face doing that, being a company and not part of the government or military

      1. First Light

        That would be some pretty impressive tech since Mother Teresa has been dead since 1997 . . .

    2. big_D Silver badge

      And the French President.

      When it first broke, they claimed it was only used to spy on terrorists, drug traffickers and paedophiles... I assume that NSO executives would face slander charges, if they set foot on French soil...

  13. Abominator

    Have been reading around about their tools. One of their zero days was sending a zip file over iMessage, which was then without clicking opened by the OS and scanned. Inside was a script which then ran and downloaded malware and installed itself.

    The problem these days is software tries to do too many things. It's like the animated messages you can buy packs of. I have no choice and something gets sent to me and is run on my phone. The sandboxes for these Web 2.0 are completely lacking.

    1. ThatOne Silver badge
      Flame

      Think of all those @%#& "developers" who are convinced "web apps" are a good idea, when their only use is to better hack people.

      To create sandboxes (which would be quickly bypassed anyway) you first need to be aware of the risks, and "web app" lovers are totally oblivious. Their main argument is "yes, but shiny!"

      Toddlers unite! Fight for your right to play with fire!

  14. Aussie Doc
    Facepalm

    Hmmm

    "...criminals and pedophiles."

    Say what?

    1. Ken G Silver badge
      Trollface

      Re: Hmmm

      If you're trying to hide from the government, you must be doing something filthy!
