- Constanze Kurz, netzpolitik.org, Germany
- Adam Haertlé, Zaufana Trzecia Strona, Poland
- Bill Marczak, Citizen Lab, Canada
In the meeting, the Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware elected Raphaël Glucksmann as a fourth Vice-Chair.
As Adam Haertlé explained, with Pegasus an attacker becomes an omnipotent administrator of the taken-over device. The operator steals the identity of the victims. Authentication cookies can be used to break into social network accounts held on a phone.
This is also confirmed by Bill Marczak, whose Citizen Lab has already analyzed numerous cases of Pegasus operations. In the case of encrypted messengers such as WhatsApp or Signal, this can be used to bypass what is actually a tap-proof connection. Attribution of the infections is challenging, but possible, he said. It is done by analyzing clusters of attacks that give clues that the same operator may be behind them. Technically, however, it is almost impossible to track whether the attacker is actually a government. NSO also set up proxy servers for its customers, through which Pegasus forwarded data from the spied-out phones. Together with information from leaked NSO contracts, a picture emerges. Do these proxy servers possibly have other functions? Police agencies and intelligence services in almost all EU countries are NSO customers, he said. After the insolvency of the German state Trojan manufacturer FinFisher, the Israeli company enjoyed a virtual monopoly in the EU states.
It is possible to manipulate the entire phone, added Kurz. In the meantime, a lucrative market has emerged for the trade in security vulnerabilities, which manufacturers like NSO exploit. In addition to iPhones, Android phones are similarly affected, she said. Parliamentarians should also look at relevant companies about which less is known. It is also better to focus on niche products to defend against such attacks, she said.
At Apple, 90 percent of the market for iPhones is accounted for by only about 15 devices, Haertlé explained. That’s why it’s easier for companies like NSO to develop attack weapons for them, he said. With Android, he said, there are many more different devices and operating system versions to tailor mercenary spyware to. He himself has not yet seen a Pegasus variant for the Android operating system. However, the latest, expensive models from Samsung are mentioned in NSO advertising brochures as being infectable. Maintenance and quality assurance are also necessary, which leaves traces. Fingerprints can be found, for example, which can be traced back to command & control servers rented from cloud providers. The software is especially interesting for countries that don’t have the resources to build their own, he said. Officially, NSO sells its Pegasus licenses only to governments, Haertlé said. In Mexico, however, they could have ended up in the hands of mafia groups. The NSO Group knows more about this. Tapped data could also run through the company’s servers, even if the company denies this.
See the stream of today's hearing here.