Comment on FT/NSO/Cloud Article July 19th 2019

650 words, 2½ minutes.

Article

Financial Times article “Israeli group’s spyware ‘offers keys to Big Tech’s cloud’”, Mehul Srivastava in Tel Aviv and Tim Bradshaw in London, July 19th 2019.

https://www.ft.com/content/95b91412-a946-11e9-b6ee-3cdf3174eb89

Comment

This comment is provided on the basis that the article is factually correct and the details within are technically accurate.

The article claims to describe a recent product demonstration of the Pegasus Malware software by NSO Group:

  • The article explains that a targeted user’s smartphone is compromised by NSO software.
  • The cloud services login information is then copied from the phone.
  • That information is used by NSO to access that user’s cloud data from remote servers controlled by NSO.
  • The user is not alerted or prompted about this access, even if they have enhanced security enabled, like 2FA (SMS notifications).
  • The cloud information, which could be messages, photos, files, can then be accessed by NSO clients at any time.

The FT story frames this as a problem with cloud services, but the root of the problem is the vulnerability of modern smartphones and the applications we use on them. If someone controls your device, they have access to everything the device has access to.

Smartphones and their applications are vulnerable to attack from malware. We saw recently quite how vulnerable they can be, when a security flaw in the WhatsApp application could be used to inject bad software into the phone without the user having to lift a finger.

That story by the same author is here: https://www.ft.com/content/4da1117e-756c-11e9-be7d-6d846537acab

If someone can take control of your smartphone then generally they will have access to the cloud services you use with it. What makes this story more interesting is that access to your cloud data can continue at the hacker’s convenience, no matter what you do with your phone afterwards, even if you delete the applications or switch the phone off.

I would make 2 points about this:

  1. Both the smartphones themselves and the applications installed on them need to be designed and built with more attention paid to security, in particular to what we call “modes of failure”. This is where the designers of these products plan for security failures and think about not just how to avoid them but also how to contain them when they happen. The failure of 1 application should not lead to the compromise of the entire phone and all the user’s data across all the services they use. The challenge for the developers of these products is to do this without making those products difficult and tedious to use. Nobody likes having to enter their password constantly or to be interrupted in some way when trying to use their phone. This is particularly true for mobile devices, which are all about convenience.

  2. Most people are not a target for the clients of NSO Group. For most users conducting their personal business and social life on their phone, NSO and their clients are not what we call an appropriate Threat Model. Of course, if you are conducting secret business, or work for or against a government, or if you are a criminal, then you have a different Threat Model. In that case, you should be taking more care with your information. You will be prepared to put up with some inconvenience in order to have more security.

Finally, the cloud providers will now make improvements to the methods they use to try and detect anomalous activity (such as access from these unauthorised servers). They will continue their review of the security of the applications they make that run on the user’s phone, to try and prevent them being a source of vulnerability. Last of all, they will continue to review how they can strike a balance between convenience and security for their users, who just want to enjoy their lives free of worry about their private data.
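The kind of anomaly check the paragraph above anticipates, as an added example that is not part of the original comment or any provider's actual detection logic: it flags a login token that was issued to a phone and later shows up from a server network, without alerting on ordinary roaming between carrier and Wi-Fi. The event fields, token ids, device ids and private-use ASNs are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed value: a private-use ASN stands in for a data-centre network.
HOSTING_ASNS = {64600}

@dataclass(frozen=True)
class Event:
    ts: int         # seconds since start of the log window
    token_id: str   # opaque id of the login token, never the secret itself
    action: str     # "issue" after an interactive login, "use" for data access
    device_id: str  # client-reported device identifier (can be copied too)
    asn: int        # autonomous system of the source address

def flag_token_replay(events, hosting_asns=HOSTING_ASNS):
    """Return (ts, token_id, reasons) for uses that do not fit the issuance context."""
    issued = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "issue":
            issued[ev.token_id] = ev
            continue
        origin = issued.get(ev.token_id)
        reasons = []
        if origin is None:
            reasons.append("no issuance record")
        else:
            if ev.device_id != origin.device_id:
                reasons.append("device differs from issuance")
            # Phones hop between carrier and Wi-Fi all day, so an ASN change
            # alone is noise; a jump into a server network is the signal.
            if ev.asn in hosting_asns and origin.asn not in hosting_asns:
                reasons.append("phone-issued token used from hosting network")
        if reasons:
            alerts.append((ev.ts, ev.token_id, reasons))
    return alerts

# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    Event(1000, "tok-A", "issue", "phone-1", 64512),  # login on mobile carrier
    Event(1100, "tok-A", "use", "phone-1", 64513),    # same phone on home Wi-Fi
    Event(1200, "tok-A", "use", "phone-1", 64600),    # same device id, server network
    Event(1300, "tok-A", "use", "srv-9", 64600),      # different device, server network
    Event(1400, "tok-B", "use", "phone-2", 64512),    # token with no login on record
]

if __name__ == "__main__":
    for alert in flag_token_replay(SAMPLE_LOG):
        print(alert)
```

Because the device identifier travels with the copied login information, the check does not rely on it alone; the network class of the source is what separates the 1100 and 1200 events.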

Nick Hutton

Engineer, Investor, Founder, Product Manager

London, England https://blog.eutopian.io