Governments should ban the sale, export, transfer, and use of surveillance technology until human rights safeguards are in place. Lama Fakih, Crisis and Conflict director and head of the Beirut office at Human Rights Watch, was targeted with Pegasus spyware five times between April and August 2021. Pegasus is developed and sold by the Israel-based company NSO Group.
The software is surreptitiously introduced on people’s mobile phones. Once Pegasus is on the device, the client is able to turn it into a powerful surveillance tool by gaining complete access to its camera, calls, media, microphone, email, text messages, and other functions, enabling surveillance of the person targeted and their contacts. “Governments are using NSO Group’s spyware to monitor and silence human rights defenders, journalists, and others who expose abuse,” said Deborah Brown, senior digital rights researcher and advocate at Human Rights Watch. “That it has been allowed to operate with impunity in the face of overwhelming evidence of abuse, not only undermines efforts by journalists and human rights groups to hold power actors to account, but also puts the people they are trying to protect in grave danger.” Fakih, a dual US-Lebanese citizen, oversees crisis response from countries as far ranging as Syria, Myanmar, Israel/Palestine, Greece, Kazakhstan, Ethiopia, Lebanon, Afghanistan, and the United States. This includes documenting and exposing human rights abuses and serious international crimes during armed conflicts, humanitarian disasters, and severe social or political unrest. This work may have attracted the attention of various governments, including some that are suspected NSO clients, Human Rights Watch said. “It is no accident that governments are using spyware to target activists and journalists, the very people who uncover their abusive practices,” Fakih said. “They seem to believe that by doing so, they can consolidate power, muzzle dissent, and protect their manipulation of facts.” On November 24, 2021, Apple notified Fakih via email, iMessage, and an alert on the AppleID login screen that state-sponsored attackers may be targeting her personal iPhone.
The Human Rights Watch information security team established that Fakih’s current and former iPhones had been infected with Pegasus after they performed forensic analysis on the devices. Amnesty International’s Security Lab peer reviewed the analysis and confirmed the findings. Fakih’s phones were infected with a “zero-click” exploit, meaning that her devices were compromised without the need for any action by Fakih such as clicking on a link. This is an advanced and sophisticated attack technique that is effective at compromising devices, while also being very difficult for the target to detect or prevent.
The targeting of Human Rights Watch with Pegasus adds to the ever-growing list of human rights activists, journalists, politicians, diplomats, and others whose devices have been compromised by the spyware in violation of their rights. In July 2021, a consortium coordinated by Forbidden Stories, a Paris-based media nonprofit, with the technical support of Amnesty International, exposed that Pegasus software had been used to infect the devices of dozens of activists, journalists, and opposition figures in multiple countries.
The consortium identified potential NSO clients in Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Togo, and the United Arab Emirates (UAE). Over the past three months alone, investigations have revealed that Pegasus spyware was used to infect the devices of six Palestinian human rights activists, four Kazakh civil society activists, eleven US Embassy officials in Uganda, two Polish opposition figures, a member of an independent UN human rights investigation team for Yemen, a human rights activist in Bahrain, a human rights activist in Jordan, and thirty-five journalists and members of civil society in El Salvador, among others. In response to evidence that Pegasus has been used to target human rights defenders, journalists, and dissidents, NSO Group has said repeatedly that its technology is licensed for the sole use of providing governments and law enforcement agencies the ability to lawfully fight terrorism and crime, and that it does not operate the spyware it sells to government clients. NSO Group responded to Human Rights Watch’s request for comment saying that it is “not aware of any active customer using [its] technology against a Human Rights Watch staff member” and that it would open an initial assessment into our allegation to determine if an investigation is warranted.
The company said it takes “any allegation of the misuse of [its] system against a human rights defender most seriously,” and that such misuse would violate their policies and the terms of its contracts with customers. It referred us to its Whistleblower Policy and Transparency Report, which outline how they respond to such allegations. Recent actions by governments and others against surveillance firms are positive steps, but coordinated and more ambitious government regulation is needed to rein in the burgeoning surveillance technology industry that includes NSO Group and others, Human Rights Watch said. Governments should implement a moratorium on the sale, export, transfer, and use of surveillance technology until human rights safeguards are in place. “Governments need to act on the damning evidence of rights abuses that the unbridled sale of surveillance technology unleashes around the world,” Brown said. “Human rights defenders are calling for regulation, major companies are suing, while governments’ failure to take decisive action against the spyware industry constitutes a dangerous threat to fundamental human rights.” For technical analysis of the targeting of Fakih, details of the development of surveillance technology, and recent actions by companies and governments against spyware companies, please see below. Recent Actions Against Spyware Companies In recent months, companies and governments have begun to take steps against spyware companies. On July 19, 2021, on the heels of the Pegasus Project reporting, Amazon Web Services announced it had disabled cloud accounts linked to NSO Group. On November 3, the US Commerce Department announced its decision to add NSO Group and Candiru, another Israel-based company that produces spyware, to its trade restriction list (Entity List), for “acting contrary to the foreign policy and national security interests of the United States.” The decision prohibits the export from the US to NSO Group and Candiru of any type of hardware or software without a special license from the US Commerce Department. While the decision does not legally prohibit any material support (financial or technical), it effectively blacklists the two companies in the US. On September 9, 2021, the European Union’s updated rules for the export of surveillance technology went into effect.
The regulation does not go as far as human rights groups had wanted, for instance by banning the sale of surveillance technology to abusive governments. But it requires the EU Commission to publicly report the number of export license applications for each type of surveillance technology, for each member state, and the destination of the export. It also adds human rights risks as a criterion to be considered when granting an export license.
The impact of the new regulation should be maximized through expansive interpretation and rigorous application, Human Rights Watch said. In November, Apple began notifying users whom it suspects may have been targeted by a state-sponsored spyware attack, leading to the notification that Fakih received. On November 23, 2021, Apple filed a lawsuit against NSO Group and its parent company for the surveillance and targeting of Apple users. This follows a lawsuit by WhatsApp over allegations that NSO Group spyware was used to hack 1,400 users of the app in 2019. Long History of Abuse Using Spyware Human rights organizations, academics, and journalists have been reporting on government use of commercial spyware to violate rights for more than two decades. Commercially sold surveillance technology includes hardware, software, and services to enable covert and non-covert surveillance by and of digital systems with the goal of monitoring, extracting, collecting, and analyzing data. As people’s dependence on digital tools and technologies has grown exponentially over the past two decades, so has many governments’ interest in surveillance technology.
The development of ever more advanced and intrusive surveillance technology has also increased the risk its misuse poses to human rights. Commercial surveillance technology can perform a variety of functions, including surreptitious data extraction from personal devices; location tracking, which can contain sensitive and revealing insights about a person’s identity, location, behavior, associations, and activities; deep packet inspection, which enables the monitoring, analysis, and redirection of internet traffic and can be used to infect devices with malware and block them from accessing certain websites; and facial and affect recognition technology, which seeks to capture and detect a person’s facial characteristics or infer their emotions or intentions from facial expressions, based on highly questionable classification systems. Many companies selling commercial spyware are based in the US, Canada, Europe, the UK, and Israel, though the opacity under which the commercial surveillance industry operates makes it impossible to know the full scope or scale of its reach. Targeting the Devices of a Human Rights Watch Staff Member Apple notified Lama Fakih, Crisis and Conflict director at Human Rights Watch, via email, iMessage, and an alert on the AppleID login screen that state-sponsored attackers might be targeting her iPhone on November 23 and 24, 2021. Abir Ghattas, associate director for information security at Human Rights Watch, confirmed the legitimacy of Apple’s notifications, then performed forensic analysis on Fakih’s current iPhone and previous iPhone that were associated with the same AppleID to establish whether the devices had been infected. Human Rights Watch analysis indicated that two devices (iPhone 12 and iPhone XS) were infected with NSO Group’s Pegasus spyware. Examination of the logs showed traces of processes on both devices that Amnesty International Security Lab’s research previously connected to NSO’s Pegasus. Human Rights Watch shared the forensic data with Amnesty International’s Security Lab, which peer reviewed and independently confirmed the findings (see key technical findings below). Recommendations To address the high risk of abuse associated with all surveillance technology, Human Rights Watch recommends: Key Technical Findings from Human Rights Watch’s Forensic Analysis Fakih’s two devices contained traces of Pegasus infection. Forensic traces from the devices indicate that both phones were compromised using a vulnerability in iMessage.
These traces are consistent with the use of the NSO Group’s Megalodon/FORCEDENTRY zero-click exploit, which has previously been reported by Amnesty International and Citizen Lab. In September 2021, Apple patched Megalodon/FORCEDENTRY in iOS 14.8.
The attacks in this report coincided with the time period when this vulnerability is known to have been exploited. Targeting iPhone XS The iPhone XS was used between January 2019 and July 2021. It was replaced by an iPhone 12 in July 2021.
The XS device was infected with Pegasus on three occasions: Table 1 shows records of suspicious processes found on the iPhone XS attributed to Pegasus. Human Rights Watch’s analysis is based on known indicators of processes linked to Pegasus.
There may be other instances of infections using Pegasus processes that have not yet been identified. Date (UTC) Event 2021-04-06 05:16:33 Traces related to iMessage exploitation observed before Pegasus processes ran on the device 2021-04-06 05:17:30 Process: MobileSMSd 2021-04-06 05:17:34 Process: ABSCarryLog 2021-04-06 05:18:13 Process: bfrgbd 2021-04-07 17:07:33 Process: bfrgbd 2021-06-03 07:29:51 Process: JarvisPluginMgr 2021-06-03 07:29:59 Process: wifip2ppd 2021-06-03 07:30:42 Process: frtipd 2021-06-13 14:33:17 Process: frtipd 2021-06-23 07:30:46 Process: gatekeeperd 2021-06-23 07:31:28 Process: logseld 2021-06-23 07:30:46 Process: vm_stats 2021-06-23 11:48:56 Process: logseld 2021-06-23 15:51:40 Process: logseld 2021-06-23 20:09:53 Process: logseld Targeting iPhone 12 The iPhone 12 was successfully infected with Pegasus on July 5, 2021, and August 23, 2021. Table 2 shows records of suspicious processes found on the iPhone 12 attributed to Pegasus. Date (UTC) Event 2021-07-05 06:47:10 Traces related to iMessage exploitation observed before Pegasus processes ran on the device 2021-07-05 06:47:11 Process: gatekeeperd 2021-07-05 06:47:20 Process: CommsCenterRootH 2021-07-05 06:47:36 Process: mobileargd 2021-07-05 11:45:25 Process: mobileargd 2021-07-05 12:09:47 Process: mobileargd 2021-08-23 14:15:41 unnamed process linked to Pegasus Analysis of the extracted phone data, specifically an iOS file called “com.apple.identityservices.idstatuscache.plist,” which contains a list that indicates when apps like Facetime and iMessage first established contact with other registered Apple IDs, revealed an entry showing an email address, provided below, that connected with Fakih’s Apple ID over iMessage. Fakih is not familiar with this address and never communicated with it, which makes it a suspicious account.
The email address also matches the patterns used to register iCloud accounts in other known Pegasus attacks. Research into the infrastructure Pegasus relies on suggests that NSO Group may create those email and iCloud accounts on behalf of their clients. A similar technique of compromising iPhones with Pegasus using the Megalodon /FORCEDENTRY exploit was documented in cases that Citizen Lab has linked to Saudi Arabia, a suspected NSO client. However, it is possible for other NSO clients to use the same technique. Determining that a government is an NSO Group client is challenging because the company does not publish its client list and it is rare for governments to confirm they purchased Pegasus. However, the existence of a Pegasus operator in a country, confirmed cases of devices being targeted with Pegasus, and a pattern of unlawful and arbitrary surveillance of their citizens and external critics are good indicators that a government may be a client.
The email address is included in this report in case it is useful for others who are also investigating Pegasus attacks. User: nielscherer[at]gmail[dot]com Date: 2021-06-29 06:33 UTC Use of Pegasus in Lebanon Fakih is the first publicly reported confirmed case of Pegasus being used to target a worker for a nongovernmental organization in Lebanon. Previous known targets in Lebanon include: Resources for Checking Whether Devices Have Been Infected with Pegasus: For questions or to be in touch about the Human Rights Watch technical analysis, please contact firstname.lastname@example.org.
Read the full article at the original website