Apple has released an emergency software update to fix a security flaw in its iPhones and other products researchers found was being exploited by the Israeli-based NSO Group to infect the devices with its Pegasus spyware. The security exploit exposes “widespread abuse that we have associated with NSO Group and other companies like it,” says Ronald Deibert, director of the University of Toronto’s Citizen Lab, which discovered the security flaw. “This is … the most important crisis around global civil society right now.” Over 1.65 billion Apple products in use around the globe have been vulnerable to the spyware since at least March.
AMY GOODMAN: This is Democracy Now!, democracynow.org, The War and Peace Report. I’m Amy Goodman, with Juan González.
Apple has released an emergency software update to fix a security flaw in its iPhones and other products researchers found was being exploited by the Israeli-based NSO Group to infect the devices with its Pegasus spyware. Over 1.65 billion Apple products in use around the globe were vulnerable to the spyware since at least March. Apple said vulnerable devices could be hacked by receiving a malicious PDF file that users don’t even have to click, known as “zero-click” exploit. The flaw was discovered by the University of Toronto’s Citizen Lab, which found the hack in the iPhone records of a Saudi political activist. Earlier this year, a massive data leak revealed Pegasus software had targeted the phones of thousands of journalists, activists and political figures around the world for foreign governments and NSO Group clients.
We’re ending today’s show with Ronald Deibert. He is the director of the Citizen Lab at the University of Toronto. He’s also author of the recent book Reset: Reclaiming the Internet for Civil Society.
Ron Deibert, thanks so much for joining us at this early hour —
RONALD DEIBERT: Thank you for having me, Amy.
AMY GOODMAN: — as you speak to us from Vancouver. Can you talk about the significance of this flaw, how it was discovered, and what it’s doing to so many billions of — to 1.6 billion Apple products?
RONALD DEIBERT: Sure. Thank you for having me, Amy.
We examined the phone of a Saudi activist, who is part of a research study that we are running, in March 2021 and determined that their iPhone had been hacked with NSO Group’s Pegasus spyware. NSO Group is a mercenary surveillance company based in Israel that has been the subject of numerous prior Citizen Lab reports. We have shown that their technology, which is marketed to governments to assist in law enforcement and national security investigations, is in fact widely abused. It’s used to target broad sections of civil society, including journalists, human rights defenders, lawyers and others. This was yet another case of an abuse of this type of spyware.
This particular exploit that we discovered on the Saudi activist’s phone was extremely sophisticated. It is what’s known as a zero-click zero day. And by that, I mean that the surveillance technology could be implanted on a target’s device without any visible interaction on the part of the user, no evidence that this is happening. It exploits a flaw in Apple’s iMessage application, that even at the time Apple did not know about. So this means that any government client using NSO Group’s spyware could silently take over any Apple device in the world. And as you say, there are 1.65 billion Apple users around the world. And this affected all Apple iOS, macOS, watchOS devices.
We notified Apple of the discovery, and they moved very quickly, within six days, to push out this emergency software update, which takes care of the problem. But we estimate that this has been active since about February 2021. So, what this case illustrates is, again, this widespread abuse that we have associated with NSO Group and other companies like it, their technology.
JUAN GONZÁLEZ: And, Ronald Deibert, could you talk about — a little bit more about NSO Group’s track record and in other issues of cyber espionage?
RONALD DEIBERT: Sure. So, we and others, our partners at Amnesty International, other research groups, have been tracking, broadly speaking, the commercial spyware market for many years now. And NSO Group first came on our radar, you will recall, back in 2016, when we discovered it was being used by the United Arab Emirates to target a human rights defender named Ahmed Mansoor. Ever since then, we and others have documented extensive abuses of this company’s technology.
So, not surprisingly, when you have no regulation over a marketplace like this, and a company really is doing no due diligence — they’re just simply in it for the profit — you will have extensive abuse, because they’re selling to government clients that lack oversight over their security agencies, that lack transparency, public accountability. Most of them are kleptocrats or dictators, countries like Saudi Arabia, which we know has a terrible human rights track record. They will take this technology and go after their adversaries, whoever they may be. That could include you or Amy, in fact. We have seen extensive targeting of journalists using NSO’s technology.
Really, it’s not surprising that we are able to do this, although we have an extremely talented technical team at the Citizen Lab that does this investigation. When this type of technology is sold to government clients and is abused in this way, obviously, watchdog organizations like this are likely going to spot it. So, this underlines the urgency of this unregulated marketplace. I think now it’s become more than obvious that there are extensive damages associated with this industry that need to be cleaned up very quickly. And the only way to do that, frankly, is by some kind of international regulation.
AMY GOODMAN: And you mentioned UAE. We had a headline today about the Justice Department charging three former U.S. intelligence and military officials —
RONALD DEIBERT: Yes.
AMY GOODMAN: — after they admitted to helping the United Arab Emirates build a hacking program. Talk about the dissidents that are targeted in this and how this fits into this other story.
RONALD DEIBERT: Well, the individuals that you mentioned, who were former NSA engineers working for this startup in the UAE, actually targeted us at the Citizen Lab, we discovered, as part of the whistleblower leak associated with that.
So, basically, what’s happening here is, you know, all of us carry with us, 24 hours a day, these devices in our pockets. They’re engineered very well, for the most part, but they contain various software flaws, inevitably. That’s the nature of the ecosystem that we live in. And governments have a very large appetite to hack into those devices, because they’re so rich with details about anyone’s lives. Now, this means that governments that, you know, don’t follow the rule of law or respect human rights, if they have these in their arsenal, they’re going to go after anyone they consider to be a regime critic. And that’s what’s happening right now. So that means journalists, lawyers, activists, people who have fled their countries out of fear of the regime, managed to move safely to a country like Canada, they are not immune from this new type of transnational repression. So, what companies like NSO Group are offering up really is a kind of despotism as a service.
JUAN GONZÁLEZ: And I wanted to ask you — we have less than a minute left, but what does it say about the world that we’re living in today that we need groups like yours, Citizen Lab, and the independent actions of some companies, like Apple, to actually try to rein in what is occurring, rather than the actual governments and agencies that are supposed to protect the public?
RONALD DEIBERT: Well, that’s an excellent question, Juan. And, unfortunately, it’s a bit of a dark answer. As you know, the world is sliding into despotism and authoritarianism, even within liberal democratic countries. And we need to look no further than within the United States and the troubling events of recent times. All governments are interested in his technology. Some of them may have legitimate needs for this type of thing, because they’re doing their investigations. But, as we know, there is so much corruption around the world, so many governments that lack public accountability and transparency, so many intelligence agencies that are doing horrible things, largely out of control. This simply fuels that fire. This is, in my opinion, the most important crisis around global civil society right now. We can’t solve all the other problems if people are being spied on willy-nilly like this.
AMY GOODMAN: We want to thank you so much, Ronald Deibert, director of the Citizen Lab at the University of Toronto and author of Reset: Reclaiming the Internet for Civil Society. We’re going to do Part 2 of the conversation, and we’re going to post it online at democracynow.org. How do you protect yourself?
And a very happy birthday to Sam Alcoff! That does it for our show. Democracy Now! produced with Renée Feltz, Mike Burke, Deena Guzder, Messiah Rhodes, Nermeen Shaikh, María Taracena, Tami Woronoff, Charina Nadura, Sam Alcoff, Tey-Marie Astudillo, John Hamilton, Robby Karran, Hany Massoud, Adriano Contreras. Special thanks to Julie Crosby. I’m Amy Goodman, with Juan González.