“There’s no check on this,” said Bill Marczak, a senior fellow at the Citizen Lab at the University of Toronto’s Munk School of Global Affairs. “Once NSO’s systems are sold, governments can essentially use them however they want. NSO can say they’re trying to make the world a safer place, but they are also making the world a more surveilled place.”
The NSO Group’s capabilities are in higher demand now that companies like Apple, Facebook and Google are using stronger encryption to protect data in their systems, in the process making it harder for government agencies to track suspects.
The NSO Group’s spyware finds ways around encryption by baiting targets to click unwittingly on texts containing malicious links or by exploiting previously undiscovered software flaws. It was taking advantage of three such flaws in Apple software – since fixed – when it was discovered by researchers last month.
The cyberarms industry typified by the NSO Group operates in a legal gray area, and it is often left to the companies to decide how far they are willing to dig into a target’s personal life and what governments they will do business with. Israel has strict export controls for cyberarms, but the country has never barred the sale of NSO Group technology.
Since it is privately held, not much is known about the NSO Group’s finances, but its business is clearly growing. Two years ago, the NSO Group sold a controlling stake in its business to Francisco Partners, a private equity firm based in San Francisco, for $120 million. Nearly a year later, Francisco Partners was exploring a sale of the company for 10 times that amount, according to two people approached by the firm but forbidden to speak about the discussions.
The company’s internal documents detail pitches to countries throughout Europe and multimillion-dollar contracts with Mexico, which paid the NSO Group more than $15 million for three projects over three years, according to internal NSO Group emails dated in 2013. Calls and emails to Mexico’s embassies in San Francisco and Washington were not returned.
Zamir Dahbash, an NSO Group spokesman, said the sale of its spyware was restricted to authorized governments and it was used solely for criminal and terrorist investigations. He declined to comment on whether it would cease selling to the U.A.E. and Mexico after last week’s disclosures.
For the last six years, the NSO Group’s main product, a tracking system called Pegasus, has been used by a growing number of government agencies to target a range of smartphones – including iPhones, Androids, and BlackBerry and Symbian systems – without leaving a trace.
Among the Pegasus system’s capabilities, NSO Group contracts assert, are the abilities to extract text messages, contact lists, calendar records, emails, instant messages and GPS locations. One capability that the NSO Group calls “room tap” can gather sounds in and around the room, using the phone’s own microphone.
Pegasus can use the camera to take snapshots or screen grabs. It can deny the phone access to certain websites and applications, and it can grab search histories or anything viewed with the phone’s web browser. And all of the data can be sent back to the attacker’s server in real time.
In its commercial proposals, the NSO Group claims that its tracking software and hardware can install itself in any number of ways, including “over the air stealth installation,” tailored text messages and emails, through public Wi-Fi hot spots rigged to secretly install NSO Group software, or the old-fashioned way, by spies in person.
Much like a traditional software company, the NSO Group prices its surveillance tools by the number of targets, starting with a flat $500,000 installation fee. To spy on 10 iPhone users, NSO charges government agencies $650,000; $650,000 for 10 Android users; $500,000 for five BlackBerry users; or $300,000 for five Symbian users – on top of the setup fee, according to one commercial proposal.
You can pay for more targets. One hundred additional targets will cost $800,000, 50 extra targets cost $500,000, 20 extra will cost $250,000 and 10 extra cost $150,000, according to an NSO Group commercial proposal. There is an annual system maintenance fee of 17 percent of the total price every year thereafter.
What that gets you, NSO Group documents say, is “unlimited access to a target’s mobile devices.” In short, the company says: You can “remotely and covertly collect information about your target’s relationships, location, phone calls, plans and activities – whenever and wherever they are.”
And, its proposal adds, “It leaves no traces whatsoever.”