Pegasus: How a Spy in Your Pocket Threatens the End of Privacy, Dignity, and Democracy by Laurent Richard & Sandrine Rigaud - review by Michael Burleigh

Michael Burleigh

Quis Custodiet?

Pegasus: How a Spy in Your Pocket Threatens the End of Privacy, Dignity, and Democracy

By Laurent Richard & Sandrine Rigaud

Macmillan 336pp £20
 

One of the least noticed gambits of Liz Truss’s spells as international trade secretary and then foreign secretary in 2019–22 was her quest for a free-trade agreement with Israel. It was to be as asymmetrical as most of the trade deals agreed since Brexit. Truss was prepared to move the UK embassy to Jerusalem – putting the UK in the select company of Guatemala, Honduras and Trump’s USA – and to ‘revisit’ the two-state solution. Rishi Sunak has since ditched these reckless proposals.

The main prizes for the UK were to be joint ventures in defence and cyber warfare. Although a very small nation, Israel is among the leading powers in cyber technology, along with China, Russia, the USA and the UK. Israel’s main tech hub in Herzliya receives one fifth of global private investment in cybersecurity, from such firms as Cisco, IBM and Qualcomm, among others. Start-ups with a valuation of $1 billion or more, otherwise known as ‘unicorns’, abound in the country.

This reflects not only Israel’s loose regulatory framework – the handiwork of Benjamin Netanyahu – but also the presence of a large pool of talented software engineers produced by Unit 8200, a secretive military intelligence agency which releases around a thousand alumni into the job market each year. These young people, known locally as ‘big brains’, are so proficient that when Apple opened its largest research and development facility, it did so in Herzliya, 7,500 miles from the company’s Californian base. On leaving the military, these graduates go on to work in the huge cybersecurity sector. Most work in cyber defence, for Israel is subject to 700,000 or so cyberattacks per week. Five per cent go over to the dark side of offence.

The presence of Apple’s research facility in Israel is ironic, since the corporation’s iPhone is at the heart of this fascinating, shocking and remarkable book. It is about a tech unicorn called NSO, named to evoke America’s huge National Security Agency (NSA). It is not hard to see why young people chose to work for this company, since it offered ten times army pay to the freshest of recruits ($25,000 a month).

The brains behind NSO are not big at all. Two serial chancers, Shalev Hulio and Omri Lavie, started NSO after a failed punt on an app that enabled people to source clothing worn by stars of films and television. They are roly-poly, slobbish, smiley men with very good sales patter rather than sleek Bill Gates or Jeff Bezos types.

After meeting Niv Karmi, a former Unit 8200 officer, the duo developed a program called CommuniTake, which enabled technical support staff at digital and telecoms companies to remotely take control of customers’ mobile devices in order to help them change the ring tone and suchlike. This was the crucial breakthrough. Before long intelligence agencies allegedly came calling.

Karmi helped devise ways of surreptitiously accessing mobile phones. The ‘craft’ lay not in the relatively simple malware, which could be inserted into any device, but in the cunning with which not just the initial but also repeat entries to the phone were effected, since Apple and the like constantly refine and update their own heavily encrypted cyber defences. The weakest points were iMessage (which everyone should delete) and Apple Photos, followed by Apple Music. With a nod to the Trojan Horse, NSO called their system Pegasus, a mythical steed that flew through the ether. Happily for Lavie and Hulio, this technical development coincided with an explosion in mobile phone use.

Combating organised crime and terrorism was the nominal justification for Pegasus, for something so sordid required a moralistic vindication. NSO was ‘on a life-saving mission’. The strategic vulnerability of Israel was a handy excuse, while the riposte that any critics were ipso facto anti-Semites proved useful.

There was a general air of scrupulousness too. Israel has nominally strict telecoms regulations, and the Israeli Ministry of Defence was required to approve NSO’s export licences. These could be granted to government law enforcement agencies in any country save those subject to UN arms embargoes and with a +1 dialling prefix (the USA). In reality, enforcement was poor and the prime minister’s office could override the Ministry of Defence. There is more than a suggestion here that Mossad used offers of NSO ‘help’ (at a price) as part of its covert diplomacy.

NSO’s first big sale was to Mexico, which signed a $15 million deal for the equipment and a training team to show agents how to use it. NSO put in place a separate local team to handle the promiscuous bribery of Mexican officials. Subsequent contracts signed with the Mexican army were worth $350–400 million, and further ones were agreed with Mexico’s twenty-four state governments. Other major deals followed: with Azerbaijan, Hungary, India, Morocco, Poland, Rwanda, Saudi Arabia and the UAE, among other countries (forty in all).

What customers were buying was an ‘anonymizing transmission network’ that inserted malware into mobile phones by getting users to click on a link within a text message. This was not fail-safe, since the sceptical target could simply delete the unopened message – as I did when my phone was attacked by a Saudi state agency after I wrote disobliging things about Crown Prince Mohammed bin Salman in a British newspaper (happily, I had earlier read a Washington Post report about Toronto’s Citizen Lab, which was investigating NSO).

The next stage in the program’s evolution, called zero-click exploits, was much more effective: it enabled Pegasus to hijack a phone while the target was merely surfing the internet. Everything on the phone could be covertly exfiltrated, including emails, text messages, photos, contacts and call logs, while the microphone and camera could be switched on too. Other refinements included preventing a phone from reporting a software crash (a telltale sign that a ‘network injection attack’ is under way) back to Apple engineers. Later iterations not only inserted malware without leaving much of a trace but also erased earlier evidence of Pegasus technology on the device.

The incredible research into NSO that underpins this outstanding book began when the two authors, both French journalists, and two cyber researchers in Berlin were given a list of fifty thousand mobile phone numbers that had been targeted by NSO. A very small and tight-knit team of investigative journalists working at the NGO Forbidden Stories then began identifying a thousand owners of these phones, not all of which were actually hacked.

NSO’s victims, most of whom were being spied on without judicial warrant, included President Emmanuel Macron and five members of his cabinet, a former prime minister of Belgium, the current prime minister of Spain and several high-profile Catalans. Forbidden Stories and their team of forensic hackers focused on the journalists, lawyers and NGOs who seemed to figure very prominently among those people NSO’s state clients wished to spy on.

This had nothing to do with organised crime or terrorism, as one can glean from the fact that Princess Haya of Jordan (along with her divorce lawyer Fiona Shackleton) was targeted, courtesy of her soon to be ex-husband, Sheikh Mohammed bin Rashid Al Maktoum, prime minister of the United Arab Emirates. So was Roula Khalaf, the current editor of the Financial Times, and the wife of the slain journalist Jamal Khashoggi. Among those who joined NSO’s late-minted ethical advisory board after the company was largely bought by the London-based venture capital group Novalpina was Cherie Blair KC, whose husband is a frequent visitor to Israel.

Some of NSO’s human targets had already been beaten or tortured in, for example, Morocco (for oppositional activity or revealing property deals involving the royal family), where five thousand phones were invaded. In Mexico, where over 150 journalists (including those investigating drug cartels) have been murdered by both cartels and the police since 2000, fifteen thousand phone numbers were on NSO’s list. Among NSO’s targets in Mexico, alongside lawyers and journalists, were the driver, the cardiologist and the wife of the politician Andrés Manuel López Obrador (who was elected president in 2018), along with three of his children.

The intrepid authors needed to persuade individuals, who were often being harassed and persecuted, to allow experts to go into their phones in search of evidence of NSO activity. Once the telltale signs had been identified, and with the malware being traced back to suspiciously identical servers, Forbidden Stories shared its findings with the Washington Post, Le Monde, Die Zeit, The Guardian, Süddeutsche Zeitung and twelve other media outlets. Security was so tight that NSO did not get a whiff of what was about to hit them. D-day came in mid-July 2021.

NSO might have toughed out this scandal but for the fact that their products were used to spy on US diplomats at the embassy in Uganda. Lavie and Hulio were banned from entering the United States and all imports of the technologies used in Pegasus were prohibited. Apple launched a multi-billion lawsuit. NSO collapsed, taking down Novalpina with it. An EU committee, under the leadership of the Dutch liberal MEP Sophie in ’t Veld, is currently working up a pan-European ban on the kind of spyware developed by NSO. Of course, not a peep about any of this has come from the UK’s Conservative government, which still wants a free-trade agreement with Israel and close relations with the illiberal regimes who were NSO’s clients.
