If you thought that the superpowers had an oligopoly on using the internet to spy on their citizens, you were mistaken. Our closest neighbor south of the border has stepped up and proven that even the poorest nation states can afford specialized hacking tools and shadowy hacker code mills. And they know how to use them to keep tabs on journalists, lawyers, and activists, and even their kids. It just goes to show that nobody is safe from government spies, not even children in third world countries.
The Citizen Lab, an interdisciplinary hacking team at the University of Toronto that focuses on the nexus between politics and cyberspace, released the results of an investigation into the cell phone hacking of media, public health, human rights, and anti-corruption groups in Mexico. The attacks took place over the course of two years, concentrated in two periods during which journalists and activists were accusing the Mexican government of participation in human rights abuses, extra-judicial killings, bribery, and corruption.
The infrastructure used, known as “Pegasus,” was attributed by Citizen Lab to NSO Group, an Israel-based company that sells malware. NSO claims that it only sells to government agencies to help them combat terror and criminality, that it does not operate the product on behalf of its government customers, and that its clients promise to use the product lawfully, and only for “the prevention and investigation of crimes.”
Here is how Pegasus works. The government agency running the operation tricks the target into clicking a link sent by text message or email. The link directs the phone to a server controlled by the Pegasus operator, which checks which operating system the phone is running and sends back the matching malware, which installs itself on the phone. Once installed, the malware remotely monitors the phone, including every keystroke.
Citizen Lab documented seventy-six Pegasus attacks against at least eleven targets, including one child. The vector was text messages designed to get the target to tap the link. Messages included “troubling personal and sexual taunts, messages impersonating official communications by the Embassy of the United States in Mexico, fake AMBER alerts, warnings of kidnappings, and other threats,” as well as “fake bills for phone services and sex lines.”
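Because the whole chain described above starts with a link in a text message, the one place a defender can actually intervene is before the tap. The script below is an added example, not code from Citizen Lab or from the original article: a small triage filter that pulls URLs out of SMS text, flags links that are shortened or go to a domain the reader has not verified, and raises the severity when the message also carries one of the lure themes the report quotes (impersonated officials, AMBER alerts, overdue bills, personal taunts). The sample messages, the allowlist, and every domain in it are constructed placeholders, not real lures or real infrastructure.

```python
import re
from urllib.parse import urlparse

# Constructed sample SMS messages modelled on the lure categories the report
# describes. None of these are real messages; the domains are placeholders.
SAMPLE_SMS = [
    "Embassy of the United States: your visa appointment was changed, details http://bit.ly/x1",
    "AMBER ALERT: child missing near you, photo and info http://amber-alerta.example-lure.net/p",
    "Your phone bill of $213.40 is overdue, pay here https://telcel-factura.example-lure.com/pay",
    "Lunch tomorrow at 1? Same place as last week.",
    "Your parcel is out for delivery. Track: https://www.example.com/track/123",
]

# Constructed allowlist: domains the reader has confirmed out of band
# (e.g. by typing the carrier's address from a paper bill, not from a text).
TRUSTED_DOMAINS = {"example.com"}

# Link shorteners hide the real destination until the phone resolves them,
# which is exactly what a one-click exploit delivery server wants.
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly"}

# Lure themes quoted in the report, as case-insensitive patterns.
LURE_PATTERNS = [
    ("impersonated official body", re.compile(r"\b(embassy|consulate)\b", re.I)),
    ("child safety alert", re.compile(r"amber alert|missing child|kidnap", re.I)),
    ("overdue bill", re.compile(r"\b(bill|factura|invoice)\b", re.I)),
    ("personal or sexual taunt", re.compile(r"sex line|intimate photo|photos? of you", re.I)),
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def registered_domain(url: str) -> str:
    """Return the last two labels of the URL's host ("www.a.example.com" -> "example.com").

    Simplification for the example: multi-part public suffixes such as co.uk
    are not handled; a production filter would use a public-suffix list.
    """
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def reasons_for(text: str) -> list[str]:
    """Collect every reason this message looks like a lure, as plain strings."""
    reasons = []
    for url in URL_RE.findall(text):
        domain = registered_domain(url)
        if domain in SHORTENERS:
            reasons.append(f"shortened link hides destination: {domain}")
        elif domain not in TRUSTED_DOMAINS:
            reasons.append(f"link to unverified domain: {domain}")
    for label, pattern in LURE_PATTERNS:
        if pattern.search(text):
            reasons.append(f"lure theme: {label}")
    return reasons


def verdict(text: str) -> str:
    """'block' = unverified link plus lure theme, 'verify' = unverified link only, 'ok' otherwise."""
    reasons = reasons_for(text)
    has_link = any(r.startswith(("shortened", "link to")) for r in reasons)
    has_lure = any(r.startswith("lure theme") for r in reasons)
    if has_link and has_lure:
        return "block"
    if has_link:
        return "verify"
    return "ok"


def triage(messages: list[str]) -> list[dict]:
    """Run the filter over a batch of messages and return one record per message."""
    return [{"text": m, "verdict": verdict(m), "reasons": reasons_for(m)} for m in messages]


if __name__ == "__main__":
    for record in triage(SAMPLE_SMS):
        print(f"[{record['verdict']:6}] {record['text']}")
        for reason in record["reasons"]:
            print(f"          - {reason}")
```

The filter deliberately never fetches the link: resolving a shortener or probing the destination from the phone is the click the attacker is waiting for. A "verify" result means the link may be fine but the domain should be confirmed through a channel other than the text itself; "block" means the message combines an unverified link with a pressure theme and should not be opened at all.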
Citizen Lab admits that it has no direct proof of Mexican government agency involvement, but the circumstantial evidence is pretty damning. The infrastructure and SMS content are Mexico-specific, the targets were all investigating Mexican government corruption, and several Mexican government agencies are NSO customers. It is at least theoretically possible that someone other than the Mexican government ran these hacks, but since NSO only sells to governments, at a minimum a government agency would be guilty of the irresponsibility of losing this malware to thieves.
The first lesson today is that it isn’t just superpowers and basement dwellers who are the threat anymore. Third-party malware vendors who hide behind legality and exercise no control over their product will sell to any government they are allowed to. And as we all know, every government feels the same way about privacy: it doesn’t acknowledge that privacy exists. And some nations are much more likely to throw dissenters into wood chippers. Don’t let that be you.
The second lesson, again, is that cell phones are unsafe. They are computers. Your fancy encrypted chat application is useless if someone can see everything you do on the phone because they have compromised the operating system. So is your VPN. And simply not clicking on blind links isn’t enough anymore, because, as discussed in LN’s coverage of Vault 7, various bad actors have infected routers all over the world with malware that can redirect you to those same malware sites.
Here is what you can do with your cell phone to make yourself safer. First, don’t click on blind links from anyone. Second, get a quality virtual private network (VPN) from a vendor you trust that doesn’t log connections or traffic, preferably one with servers overseas. Third, use only your cell phone data plan. Doing so bypasses all wifi routers and uses only the mobile phone company’s network. The VPN protects you from the phone company’s sniffers, and the phone company’s network protects you from everyone else, except the superpowers, who have proven that they can compromise enterprise network routers. This solution is even John McAfee approved. It won’t keep you out of a government re-education camp if the communists take over D.C., but it will go a long way toward keeping your banking password safe and help prevent you from being targeted by third world dictators you made fun of on Facebook.