Malware Merchant NSO Group Caught Leaving Harvested Location Data Exposed

(Mis)Uses of Technology

from the oh-well-'little-people'-aren't-the-end-users-so-who-cares dept

Israeli surveillance tech firm NSO Group is something else. (Pejorative, yo.) It set up shop in a contested country where it’s not all that paranoid to say everyone is out to get them. (But it’s still a little paranoid, if not a lot racist.) That being said, Israel doesn’t have a lot of nearby allies. And its ongoing conflict with Palestine hasn’t made it any new friends.

You’d think a government contractor operating out of this space would be more judicious with its sales efforts. But finding new customers seems to be more important to NSO Group than defending its own country against attacks. NSO has sold its pervasive surveillance products — ones that leverage popular messaging apps to create spy-holes in end-to-end encryption — to anyone who wants them, including those that would turn these tools against Israeli citizens, journalists, and activists.

NSO has enabled a global war on dissent and criticism. It’s not the only company that takes a hands-off approach to sales — justifying the money in its pocket with claims it’s nothing more than an exploit-hawking middleman. This has earned it some justifiable disdain. It has also earned it lawsuits, including one filed by a company too big to ignore: Facebook.

Multiple governments have purchased exploits from NSO, resulting in a worldwide war on journalists and activists. This makes NSO richer. But it doesn’t make the company any smarter. NSO and Israel briefly joined forces to engage in domestic surveillance, utilizing NSO’s malware to facilitate COVID contact tracing — an effort swiftly blocked by an Israeli court.

NSO hasn’t slowed down its surveillance efforts — the ones deployed by its customers. But it has again managed to generate unfavorable headlines and coverage. The company, whose offers of contact tracing were rejected by an Israeli court, hasn’t dialed back its efforts to place people under surveillance — supposedly for the public good.

But its exploits have their own security flaws. While it was trying to sell governments its contract tracing goods, it failed to secure some of the data it had been gathering in hopes of vertically integrating its spy tech and its “concern” for the general population’s health. Zack Whittaker reports for TechCrunch:

NSO, a private intelligence company best known for developing and selling governments access to its Pegasus spyware, went on the charm offensive earlier this year to pitch its contact-tracing system, dubbed Fleming, aimed at helping governments track the spread of COVID-19. Fleming is designed to allow governments to feed location data from cell phone companies to visualize and track the spread of the virus. NSO gave several news outlets each a demo of Fleming, which NSO says helps governments make public health decisions “without compromising individual privacy.”

But in May, a security researcher told TechCrunch that he found an exposed database storing thousands of location data points used by NSO to demonstrate how Fleming works — the same demo seen by reporters weeks earlier.

NSO has responded to the hole it didn’t close until notified by TechCrunch — months after the first notification by the security researcher. It says the data seen in the breach isn’t “real and genuine data.”

Well, we’ll see if that’s true. At this point, this appears to be bullshit. As Whittaker notes, NSO’s statement conflicts with news reports about NSO’s use of location data sold to it by third-party brokers who gather location info from phone apps. NSO used this data to “train” its contact tracing AI. It’s still “real and genuine data,” even if NSO wasn’t (yet!) using it in real-word applications.

TechCrunch asked researchers at Forensic Architecture, an academic unit at Goldsmiths, University of London that studies and examines human rights abuses, to investigate. The researchers published their findings on Wednesday, concluding that the exposed data was likely based on real phone location data.

Whatever the real-world applications by NSO, the fact is NSO utilized data of thousands of individuals from multiple countries (Rwanda, Israel, Saudi Arabia, UAE, Bahrain) to train an AI it was pitching to world governments — a pitch that likely did not inform potential end users NSO would be buying data in bulk from brokers who are generally unconcerned about local data privacy laws.

NSO may be trying to rehabilitate its image by offering its considerable surveillance power to the fight against COVID, but its efforts show it’s really still just in the business of collecting everything it can while expanding its user base to whoever’s willing to buy — even if it includes foreign enemies.

A failure to secure a database — even if it’s only filled with “trial” data — is a monumental self-own. This indicates NSO isn’t nearly as careful as it should be, considering the wealth of data/communications it helps government agencies siphon from targets’ devices. When millions of people around the world are just grist for the surveillance mill, it rarely seems imperative to protect the data you’ve harvested from them. The only thing that matters to NSO is surveillance and the profit made. Collateral damage doesn’t affect its bottom line — not when there’s a host of human rights violators lining up to buy your goods.

Filed Under: data breach, exploits, hacking, location data, security, surveillance
Companies: nso group