Note: This is a port of my twitter thread

At the end of October 2019, WhatsApp (owned by Facebook) sued NSO. The complaint covered multiple different legal attacks (including a reference to the CFAA) but the technical exhibits consolidated a lot of public technical information on NSO that I thought was worth digging into.

Two exhibits - a user manual and a contract with Ghana - reveal quite a bit on NSOs system design and thinking. Unless labeled otherwise, screenshots are from the user manual and not the contract.

First off, the user manual describes the different attack methods available in Pegasus, NSO’s primary tool. The user manual mentions multiple attack methods such as over the air zero click, phishing messages, attacks over GSM abusing fake BTS (Base Transceiver Station) and physical attacks using data cables.

Over-the-air attacks are what NSO vulnerabilities are famous for.

For many attacks, phishing is effective, if the victim is convinced to press on a link.

In cases where the government can use fake base stations or acquire physical access to the machine, NSO also has physical layer vulnerabilities.

A common problem when attacking Android devices is device fragmentation. For many remote exploits, the attackers will have to customize the exploit for each platform. Also, every Android phone has its own quirks and bugs the developers have to work around.

Android fragmentation is an issue also for offensive programmers.

NSO doesn’t take the hard path and says they won’t support non Chromium based browsers.

At the time, NSO specified up to 8 weeks to handle new target devices. I have a hard time believing this is the required timeframe, it’s likely a large buffer for HR reasons or because it takes time to acquire phones.

This time scale isn’t very surprising for enterprise deployments.

The tool itself has a laundry list of features. Like other mobile malware, Pegasus can silently activate the user’s microphone to listen in to passive communication.

NSOs feature list also explicitly mentions the ability to silently activate the users microphone.

Let’s skip ahead to the contract, which also contains technical information. Looking at the contract, at the time of this document, NSO did not know how to make their malware survive factory resets on iPhone, nor extract WhatsApp data from iPhones.

At this time, the malware was far from all powerful and in some cases could be uninstalled just by running a factory reset.

Like many other malware, Pegasus extracts pretty much all information stored on the phone. SMSs, iMessage, call logs and more are all fair game.

Last, their cellular (SS7) capabilities deserve their own thread by experts. Their SS7 capability list reads like they explicitly allow for cases where control messages are sent across operator networks.

At the time, SS7 capabilities were pretty rare.

A serious problem for any mobile malware is sending the information home when a network connection is not available. Also, unlike PC malware, the phone’s battery life is very sensitive to network communication, as is the user’s phone bill (for some countries).

What Pegasus does is typical, it buffers information until the phone is near a rapid network, such as Wifi. If the buffer fills up before that time, the malware will override old data.

NSOs collection buffer makes it clear that operators need to pick the data they collect carefully if the phone may be away from network access for large periods of time.

Every good operator needs a way to hide communication traces. It’s not clear how many hops NSO feels are required but probably more than one.

It’s always nice when vendors invent fancy names for common tech. In this case, a chain of proxies in different geographical areas.

Also, according to the contract, the client is responsible for their own operational security. The target may notice if the spying software ends up in their billing record.

NSO takes care that Pegasus covers its tracks, but they absolve responsibility in case of operator mistakes/stupidity.

I’m curious if NSO cares about android antivirus or they simply think to themselves: “whatever, they all suck”.

Malware typically kills itself when security software is detected or when it can’t reach its C2 server. Pegasus does both.

The difference between most malware and commercial offerings is typically the UI and backend. NSOs user manual shows that it offers more than just a typical RAT control panel but also many sophisticated intelligence queries such as geo-fencing alerts and alerts on targets meeting up with each other.

Backend analysis is just as important as collection and sometimes more important.

Like other enterprise software, NSO provides an installation manual. I’m not surprised NSO specifies every last bit of their install process. Because as is common in the enterprise world, what isn’t defined is left up to chance. I’m sure they have customers who would try to cheap out on internet access and have no redundancy, or run the servers somewhere with bad electrical routing - leaving themselves open to sily failures that may expose them to their targets.

Very strict system requirements make it clear that the Pegasus system isn’t small or simple, nor is it a simple C2 server.

These requirements also extend to Opsec. Reading the contract, governments are encouraged to hide their tracks even when spying inside their own nation.

Prepaid SIM cards are becoming a hassle to buy, maybe also for governments :)

Moving on to the contract, NSO seems to be prepared for the Israeli Ministry of Defence unilaterally removing their export license.

A unique problem for western offensive tool vendors is what happens if the government unilaterally revokes their export license.

Along with technical restrictions on what countries you are allowed to target.

When you buy from Israel - you buy Israel's legal restrictions

I noted I would focus on technical information, but at the end, I should just mention - 25 devices at 8 million dollars feels like a steal.

alt_text

alt_text

In this case, we see the contract specifies a total of 25 concurrent implants. From other sources, NSO supports two methods of operation. One, as specified in this contract, allows for X number of concurrent malware implants. Another is a magazine metaphor, you are provided with N attacks you can use as you wish.

References: