Digital forensic reports have revealed with high certainty that the phones of at least two senior Israeli officials were hacked in some capacity using spyware technology.
The information was provided by an Israeli cybersecurity firm that examined the officials' phones in the wake of recent reports that the Israel Police had inappropriately used the infamous NSO Group's Pegasus spyware. Yet in this case, the findings do not point to Pegasus technology – which forces us to ask: How will such invasions of privacy be detected in the future, and will the public ever know how many others fell victim to Pegasus spyware?
The committee appointed to look into reports that the Israel Police used the spyware to hack into the phones of a number of civil servants and public figures hasn’t yet approached the NSO Group. However, experts tell Haaretz that the committee will not be able to confirm or refute the hacking allegations without NSO’s cooperation.
This is because the police's intelligence unit – the unit that reportedly used the spyware illegally – could in theory delete the logs that document its actions, just as chats or message history can be deleted from one's cell phone. However, documentation of police surveillance using Pegasus spyware cannot be erased from or edited in the logs of the Pegasus operating system, and, much as cell phone companies have access to their users' conversations, NSO has access to all the Pegasus logs. The committee's cooperation with NSO is thus essential to finding out whether the spyware was used for surveillance purposes and, of course, on whom.
NSO sent a formal letter to Calcalist on Thursday, confirming that while the police may be able to delete their activity logs, they cannot delete or edit the logs within the Pegasus software. So far, the committee has looked at the phones of 26 civil servants that Calcalist listed as hacking targets. The list included directors general of government ministries, advisors to former Prime Minister Benjamin Netanyahu and his son Avner, as well as city mayors and business people. According to the results of the investigation – which were submitted to Prime Minister Naftali Bennett and Attorney General Gali Baharav-Miara – only three of the 26 listed people had been targeted with the spyware, and in only one of those cases did the police manage to successfully install the software on the individual's phone.
The police maintain that in all these cases, the use of spyware had been authorized by a court order. However, if the committee seeks to expand the investigation, or is concerned that officers with access to the system could have deleted their logs, it will have to approach NSO directly. NSO said this week that while the company is willing to assist with the committee's investigation, it has yet to be approached for help.
“It's an act that should take a few days at the most, and any simple technologist can carry it out for the team. NSO only needs to give them access,” an expert source said on the matter. The inquiry committee, headed by Deputy Attorney General Amit Merari, was appointed by Israel's previous attorney general, Avichai Mendelblit.
The police say their records show that only three of the 26 people that Calcalist named were actual Pegasus targets. Yet, no matter who is believed for now, the question remains: how and when will we know the truth?
The committee could continue trying to obtain official information, but so far the police have been anything but accommodating, and with NSO this may not lead to any meaningful findings.
Another possibility would be conducting forensic examinations on the phones of all 26 listed targets in the hopes of finding evidence of hacking by Pegasus spyware. Yet Bill Marczak of Toronto University's Citizen Lab tells Haaretz that detecting whether spyware was installed on a specific phone isn't so simple.
According to Marczak, it depends on the examination method, the time elapsed since the spyware was installed, and whether the user has erased information on the device or carried out a factory reset. But more importantly, it depends on the type of phone in question.
Marczak claims: “Regarding the method we use in Citizen Lab, assuming that factory reset was carried out, I don't think it's possible to completely erase the evidence of a Pegasus infection.”
Regrettably, he says, there’s only a slim chance of detecting Pegasus software on an Android device, as the latter “keeps very few logs.”
Over the last six months, Amnesty Tech has offered a Mobile Verification Toolkit – which can assist both Android and iPhone users in detecting whether their phones have been compromised by Pegasus.
“Sadly, Android devices are much less easy to view than their iOS-based cousins,” the MVT-Android site explains. Android retains very little diagnostic information that is useful for initial screening and detection, which limits what can be detected. Another problem is that examining the phone requires higher-than-usual technical know-how.
Marczak says there are other ways to attempt to detect a Pegasus hack, such as the one used to detect Pegasus software on dozens of Al Jazeera journalists’ phones: “If you’re afraid your phone has been compromised, connect to your office Wi-Fi. The IT people can probably go over the Wi-Fi logs or domain names identified as related to Pegasus.” Of course, Marczak says, this depends on the relevant time range and whether the entered IP addresses are saved.
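The Wi-Fi log review Marczak describes can be sketched as follows; this is an added example, not code from the article, Citizen Lab or MVT. The log format, the indicator names (placeholders under reserved test domains) and the function names are all constructed, and the point it shows is that a search with no hits is only meaningful if the retained logs actually span the period in question.

```python
from datetime import datetime, timezone

# Constructed indicator list: placeholder names, not real Pegasus infrastructure.
INDICATORS = {"update-check.example", "cdn-sync.invalid"}

# Constructed resolver log: UTC timestamp, client device, queried domain name.
SAMPLE_LOG = """\
2021-07-02T23:50:00Z phone-b www.example.org
2021-07-03T08:14:09Z phone-a api.update-check.example
2021-07-04T22:40:51Z phone-b notupdate-check.example
2021-07-05T01:02:33Z phone-a CDN-Sync.invalid.
2021-07-06T10:00:00Z phone-b mail.example.org
"""

def utc(*parts):
    """Build a timezone-aware UTC datetime from year, month, day, ..."""
    return datetime(*parts, tzinfo=timezone.utc)

def parse(line):
    stamp, client, name = line.split()
    when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, client, name.rstrip(".").lower()  # normalise case and trailing dot

def is_indicator(name, indicators):
    # Match the indicator itself or any subdomain, on a label boundary only,
    # so "notupdate-check.example" does not match "update-check.example".
    return any(name == d or name.endswith("." + d) for d in indicators)

def review(log_text, indicators, start, end):
    """Return (verdict, hits) for the window [start, end]."""
    rows = [parse(l) for l in log_text.splitlines() if l.strip()]
    hits = [r for r in rows if start <= r[0] <= end and is_indicator(r[2], indicators)]
    # Approximation: treat the span between the oldest and newest retained
    # entries as the period the log can speak for.
    times = [r[0] for r in rows]
    covered = bool(times) and min(times) <= start and max(times) >= end
    verdict = "hits" if hits else ("no hits" if covered else "inconclusive")
    return verdict, hits

if __name__ == "__main__":
    verdict, hits = review(SAMPLE_LOG, INDICATORS, utc(2021, 7, 3), utc(2021, 7, 5, 23, 59, 59))
    print(verdict)
    for when, client, name in hits:
        print(when.isoformat(), client, name)
```

An "inconclusive" verdict means the logs were rotated or never kept for part of the window, which is the time-range limitation noted above.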