Deleted Logs? How Israel Can Discover the Truth About Pegasus

No one has talked to NSO to verify allegations — but only they can provide the Israeli public with the truth, experts say

Send in e-mailSend in e-mail
A smartphone with the website of Israel's NSO Group which features 'Pegasus' spyware, July.
A smartphone with the website of Israel's NSO Group which features 'Pegasus' spyware in July. Credit: Joel Saget / AFP

Digital forensic reports have revealed with high certainty that the phones of at least two senior Israeli officials were hacked in some capacity using spyware technology.

The information was provided by an Israeli cybersecurity firm that examined the officials' phones in the wake of recent reports that the Israel Police had inappropriately used the infamous NSO group's Pegasus spyware. Yet in this case, the findings do not point to Pegasus technology – which forces us to ask: How will such invasions of privacy be detected in the future, and will the public ever know how many others were victim to Pegasus spyware?

The committee appointed to look into reports that the Israel Police used the spyware to hack into a number of civil servants and public figures’ phones, hasn’t yet approached the NSO group. However, experts tell Haaretz that the committee will not be able to confirm or refute the hacking allegations without NSO’s cooperation.

This is because the police's intelligence unit – the unit that reportedly used the spyware illegally – could in theory delete the logs that document their actions, just as chats or message history can be deleted from one's cell phone. However, documentation of police surveillance using Pegasus spyware cannot be erased or edited from the logs of the Pegasus operating system and much like cell phone companies have access to their users' conversations – NSO has access to all the Pegasus logs. The committee's cooperation with NSO is thus essential to finding out whether the spyware was used for surveillance purposes and, of course, on whom.

NSO sent a formal letter to Calcalist on Thursday, confirming that while the police may be able to delete their activity logs, they cannot delete or edit the logs within the Pegasus software. So far, the committee has looked at the phones of 26 civil servants that Calcalist listed as hacking targets. The list included director generals of government ministries, advisors to former Prime Minister Benjamin Netanyahu and his son Avner, as well as city mayors and business people. According to the results of the investigation – which were submitted to Prime Minister Naftali Bennett and Attorney General Gali Baharav-Miara - only three of the 26 listed people had been targeted with the spyware, and in only one of those cases did the police manage to successfully install the software on the individual's phone.

The police maintain that in all these cases, the use of spyware had been authorized by a court order. However, if the committee seeks to expand the investigation, or is concerned that officers with access to the system could have deleted their logs, it will have to directly approach NSO. NSO said this week that while the company is willing to assist with the committee's investigation, they have yet to be approached for help.

“It's an act that should take a few days at the most, and any simple technologist can carry it out for the team. NSO only needs to give them access,” an expert source said on the matter. The inquiry committee, headed by Deputy Attorney General Amit Merari, was appointed by Israel's previous attorney general, Avichai Mendelblit.

Confirming Pegasus

The police say their records show that only three of the 26 people that Calcalist named were actual Pegasus targets. Yet, no matter who is believed for now, the question remains: how and when will we know the truth?

The committee could continue trying to obtain official information, but so far the police have been anything but accommodating, and with NSO this may not lead to any meaningful findings.

Another possibility would be conducting forensic examinations on the phones of all 26 listed targets in the hopes of finding evidence of hacking by Pegasus spyware. Though Bill Marczak of Toronto University's Citizen Lab tells Haaretz that detecting whether spyware was installed on a specific phone isn't so simple.

According to Marczak, it depends on the examination method, the time elapsed since the spyware was installed, and whether the user has erased information on the device or carried out a factory reset. But more importantly, it depends on the type of phone in question.

Marczak claims that “Regarding the method we use in Citizen Lab, assuming that factory reset was carried out, I don't think it's possible to completely erase the evidence of a Pegasus infection.”

Though regrettably, he says there’s only a slim chance of detecting Pegasus software on an Android device, as the latter “keeps very few logs.”

Over the last six months, Amnesty Tech has offered a Mobile Verification Toolkit – which can assist both Android and iPhone users in detecting whether their phones have been compromised by Pegasus.

“Sadly, Android devices are much less easy to view than their iOS-based cousins,” the MVT-Android site explains. Android keeps very little useful diagnostic information to carry out an initial selection and detection, which limits its detection ability. Another problem is that the phone requires a higher than usual technical know-how.

Marczak says there are other ways to attempt to detect a Pegasus hack, such as the one used to detect Pegasus software on dozens of Al Jazeera journalists’ phones: “If you’re afraid your phone has been compromised, connect to your office Wi-Fi. The IT people can probably go over the Wi-Fi logs or domain names identified as related to Pegasus.” Of course, Marczak says, this depends on the relevant time range and whether the entered IP addresses are saved.

Click the alert icon to follow topics:

Comments

SUBSCRIBERS JOIN THE CONVERSATION FASTER

Automatic approval of subscriber comments.
From $1 for the first month

SUBSCRIBE
Already signed up? LOG IN

ICYMI

The Orion nebula, photographed in 2009 by the Spitzer Telescope.

What if the Big Bang Never Actually Happened?

Relatives mourn during the funeral of four teenage Palestinians from the Nijm family killed by an errant rocket in Jabalya in the northern Gaza Strip, August 7.

Why Palestinian Islamic Jihad Rockets Kill So Many Palestinians

בן גוריון

'Strangers in My House': Letters Expelled Palestinian Sent Ben-Gurion in 1948, Revealed

AIPAC

AIPAC vs. American Jews: The Toxic Victories of the 'pro-Israel' Lobby

Bosnian Foreign Minister Bisera Turkovic speaks during a press conference in Sarajevo, Bosnia in May.

‘This Is Crazy’: Israeli Embassy Memo Stirs Political Storm in the Balkans

Hamas militants take part in a military parade in Gaza.

Israel Rewards Hamas for Its Restraint During Gaza Op