The Israelis Behind History's 'Most Sophisticated Tracker Program' That Wormed Into Apple

Global media tried over the weekend to figure out who is NSO of Herzliya, the company that forced Apple to make a frantic security update.

Human rights activist Ahmed Mansoor shows Associated Press journalists a screenshot of a spoof text message he received in Ajman, United Arab Emirates, on Thursday, Aug. 25, 2016. Mansoor was recently targeted by spyware that can hack into Apple's iPhone handset. The company said Thursday it has updated its security. The text message reads: "New secrets on the torture of Emirati citizens in jail."
Jon Gambrell, AP

On August 10, Ahmed Mansoor, a human rights activist in the United Arab Emirates, received a text message that invited him to click on a link that would reveal new information about torture in jails in his country. 

Mansoor, who has been a repeated target of the regime, grew suspicious and turned over the message to researchers from Citizen Lab. 

Mansoor’s gut feeling was right. The link would not have led him to information on torture but rather would have taken advantage of three flaws that Apple was not aware of to surreptitiously hack his iPhone, turning it into the perfect spying device.

Human rights activist Ahmed Mansoor speaks to Associated Press journalists in Ajman, United Arab Emirates, on Thursday, Aug. 25, 2016. Mansoor was recently targeted by spyware that can hack into Apple's iPhone handset. The company said Thursday it has updated its security.
Jon Gambrell, AP

The researchers discovered that the malware enabled recording conversations, accessing photos, text messages and geographic location, and control of the phone such as remotely operating the camera or loudspeaker. The program was connected to 200 different servers, some of them leading to a Herzliya-based company called NSO Group and to software it developed called Pegasus. 

Lookout, a company involved in discovering how NSO’s malware operates, was impressed. “It’s the most sophisticated tracking software we have encountered, that completely takes over the device with just one click of a link,” one person at the company said.

The logo of the Israeli NSO Group company is displayed on a building where they had offices until a few months ago in Herzliya, Israel, Thursday, Aug. 25, 2016.
Daniella Cheslow, AP

Lookout said another advantage was the company’s ability to maintain secrecy: Pegasus hacks the device without its owner being able to detect its existence, and can only be detected by a lab.

For the past six years, almost all global technology companies have offered hefty cash prizes to hackers who could detect bugs in their systems and warn them – save for Apple. Its iOS platform is considered particularly secure and many people handling sensitive data choose Apple products for this reason. Apple’s announcement over the weekend about an urgent software update due to security problems showed that the company finally realized that no one is safe in the new spying age.

Omri Lavie, Shalev Hulio and Niv Carmi founded NSO in 2009, naming it after the initials of their first names. Carmi left shortly thereafter over disagreements with his partners. Meanwhile, a group of investors, headed by Eddy Shalev, a founding partner of Genesis Partners, took 30% of the company for just $1.8 million. When Francisco Partners, a California private equity firm, bought NSO in 2014, it paid $130 million. Reuters reported last year that the fund was looking to sell NSO for $1 billion.

NSO, based in Herzliya Pituah, employs 200 people, more than twice as many as two years ago. NSO’s annual revenue is estimated at $100 million.

“We insisted that all intellectual property remains in Israel, that the development center remains in Herzliya and not move to Silicon Valley or anywhere else outside Israel,” Hulio, the CEO, wrote on Facebook after the acquisition. 

NSO asserts that the technology is meant to help fight crime and terror. “The company develops products to help governments fight crime and terror. The company only sells to authorized government bodies, subject to all security export laws,” the company said in a statement.

It also stressed that it sells the technology but doesn’t operate the systems for its customers.  

“The contracts signed with clients require strictly legal use of the technology, only for investigating and preventing crime and terror.”

But its Pegasus product may have been put to unauthorized uses. Israeli media reported in 2012 that Pegasus was sold to the Mexican government for $15.5 million to help it fight the country’s drug cartel. But The New York Times said last week that the software was also used to spy on Rafael Cabrera, a Mexican journalist who uncovered conflicts of interest among the country’s ruling family.

In other cases, according to the report, NSO’s tools were adapted for use against targets in Yemen, Turkey, Mozambique, Kenya and the United Arab Emirates. 

The Israeli government regards its tracking software as no less than a weapon, whose exports are supervised by the Defense Ministry. The ministry lets NSO sell the software only to countries with good relations with Israel and not to businesses.

Israel is a star of the global interception and tracking industry. According to Bloomberg, there are some 230 companies, prominent among them being Israeli Verint, European Nokia-Siemens, French QOSMOS and Amesys, American Blue Coat and SS8, Italian Hacking Team and British Gamma. 

Other prominent Israeli companies are Alut, Cellebrite and Elta, as well as Israeli-American Narus, which Lockheed Martin acquired. Israeli company Nice Systems last year exited the defense market, which generated limited profitability for it and unflattering headlines about problematic regimes using its products.

Lavie and Hulio, 35, have been starting up companies since their high school days in Haifa. 

Hulio served six years in the army, half in intelligence and later as a search-and-rescue commander. In reserve duty, he has joined all of Israel’s overseas rescue missions in recent years, including in Nepal, Haiti and Turkey. 

Lavie served in artillery before studying business administration at the University of Haifa, while Hulio started studying law at Herzliya’s Interdisciplinary Center. But they both dropped out in favor of entrepreneurship.

They founded their first startup, MediAnd, which helps viewers locate and buy items appearing on the screen, in 2007. It closed after three years, ending in a court case with the third founder, Yael Lerner Levy. 

They founded their second startup, CommuniTake, a year later to help cellular operators remotely identify problems and support. The two left it following disputes with their cofounders and then founded NSO.

In 2013 they teamed up with Avi Rosen, the former vice president for development at Cyota, Education Minister Naftali Bennett’s security information company that was sold to RSA for $145 million in 2005. The three founded Kaymera Technologies, which develops cellular security solutions, in other words security from spyware like NSO’s. 

“Anybody who sees the capability of NSO systems immediately thinks of ways to protect themselves against similar capabilities,” Rosen, Kaymera’s CEO, told Bloomberg in 2014.

Kaymera has developed secure smartphones for governments and private customers worldwide, with annual sales estimated at $15 million. The company has raised $13 million, $10 million of that in February. Its investors include Hong Kong-based GOEC Go Capital Ventures and Israeli angels Yariv Gilat and Eddy Shalev, who has accompanied the entrepreneurs the entire way. 

Kaymera is located in Herzliya Pituah, in the same building as NSO. However, the company asserts Hulio and Lavie are not involved in Kaymera’s daily operations.