Two U.S. government agencies have warned journalists, dissidents, and others about commercial surveillance software, saying the tools “access and retrieve virtually all content on a phone.”
In a recently released one-page document, the Department of State and the National Counterintelligence and Security Center advise potential targets of commercial surveillance software to take several measures to protect themselves. The warning comes after reports last year about the Pegasus surveillance tool sold by Israeli company NSO Group being used to spy on journalists, politicians, human rights activists, and other people.
Much of the advice from the two agencies repeat suggestions that cybersecurity experts have been making for years. Among other things, the agencies call on potential surveillance targets to update device operating systems and mobile apps regularly, be suspicious of links and attachments from unknown senders, encrypt their devices, and use virtual private networks.
“While these steps mitigate risks, they don’t eliminate them,” the document says. “It’s always safest to behave as if the device is compromised, so be mindful of sensitive content.”
The agencies noted that commercial surveillance software could install malware on smartphones and give attackers access to text messages, files, chats, commercial messaging app content, contacts, and browsing history.
Some cybersecurity experts said many of the agencies’ recommendations are things smartphone users should already be doing. Some are “simply good cyber hygiene,” said Nasser Fattah, North America Steering Committee chairman at Shared Assessments, an organization focused on reducing cyber risk.
However, the recommendation to cover the camera on a smartphone may be difficult for most users, he told the Washington Examiner. “As we know, most if not all smartphone cases are designed to expose the camera, not cover it,” he said.
Other recommendations, such as disabling geolocation in apps and installing a VPN, may be a heavy lift for the average smartphone user, Fattah added. “Thus, for those phone users that do not understand the technical lingo or suspect foul play on their smartphones, the best course is to simply seek professional technical support,” he said.
The good news for many smartphone users is that some commercial surveillance software such as Pegasus is expensive, he noted. Some reports suggest Pegasus costs $5,000 or more to install, plus additional fees to target devices. The cost “might explain why the attacks are very targeted,” he added. “For this reason, I don’t expect regular smartphone users to be victims of Pegasus.”
The advice from the agencies is helpful, said Dan Piazza, technical product manager at Stealthbits Technologies, a cybersecurity software vendor.
“If individuals follow all of these guidelines, then they will have a large step up with regard to protection,” he told the Washington Examiner. “When it comes to targeting individuals, threat actors want easy targets. Once they realize their target has hardened their device and security posture, they typically move on to the next target.”
Still, the advice should have included a couple of more items, he added. Device users should use multifactor authentication and password managers, as he noted that such tools could stop a considerable number of attacks.
Still, it may be difficult for people to determine if they’re getting targeted for surveillance, especially those not covered by enterprise cybersecurity tools, Piazza added.
“Threat actors get smarter and more effective each year, meaning it’s become increasingly difficult to detect a breached device or account,” he said. “In general, if a device is behaving oddly — slow, apps not working as expected, intermittent network connectivity issues — then it’s worth investigating for potential compromise.”
However, others said many people shouldn’t worry about being the victim of a targeted surveillance campaign.
If you aren’t in the targeted groups, don’t handle classified government data, or don’t handle corporate secrets, then your life probably doesn’t merit the expense of something like the NSO Group-class malware,” said Allan Buxton, director of forensics at cybersecurity vendor SecureData.
Less expensive spyware tools are also readily available, however, with people using it to track spouses or other people, he noted. He recommended that people follow the agencies’ recommendations, including maintaining physical control of their devices.
In addition, many people already freely share personal information online, Buxton told the Washington Examiner.
“The first question people should ask themselves is, ‘Do I really merit the expense of surveillance?’” he said. “If you’re active on social media, broadcasting your location and activities, or sharing work details on a public page, anyone wanting to surveil your activities may already have plenty.”
