Defending Against Pervasive Spyware

The revelation that Israeli company NSO Group’s spy software Pegasus was targeting the smartphones of activists, journalists and business executives sent a shockwave through the international press.

The spyware successfully infiltrated the mobile devices of more than 50,000 people, from Mexican president Andrés Manuel López Obrador to reporters from CNN to Claude Mangin, the French wife of a political activist jailed in Morocco.

Simply put: if spyware can infect and infiltrate the world’s elite on every corner of the planet, that means the threat to organizations and individuals must be taken seriously. Spyware impacts everyone.

Moreover, in today’s work-from-anywhere world, mobile devices are critical to any job, and the ability to access email, customer information and proprietary data while on the go is non-negotiable.

Mobile Devices are Mission-Critical

Because of the wealth of data that can be accessed from a mobile device, companies must treat these devices as mission-critical to business continuity.

This means having control and visibility into what is happening on a mobile device, so they can prevent spyware attacks from compromising critical data.

Shawn Smith, director of infrastructure at application security provider nVisium, pointed out that the transition to a remote work style has changed the attack vector for spyware slightly.

“For example, in the past, all the networking gear in an office would be tightly controlled, monitored and patched for security issues as needed,” he said. “However, in a world where employees can work from anywhere, their home networking equipment becomes a new security issue.”

Smith said with such a wide variety of equipment that can be used, often in an unmaintained and unsecured state, this makes the issue of spyware much harder to defend against.

“You have to double your efforts on the security and encryption of the devices you can control, such as the employee’s corporate computer, and rely less on the network monitoring approach that was used in the past,” he said.

Aiming at the Wrong Target

For Kevin Dunne, president at Pathlock, a provider of unified access orchestration, too many businesses are still focused on their servers and workstations as the primary targets for hacking and espionage.

“Mobile devices are now used broadly and contain sensitive information that needs to be protected,” he said, noting spyware is primarily targeting these mobile devices and providing critical information to unauthorized parties.

That means businesses should be taking a closer look at their mobile device security strategy.

“In the past, users could be trained to avoid spyware infections by looking out for suspicious SMS messages and making sure not to click on links from any numbers they did not recognize,” Dunne explained. “However, spyware attackers have now engineered zero-click attacks which are able to get full access to a phone’s data and microphone or camera by using vulnerabilities in third-party apps or even built-in applications like Apple Music.”

He said organizations need to make sure they have control over what applications users download to their phones and can ensure they are up-to-date so any vulnerabilities are patched.

Dunne also pointed out that as the number of applications installed on a mobile device continues to grow, the number of potential entry points and threat vectors for spyware attackers will also balloon.

“Companies will look closely into mobile device management and anti-spyware solutions for iOS and Android, as they try to come to grips with the increasing number of threat vectors,” he said. “In particular, zero-click attacks will become a large area of risk, as they remain mostly undetectable without advanced solutions and increased levels of control.”

It was a Good Idea at the Time …

Setu Kulkarni, vice president of strategy at NTT Application Security, said now’s the time to get behind Apple and others (including Google) as they up the stakes against what was originally intended to be “spyware” for societal good.

From Kulkarni’s perspective, the line between acceptable surveillance (if there is such a thing) and privacy intrusion is very thin.

“In the most recent case, Pegasus being used to target political opponents is well within the realm of crime and should be dealt with as such,” he pointed out. “For Apple and other manufacturers, this is a moment of reckoning to get further entrenched with the governments to create more checks and balances while they make their platform more impenetrable to bad actors.”

For lawmakers, this is a moment of reckoning, as well, to create consequences for misuse of such utilities.

Kulkarni said he hopes this does not end up with such drastic measures taken that an otherwise legitimate tool is unusable. NSO claims that it provides cyber intelligence for global security and stability; Kulkarni emphasizes that lawmakers have a duty to keep society safe.

“Ultimately, for NSO, Apple and law enforcement agencies–the lesson is that with great power comes great responsibility,” he said. “It is time to step it up and find a way forward where NSO, Apple and law enforcement agencies can further improve their collaboration, rather than take a step back.”

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.

nathan-eddy has 302 posts and counting.See all posts by nathan-eddy