The big picture: Many of us use our phones without living in constant fear that our personal data could be stolen, but a new report should be a big eye opener for many, including big tech. The claims goes that an authentication technique that is used on almost any big cloud service can easily be bypassed by a tool designed by an Israeli company surrounded by controversies related to its ethics.
Earlier this year, news broke that a vulnerability in WhatsApp allowed a spyware tool to be injected into phones with a simple call that wouldn’t need to be answered and also wouldn’t leave any trace. The software was architected by a secretive Israeli firm called NSO Group, who is also behind the infamous Pegasus spyware, with a history of selling this kind of tools to governments and intelligence agencies.
A new report from Financial Times says the very same company who was essentially selling the keys to our digital lives has been touting new capabilities for its flagship spyware tool Pegasus to potential buyers. Where previously it was only able to harvest data from the phone’s storage, apparently it can now steal a user’s data from various accounts made on Apple, Microsoft, Facebook, Amazon, and Google’s cloud services.
The spyware tool is said to have received a significant upgrade that allows it to access things like location history, archived messages, and other online data not synced on the phone. While it’s not clear how exactly this is achieved, FT speculates that once Pegasus is on the target phone, it is able to essentially clone the authentication keys of services like Facebook Messenger and Google Drive and sync it with a surveillance server, where it can be then used to imitate the phone down to a tee, location included.