US authorities on Wednesday put the Israeli maker of the Pegasus spyware on a blacklist of restricted companies, taking aim at software central to a scandal over surveillance of journalists and officials.
The company, NSO, was engulfed in controversy over reports that tens of thousands of human rights activists, journalists, politicians and business executives worldwide were listed as potential targets of its Pegasus software.
Smartphones infected with Pegasus are essentially turned into pocket spying devices, allowing the user to read the target’s messages, look through their photos, track their location and even turn on their camera without them knowing.
“These tools have… enabled foreign governments to conduct transnational repression, which is the practice of authoritarian governments targeting dissidents, journalists and activists outside of their sovereign borders to silence dissent,” the US Commerce Department said in a statement.
Washington also targeted Israeli company Candiru, as well as Singapore-based Computer Security Initiative Consultancy PTE (COSEINC) and Russian firm Positive Technologies that were accused of trafficking in hacking tools.
The companies’ addition to the so-called “entity list” means exports to them from US organizations are restricted. For example, it is now far harder for American researchers to sell them information or technology.
NSO fired back at the decision, saying its “technologies support US national security interests and policies by preventing terrorism and crime.”
“We will advocate for this decision to be reversed,” a NSO spokesperson told AFP, adding its compliance controls have resulted in “multiple terminations of contacts with government agencies that misused our products.”
‘Zero-click’ attack Critics say the widespread availability of software like Pegasus now allows even cash-strapped authoritarian governments to effectively purchase their own answer to the United States’ National Security Agency, with highly invasive surveillance powers.
“NSO Group’s spyware is a tool of repression, which has been used around the world to violate human rights,” Danna Ingleton, deputy director of Amnesty Tech, said in a statement.
“This dangerous industry is out of control, and this must spell the end of the impunity spyware companies have so far enjoyed,” Ingleton added.
A key problem is that companies that supply spyware are left to judge what is an appropriate use of their technology and whether buyers can be trusted to honor restrictions.
“It’s pretty clear that most governments ignore those constraints and do what they believe to be in (their) self-interest,” said Oliver Tavakoli, chief technology officer at cybersecurity company Vectra.
UN experts have called for an international moratorium on the sale of surveillance technology until regulations are implemented to protect human rights following the Pegasus scandal.
Following the initial concern over Pegasus, a subsequent wave of worries emerged when iPhone maker Apple released a fix in September for a weakness that can allow the spyware infect devices without users even clicking on a malicious message or link.
The so-called “zero-click” is able to silently corrupt the targeted device, and was identified by researchers at Citizen Lab, a cybersecurity watchdog organization in Canada.