10/17/2022

An international consortium of journalists exposes a shocking cybersecurity threat in this riveting investigation. Richard and Rigaud, the founder and editor-in-chief, respectively, of Forbidden Stories, a nonprofit committed to pursuing and publishing the unfinished work of reporters who have been murdered, jailed, or otherwise threatened, explain that in 2020, their organization and Amnesty International received a leaked list of 50,000 cell phone numbers selected for possible targeting by Pegasus, a cybersurveillance system capable of hijacking any mobile device connected to Wi-Fi “without raising the tiniest of red flags.” NSO Group, the Israeli company that developed Pegasus, claimed the software was only licensed by sovereign states and “used for law enforcement and intelligence purposes,” but investigators eventually discovered that the list included phone numbers belonging to human rights advocates, nearly 200 journalists, French president Emmanuel Macron, and Hatice Cengiz, the fiancée of murdered Saudi journalist Jamal Khashoggi, among others. Richard and Rigaud briskly detail how reporters and cybersecurity experts determined which devices had actually been attacked or infected, debunking NSO cofounder Shalev Hulio’s repeated claims that Pegasus had not been used against Khashoggi or his loved ones. Lucid explanations of technical and legal matters and vivid profiles of crusading journalists enrich this cautionary tale of technology run amok. (Jan.)

Paced like a thriller, this is an exposé of invasive malware, and a cautionary tale.”
—The Economist

“The story of how investigative journalists exposed the frightening abuse of software that can infect your phone…It makes for absorbing reading…A celebration of journalism and hacking being used to unmask the bad guys.”
—The Guardian

“Pegasus is an alarming and urgent book—an engrossing thriller about cybersurveillance software so sly and powerful that it can take over your cell phone without your knowledge. This is terrifying stuff. Richard and Rigaud reveal how authoritarian regimes can use Pegasus software to spy on dissidents, human rights activists, journalists—and virtually anyone with a mobile phone.”
—David Zucchino, Pulitzer Prize-winning author of Wilmington’s Lie

“Paced like a thriller, Pegasus reveals a manifested dystopia where repressive governments purchase digital bolt-cutters to break into the phones of their critics and adversaries. But it also details the power of investigative journalists to expose a 21st-century arms market whose wares are aimed at civil society.”
—Spencer Ackerman, Pulitzer Prize-winning journalist and author of Reign of Terror

★ 2022-10-26
A troubling exposé of invasive malware meant to spy on criminals but that instead targeted journalists and politicians.

In 2013, Israeli firm NSO Group developed Pegasus, spyware easily introduced into mobile phones, and made a fortune selling it to governments that had no intention of applying it to its nominal targets: “terrorists, criminals, and pedophiles.” As French journalists Richard and Rigaud write, a leaked data dump that landed on their desks showed that Pegasus—created after Apple refused to allow law enforcement agencies a back door into its phones, reasoning that “the black hats were sure to get them, too, and could then do damage to innocent people”—was used by governments against journalists and activists critical of their regimes. By the authors’ account, the Saudis used Pegasus to track murdered journalist Jamal Khashoggi. “Traces of evidence in the Android phone belonging to Khashoggi’s wife, Hanan, suggested she had been targeted by Pegasus spyware before his murder but did not prove a successful infection,” they write. Other journalists in places such as Mexico and Azerbaijan were also targeted, often before being jailed or killed, as were political opponents of the governments of India, Hungary, and Morocco, among others. Distributing the work of electronic forensics to identify the targets in that leaked database, Richard and Rigaud recruited numerous partners, including the Guardian and the Washington Post, coordinating a series of stories that showed how Pegasus was distributed through holes in the phones’ security. As the latter publication revealed, “When iMessage was just an Apple version of SMS, it was pretty locked down…but once the app allowed iPhones to download video and GIFs and games, it became significantly less secure.” Apple and Android phones have since become more secure, but the black hats are usually a step ahead.

An urgent cautionary tale for those who “hope to forestall the Orwellian future” of cybersurveillance.