4 things to learn from the smartphone security breaches in Mexico.

First, everyone is susceptible to and a potential target of mobile surveillance, including chidren.

This past summer, an announcement hit the international news wire declaring the mobile devices of twenty-two prominent Mexicans were discovered to be infected with sophisticated malware known as Pegasus. The list of targeted individuals included journalists, lawyers, public health workers, anti-corruption specialists, international investigators and members of the Mexican government. The perpetrators of the espionage program even went so far as to hack the phone of the adolesent son of one of the compromised journalists. A journalist historically critical of Mexican President, Enrique Pena Nieto. All the individuals targeted have one thing in common: they have either been critical of or represent a threat to the current Mexican administration, the Institutional Revolutionary Party (PRI).

Bear in mind, the software was built by and acquired from the NSO Group – a stealthy Israeli tech company that operates in the shadows, yet claims to have a stringent vetting process and sells exclusively to government clientele to “monitor terrorists and criminals”. Once activated on a device, the spy software allows a hacker to gain “root access” to compromised devices. Meaning, in addition to being able to access content residing on an infected phone, the microphones and cameras can be used to capture data within its vicinity (aka, Proximity Data), without the owner of the device ever knowing.

So, the second lesson; regardless of the “intended purpose” of any monitoring software, misuse should be assumed.

I grew up during the cold war when spies had to elaborately plan to capture conversations of interest. Once a target was identified, it was necessary to gain access to a location where the individual would be. Prior to the target arriving, eavesdropping equipment would need to be meticulously installed and tested. This effort took a lot of human power. In today’s ever-connected world, almost everyone on the planet carries around a device that can easily be hijacked and repurposed for eavesdropping, making the old method of “planting a bug” obsolete. In addition to utilizing the built-in audio and video capabilities, the internal GPS of a mobile phone can be used to reveal the location of an individual, even if the phone has been turned off. It is easy to see why mobile phones are rapidly becoming the “target of choice” when it comes to spying on someone.

Third lesson, getting malware onto digital devices is child’s play for sophistated hackers and it often comes down to social engineering.

To gain control of the targeted mobile phones in Mexico, the hackers used social engineering and phishing techniques via text messages. Each of the twenty-two targeted individuals in Mexico received texts enticing them to click on a link accompanying the message. The few who managed to avoid committing to the links would receive new, repeated attempts in a matter of days.

It is easy to read the details and rush to judgement regarding the foolishness of someone clicking on a link sent from an unknown number. But who amongst us can honestly say they have always avoided clicking on a link from an unidentified number? After all, the human mind has evolved over millions of years to fill in blanks and make assumptions when information is missing. Further confirmation, Intel Security did a survey of over 22-thousand people which revealed 97% were unable to correctly identify a well-crafted phishing email.

There are a lot of unknown facts associated with the situation in Mexico but certain things we do know. Mexico has admitted being a client of NSO. Back in 2012, the government reported it had signed a $20 million deal with the company. It is also widely known the software was distributed to multiple government entities throughout the country making the enforcement of proper government phone security usage difficult to manage. Even with this information, there is still no concrete evidence anyone in the Mexican government misused the software. As time goes on, we may learn additional details about the situation or we may continue to be left in the dark. President Nieto has publicly stated there is an ongoing internal investigation on the matter but many are skeptical.

Finally, legitimate global technology companies making surveillance software are growing and the industry is highly profitable.

I hope the situation in Mexico will serve as a wake-up call to everyone. Important trends have come to light because of the situation and we all need to pay attention to smartphone security. Global technology surveillance companies do exist and their capabilities are being utilized to spy on people around the world. Bloomberg estimates there are 230 companies around the world in the data interception and tracking industry. The number of companies specializing in espionage via personal technology is growing and will continue to grow. The value of the NSO Group increased from $120 million in 2014 to over a $1 billion in 2017. Undoubtedly, new players will emerge given the potential financial incentives. The fact remains, if someone wants to hack you and they have either money or technical skill, you will get hacked.

The motto of the NSO Group is “To Make the World a Safer Place". After learning about the situation in Mexico and its global implications, do you feel the world is a safer place?

Back to Blog