According to a new report from the Citizen Lab, some of the most distinguished journalists and activists of Mexico have been marked by a colossal spyware campaign.
The campaign was suspected to have operated from August 2015 and July 2016 and contained 76 separate spyware-laced SMS messages sent to 11 different targets. A notable victim was TV journalist Carmen Aristegui and her son. It is uncertain why she and the others were targets of this spyware, however there is speculation that it is related to their investigation of the "Casa Blanca" scandal.
The messages delivered themselves through many different disguises. For example, one message presented itself as "message not sent" or another would pop up as an Amber Alert. Other messages even embarked the contentious route and delivered themselves as the US Embassy’s visa division or a dispossessed friend leaving details about a funeral. Upon clicking the message, the spyware quietly installed itself onto the device after bypassing a trio of previously disclosed iOS vulnerabilities.
Citizen Lab suspects that the Israeli spyware vendor NSO Group is responsible for the campaign because the resemblance of the codes on the spyware and the location where the host domains were stored.
— Virus Bulletin (@virusbtn) June 19, 2017
The company grew it's prestige when a similar software was discovered on the iPhone of human rights activist Ahmed Mansoor in the United Arab Emirates. It's been circulating that the group is on sale for roughly $1 billion.
The discovery incited an emergency patch by Apple to seal all the unusual exploited IOS vulnerabilities. However, because the Mexican campaign took place before the patchwork, that left all the IOS vulnerabilities exploitable.
According to NSO Group's Claims and Oversight, "NSO's mission is to help make the world a safer place, by providing authorized governments with technology that helps them combat terror and crime." Although there would be limitations on it's uses in countries like Iran or North Korea, Mexico is not forbidden from it's services. According to the New York Times, there is a record that shows $80 million of NSO sales to distinct Mexican federal agencies. The legality of authorizing the campaign is undetermined, but an anonymous expert reported to the Times that a federal judge would not approve such a request.
Is it fundamentally permissible for spyware companies such as NSO to offer their services to government agencies without legal authorization, or should the company and Mexican federal agencies face consequences for their actions?