NCSC Outlines Tips to Mitigate Commercial Surveillance
The National Counterintelligence and Security Center (NCSC) on Friday warned about the risks posed by commercial spyware to smartphones.
Recent revelations around commercial spyware like the NSO Group’s Pegasus, especially following news that it was used to hack the phones of several American diplomats, has prompted a government response over the last few months.
The US blacklisted the company in November, something which forbids it from selling in the US but also US firms from selling technology to the company.
Now government agencies like the National Counterintelligence and Security Center (NCSC) are warning civilians about spyware like Pegasus and how to prevent their own devices from becoming compromised.
While Pegasus and NSO aren’t explicitly named, it’s certainly hinted. A bulletin released on Friday discussed capabilities of “commercial surveillance software,” including its ability to record phone calls, track a user’s location, and access text messages, files, and browser activity.
“Companies and individuals have been selling commercial surveillance tools to governments and other entities that have used them for malicious purposes,” the bulletin reads, “Journalists, dissidents, and other persons around the world have been targeted and tracked using these tools, which allow malign actors to infect mobile and internet-connected devices with malware over both WiFi and cellular data connections.”
While it’s highly unlikely that an average citizen could find their phone infected by malware like Pegasus – the malware has mainly been used to spy on dissidents, journalists, and politicians – the guidance still contains some best practices designed to enhance cybersecurity awareness.
NCSC, which is part of the Office of the Director of National Intelligence, recommends users:
- Regularly update their device operating systems and mobile apps.
- Be suspicious of content from unfamiliar senders, especially those with links or attachments.
- Don’t click on suspicious links or emails or attachments.
- Check URLs before clicking links.
- Regularly restart mobile devices – this can help remove mobile implants.
- Encrypt and password protect your device.
- Maintain physical control of your device whenever possible.
- Use trusted Virtual Private Networks.
- Disable geolocation options and cover camera on devices.
Not all of these recommendations may be necessary for every user; threat models vary and it’s worth noting that some of these practices may be overboard for some. As NCSC notes, even following the steps to a ‘T’ may not totally eliminate risk entirely. The last line of NCSC's guidance may only pertain those in high risk scenarios: "It's always safest to behave as if the device is compromised, so be mindful of sensitive content."
While commercial surveillance malware like Pegasus isn’t new, in the eyes of experts, the sophistication around the exploit used by the spyware is unrivaled.
Project Zero, Google’s crew of zero day threat researchers, called FORCEDENTRY, the exploit that Pegasus uses, one of the most technically sophisticated exploits they’d ever seen in a deep dive published in December. It’s largely because the spyware relies on a zero-click exploit, something that as the name suggests, doesn’t require human interaction to work. There is no way to prevent exploitation; there’s no phishing email or link to be wary of, the exploit works in the background. All an attacker would need to target a user with Pegasus is their phone number or AppleID username.