Pegasus, the “Evil Twin” and Why You Probably Need a Security Consultant

For over a decade, Dan Harris and others have been writing in this space to warn that you should be “paranoid” about your data security when you travel to China. In this post, from 2010, Dan wrote, [When in China] “I assume my hotel room is bugged and my Internet is monitored. I assume the worst and I take every measure I can to be careful.”

Me too. I used to travel to China all the time, and when I visited Beijing, I usually stayed in the same conveniently located 5-star hotel. Where I was always assigned the same room. What are the odds of that, you say? Around 258-to-1, if I had only stayed there twice, and I stayed there dozens of times. I guess the budget of the Public Security Bureau (PSB) doesn’t extend to wiring all the rooms for sound (and pictures?!?).

Last month a story broke about an Israeli company called NSO Group and its Pegasus spyware application. In case you missed the story, Pegasus spyware is purportedly sold to government agencies only. It infects a target’s phone and sends back data, including photos, messages, and audio/video recordings. Basically, it copies all the content on the target’s phone.

You can imagine the sales pitch: “This application will let you identify terrorists and other threats to your domestic security. We don’t sell it to anyone but government clients, so you know the bad guys don’t have the same capability. Oh, and it’s untraceable, so even if people figure out they’ve been hacked, they won’t know who hacked them.”

Certainly, that sort of “God’s eye view” inside electronic devices is nice to have if you’re in the anti-terrorism or crime prevention business. But who imagines that governments draw the line at surveillance of suspected terrorists? Certainly the U.S. government has been happy to execute warrantless surveillance on U.S. citizens within U.S. borders for decades, mostly with the willing assistance of U.S. telecoms carriers. Recently it was revealed that the Trump administration (via the Department of Justice) spied on at least five U.S. journalists who worked for media outlets President Trump believed were his “enemies”.

And the media outlets that broke the story about Pegasus found that in a sample of 1,000 of the telephones that had been hacked (the total is believed to exceed 50,000) were those belonging to hundreds of politicians and government workers — including three presidents, 10 prime ministers, and a king — plus 189 journalists, and 85 human rights activists. Enemies of the state, in other words. Or to put it another way, enemies of … someone who had a very powerful surveillance tool and wanted to keep an eye on things.

And of course, as weak as your protections are in the United States, in China (and places like it), they’re nonexistent.

Around 10 years ago, on one of my many trips to Beijing, I was introduced to an Israeli security consultant, presumably ex-Mossad, who made his living developing data encryption solutions. Several months after our first meeting, I ran into “Lev” again, in the lobby of my hotel. He did a double-take and said, “What are you doing here?” I replied, “Er, I’m staying here, Lev. I always stay here.” He seemed to grudgingly accept my story, and said, “I never stay in the same hotel twice.”

He then told me how on a previous trip to Beijing, his client had called him in the hotel to invite him to lunch. Oddly, Lev didn’t bring his laptop along, and after lunch was finished, he found his client trying to delay his return to the hotel. Finally, Lev said, “Look, I really have to go.” When he returned to his room, his laptop was gone. The PSB had been unable to crack it during the 90 minutes he had been out and had simply taken the laptop to try to finish the job.

“What happened then,” I asked.

“They returned it later in the day,” he said. “Without apology.”

“So, do you think they cracked it,” I asked.

“Never in a million years could they crack it,” he replied, with the closest thing he could manage to a smile. Which is why Lev was in Beijing in the first place; selling his company’s “uncrackable” technology to some of the many people who would prefer to keep their secrets from the Chinese government or whomever.

A similar story was told to me by a lawyer friend who was traveling on business in Japan, where he was representing a group that was not beloved by the Japanese government (but nonetheless was entitled to judicial due process, one might have thought). My friend returned to his hotel room after a meeting and encountered a pair of Japanese men in suits (my friend presumed they were agents of the Security Bureau of the National Police Agency) perusing the screen of the laptop my friend had left open on the desk. “We’re checking the network,” these Men in Black said (in good English!), and strolled out past him, cool as could be.

My friend had left nothing worth finding in his room, and like me, he assumes his hotel rooms are wired for sound (at the very least).

In an article I read about the Pegasus Project, the author (a former reporter for The Wall Street Journal) noted that he had recently hired a former government surveillance expert to train him in evading surveillance. He wrote: “We traipsed across London discussing possible scenarios, but my lasting impression was this: every day across the major cities of the world, there are teams of four or five who are following businesspeople, political figures and journalists to ascertain whom they’re meeting with and what they’re saying to each other. When I asked this expert’s colleague about how he might gain access to my phone if hired for the job, he explained that one way would be to follow me into a tube station with a backpack broadcasting a powerful WiFi signal with the same name as my mobile service provider’s WiFi in the underground. When my phone connected to it, not realizing it was a fake, it would instantly become compromised with malware. I heard from one political dissident about a suspicious motorcycle parked in front of his London house. When the police checked it out, they found a WiFi router connected to the bike’s battery with the same name as his home’s WiFi. There’s a name for this attack: “evil twin”.

Even if you carry “clean” laptops and use “burner” phones when you travel internationally (which in my very inexpert opinion puts you in the top one percent of security conscious businesspeople), would you fall for this? I thought so.

If you have secrets, you almost certainly need to up your security game. If you have really important secrets, you should probably hire a security consultant who can help you figure out how to keep your secrets safe(r).