In the cat-and-mouse game we are all apparently playing when it comes to keeping our information safe online, Israeli security company NSO is reportedly advertising to governments that its Pegasus software is able to crack encrypted cloud storage, including iCloud, OneDrive, and Google Drive.
A report from The Financial Times says the company, known for its previous malware attack capabilities related to WhatsApp, is able to harvest both information on users' devices and data stored in popular cloud services, though the company has denied it markets any such technology.
In a statement to AppleInsider, the company said "We do not provide or market any type of hacking or mass-collection capabilities to any cloud applications, services, or infrastructure."
It hasn't, however, denied it has such technology, and The Financial Times report indicated the Pegasus software has been found on devices in the wild. I reached out to the company but did not immediately receive a response.
First, a little good news. For the technology to work, the company would have to have root access to your device. That means that to install software that gives it control over your iPhone or Android device, it needs access to the core subsystems on the device, as opposed to simply downloading a normal app.
Since NSO maintains it only provides software to government agencies, it's highly unlikely your device is at risk unless it falls into the hands of law enforcement or an intelligence agency.
If that's the case, there's a good chance your iCloud account is not your biggest immediate concern.
The government wants to keep an eye on your data.
But there's bad news, and it's actually a pretty big deal. NSO says it only markets its technology to governments, which is, I guess, some consolation that at least it's not likely to end up in the hands of criminal hackers. But is that really any less disconcerting?
Because what it really means is that your government is constantly looking for ways to invade your privacy. The only reason a product like this would exist is that governments aren't fans of encryption, since it means they can't access the contents of your mobile device or cloud storage.
Well, you might say, surely the government only wants to get the information from bad guys, right? Except that doesn't matter. Encryption that can be freely broken when it's used by bad guys isn't actually encryption. It's an illusion.
And the illusion isn't protecting us from anything.
The illusion of privacy.
Ironically, most of us walk around with the illusion of privacy, or protection, every day. The fact that most of us haven't had our information breached is simply a matter of random luck. It's basically because no one has tried.
It would be like painting the outside of a deadbolt lock on your door, and then reassuring yourself that you're safe. You're not, but you feel like you are because no one has ever broken into your home.
But they could, if they just tried even a little.
That's basically the state of affairs when it comes to your personal information if end-to-end encryption has a back door, or can be broken by a government using a master key or brute-force software. (Those are hardware or software tools that either enter a global "unlock" password that works on every device, or enter password options in sequence until one works.)
Device makers like Apple, Samsung, and Google are constantly working to counter advances in breaking the encryption used to secure your smartphone or cloud storage account, but it's more and more clear that government is working just as hard to retain the ability to stick its nose into your stuff.
Google responded with a statement from a spokesperson:
"We've found no evidence of access to Google accounts or systems, and we're continuing our investigation. We automatically protect users from security threats, and we encourage them to use tools like our Security Checkup, 2-step verification, and our Advanced Protection Program, if they believe they may be at especially high risk of attack."
I also reached out to Apple, Microsoft, and Dropbox to ask if they believe their systems are at risk of being compromised, but did not receive a response before publication.
It's up to you to protect your data.
Look, your data is in high demand. Companies like Google and Facebook make enormous profits by targeting you with ads that they determine are relevant based on the information they collect. Bad actors want very much to access sensitive information like banking and credit card credentials, or even medical records.
Those would be bad enough, but at least in those cases there are protections that can counter their attempts. Public opinion and the free market can intervene when companies go too far, and the law offers some level of redress when the bad guys attack.
What's far scarier is the idea that the government is just as interested in making sure it can get your information if it wants.
Update: Google responded with a statement.