The silent smartphone hackers

Many computer-security companies trumpet their skills and accomplishments. Some take another tack altogether, like NSO Group.

This Israeli start-up no longer operates a website. But it has peddled its wares to the Mexican government, gotten on the radar of Central Intelligence Agency officials and recently was bought by an American private equity firm.

A key selling point: NSO claims it can help monitor smartphones of people targeted by government agencies.

One person who recently saw a demo by the company said its technology silently took over a BlackBerry device. On LinkedIn profiles, its engineers also claim an expertise in Google’s and Apple’s mobile operating systems.

NSO operates in a special niche among the many companies operating in the field of smartphone security, a topic expected to be a focus of the annual Black Hat security conference in Las Vegas this week. It represents a new push by governments to keep up with the proliferation of smartphones.

A controversial part about companies like NSO is that they usually rely on exploiting security holes in consumer software to help law enforcement and spies.  For the companies to continue operating, these security holes need to be left unpatched.

Surveillance companies counter they help authorities track criminals using encrypted communications who sometimes rapidly change phones.

Ghost in the machine

“We’re a complete ghost,” NSO co-founder Omri Lavie told Defense News, a military trade publication, last summer. “We’re totally transparent to the target, and we leave no traces.”

Lavie and other NSO employees declined repeated interview requests. But the Journal pieced together some details about the company, based on company disclosures lingering on the web, people close to the firm and foreign press reports.

The company “is a leader in the field of cyber warfare,” according to a slide linked to from Lavie’s personal website. “Our offering includes coverage of the most popular handset operating systems [and] surgical activity monitoring solution exclusively for the use of government, law enforcement and intelligence agencies,” the slide says.

NSO technology “allows remote and stealth monitoring and full data extraction from remote targets devices via untraceable commands,” the slide says.

Francisco Partners bought the company for $US110 million this spring, a person familiar with the deal said. Francisco Partners, which didn’t return repeated requests for comment, has invested in companies such as Blue Coat, whose product include Internet filtering tools.

“It’s a homeland security type company,” the person said of NSO. This person said it uses suitcase-size devices to intercept mobile phone traffic.

Other details about NSO’s technology remain a mystery. Last  week, the Wall Street Journal reported that researchers at the cybersecurity firm Accuvant found how to hack a phone using fake cell towers the size of a small laptop.

Defense News, and a person familiar with the firm, said the company puts “unauthorized” code on mobile phones over the air on Android, BlackBerry and Apple devices.

The Journal couldn’t independently verify whether the code actually helps law enforcement conduct surveillance.

But people that have expressed concern about NSO’s capabilities include developers on message boards and CIA officials, according to one former US official familiar with the exchange.

In the Defense News article, the company said it had been granted an export license to a government agency in Mexico.

The person familiar with NSO’s recent sale to Francisco said the company “sells all over the world, only to government entities