Video URL: https://www.youtube.com/watch?v=wPdVMdFCMj8
the jurgen experience and so you go from this to i mean i don't want to make this big leap into the jeff bezos thing but it is um it's it's very fascinating to me you were involved in finding out how jeff bezos's phone got hacked and you were involved in connecting it to the saudis and that whole thing how did this all come about well i i have promised i wrote one um op-ed for the daily beast about this and in that op-ed at the end i say i'll never say another word on this case because i'm turning it over to the federal government now it's a few years ago so i what i can share is only that which has been public and a lot wasn't public but uh the the uh circumstance did involve mbs who's the prime you know the the prince of saudi arabia and he did send a a text with a video to jeff bezos they knew each other they had met they had exchanged phone numbers and embedded in that video was a a system that downloaded something that then later connects to a website and downloads something more sinister like pegasus 2 which is a a a system that governments around the world use to get into your phone and then they have full control of your phone so it doesn't immediately connect it doesn't download immediately because it's a bigger package what what you're getting in your first uh incursion into a phone uh or laptop or ipad or whatever you're getting a uh a very small file a little executable file that then later reaches out uh via the internet and that executable file could be a website it could be and does it exist only on the physical phone itself or is it is it in the operating system and if you change phones and like upload to the cloud and then re-upload do you or re-download on a new phone does that does that spy software make it onto your phone again probably not but we don't know completely whether it does or it doesn't when a government wants you like the us government or saudi or basically there
are there are two kinds of countries in the world when it comes to uh to incursions into uh smartphones there are original developers the united states china soviet union and israel so they're original developers of programs that do these things and then there are the purchasing countries uh mexico saudi arabia and all 190 other countries by the way i say 190 do you know there isn't even a consensus about the number of countries in the world countries can't even agree on that is that because of like taiwan and taiwan's a good example yeah so um so the best way i can put it to you is that if a government wants you from an informational point of view once you get into your phone they have you uh these systems are extraordinarily robust powerful as i learned more and more about them it's not actually my area of expertise cyber security but as i had to learn more about it for myself and for clients when the saudis wanted to get into a phone they could what if you're dealing what if you're communicating rather only through direct encryption devices or applications rather like signal yeah it's a very good question so if signal uh encrypts the the package going back and forth between the two devices over the internet so if you have uh interception between device a and device b it'll be encrypted and but that's not what happens with things like pegasus 2. pegasus 2 is a very high end system and it's in your phone just like you're in your phone everything you can do on your phone i can do from 7 000 miles away in some saudi government office wow and so signal doesn't help you with that i do think however by the way signal is a is a foundation it's not a for-profit company so i'm glad to to promote it i do think they have something very valuable on signal and that is disappearing messages which is you can if you and i were exchanging signal communications we could set in one week make all this disappear in one hour make all this disappear up to four weeks that's very valuable because otherwise our text messages look
i i was tasked to do this for myself when the saudi thing started which is i have to think about everything that's on my phone holy every communication i had you know for years every text i sent every photo every argument every joke that would be taken out of context you know it's a very hard thing to do because we're it's we're like a mind we're collecting all of this data right in the phone and so signal is valuable i think signal's a good a good service and uh but it doesn't solve the problem if a government wants you uh if a government wants information uh they they can get it through programs like uh like uh pegasus too right well how does pegasus 2 get on your phone well different ways it is a no-click uh incursion meaning you don't have to click on anything uh you you might you know typically you would get a text and you would open that text and that would download the little executable file or you would watch a video and it would be in the video but now the newest uh pegasus systems they don't even need you to do anything uh they can send you a message on whatsapp and even if you never even if you delete it even if you never open it they can get in your phone what if you don't use whatsapp it's a help by the way i i don't recommend whatsapp why is that because whatsapp has had a um for some reasons that i don't want to share and for some reasons that i do want to share whatsapp has had a particularly uh vulnerable circumstance with regard to uh with regard to uh people getting into other people's phones now having said that there are thousands of people right now all over the world working on nothing but getting into the new iphone operating system and then there's thousands of people at apple working on nothing but being sure that the new operating system is impenetrable and this just is a you know is an arms race that's going to go on it's going to go on forever so you you were saying that don't if you get a message through whatsapp but what if you don't get a message through whatsapp is that executable if just a blank text message comes your way and you don't open it less than that
unfortunately you can get nothing at all with pegasus 2 you can get nothing at all they can enter a telephone number and they can get into your phone nothing at all no text messages so you have no idea whatsoever that's correct and that's a problem with you know zero day exploits which is you don't know what happened and you go on for months and months and months not knowing that somebody's in your phone uh is a is a problem and how do you find out if someone's in your phone well depends on on the circumstance in in in the case you described uh i was notified by originally by somebody in cia then notified uh eight times by the fbi about the what information they had learned and then we began to do uh to do uh you know work on the phone itself and you learn about it in those ways which is very difficult by the way because pegasus too i feel like i'm giving a commercial for pegasus too but most people can't really can't buy it anyway but pegasus 2 is not sitting in an armchair waiting for you to arrive hey i'm over here it is extremely well hidden uh right down at the very core levels of a of a phone or or an ipad and uh but there are strategies for uh for finding it and they're challenging and they're evolving all the time there are you know whole organizations like uh citizen lab and a and a really great expert anthony ferrante who used to work for obama at the white house on this kind of stuff he's now in private practice they've had a lot of success they even have found uh pegasus ii in the wild meaning before there was a reason to be suspicious they've identified it and uh it's a tricky game because it let's say you were targeted by the mexican government which happened a lot to people and you you have it on your phone and you think you are being monitored in some ways so you get rid of your phone you turn it off you put it in the top drawer well pegasus will say hey this activity has just stopped self-delete it'll self-destruct so now you you don't even have any evidence that it ever happened even if you could get an fbi involved so pegasus
sends a signal to the person that's using the spyware to tell you that that phone is not active any longer well they know they they see immediately hey joe isn't texting his friends anymore so they know that right away so they execute it independently nope it can happen internally because what happens remember when it's when it's turned off or the battery is taken out or a wide variety of things can happen that uh you know with a quote uh suspect phone it will self-destruct on its own after a few days of no contact that's one of the things they market i got all their marketing material uh and at the time you know when we were really doing this investigation we were getting a lot of content from around the world it is uh it's sold by a company called nso which is in israel based in israel and uh it's a very dark game all over the world uh involving governments and other powerful people and uh you know pho most people say well what do i care nobody wants to get into my phone and they're right but if you are a person who is subject to uh to the interest of government anywhere in the world uh it's very hard to have privacy so if you don't get a message through whatsapp what are the other vulnerabilities like could you get a message through twitter can you get a message yes you could get a regular instagram you could get a regular text a regular text pegasus one which did require that the user click on something but pegasus 2 is a no-click exploit nothing has to happen so someone can just send you a text you don't even have to open it not even send you less than that what i'm saying is that the high-end pegasus system that's used by saudi arabia and other countries all they need to do is have your phone number that's it nothing more so they have your phone number they have access to all your photographs your messages everything turn on your phone as a microphone right now in this room turn on your phone as a camera right now and even it's so it's so smart let's say it makes an audio uh recording of a phone call and it doesn't download it right now it
waits until the phone is quiet and it's you know late night in in the target destination like in your home it's late night and then it downloads it at night so that you don't even see a reduction in performance right and then people who are sort of watching the the cost don't see spikes of all kinds of activity in the case you talked about uh gigabytes of data was taken out of that phone gigabytes yeah how many gigabytes are on the phone no idea i don't know uh so so anyway yeah the the the short punch line on this is that there is no way to there's a lot of products being sold that do the best they can but depending on who wants you there really is no way uh you know if the central intelligence agency wants to get into somebody's phone overseas they can do it now is there a difference between operating systems like is there more of a vulnerability to android than there is to iphone i hear again not an expert but i hear that there's more vulnerability to uh to iphone but that might be because they are the ones that are targeted most often and that thousands of people are working on all the time yeah that was my question like what about one of those uh de-googled android phones that are becoming more probably better but i don't know you don't know because there's a lot of people that are swearing by those now that have moved to these operating systems that have been manipulated to the point where they don't send information you can't get tracked gps doesn't work all that stuff yeah it's good to have the you know the least the the lowest number of apps you can have on a phone the better if you're talking about just using it for phone calls the challenge i have because i get you can imagine every product is brought to me usually given to me for free to try hoping that clients will want it or that my company will want it i see everything but the challenge is it's a moving target so if somebody says today oh we've got something great for such and such two weeks later people have been able adversaries have been able to work on it and it's an arms race and so it's sort of like saying hey i got this great new thing you know a catapult and i can throw fiery bombs
over the wall of the castle that's not so interesting anymore now that we have tanks these things continue to evolve do you anticipate there ever being a time where they can circumvent that and there will no longer be exploits like that or is this just a new reality that people have to live with i anticipated going in the other direction which is that it it becomes far more accessible for far more people and that anything we do you know online is is subject to to being intercepted and seen more and more you know a lot of people like i have clients who could be targeted by china could be targeted by russia could be targeted by france could be targeted by the united states by other companies by powerful adversaries and they often say well i just treat every communication as if it could be heard uh but the reality is that as human beings on a phone call we are unguarded right you don't want to have a phone call with me or a conversation that's that's completely guarded like this all the time and so the reality is that this is going to be a vulnerability in in people's lives uh period and it's going to expand expand sure and do you think it's going to expand to the point where regular people have access to everyone else's phone in all their data i think it will expand to where uh motivated people and not governments could get access to other people's data and you know there are even laws uh there's some in the uk where you know why should people be able to have a secret encrypted communication what are they trying to hide government is challenged by it right yeah i've seen those people in power are challenged by that stuff and so well because we we might want to have a communication that the government isn't part of that would be the reason but uh but people in power don't like it and so slowly it will erode that way as well