How many law-abiding persons are being hacked on their smartphones or at risk? Is it a few thousands? Or is it millions? Are you among them?
Last year alone, the sitting prime ministers of Spain, of the UK, and of Finland, the head of opposition of Greece and of Poland, and Hungary, have been spied on their smartphones, undetectably, for months on end, and most likely with full access to all data, microphone and camera. Even the son of the new prime minister of Israel, and the editor of the Financial Times suffered the same fate.
The rapporteur of shocking 150 pages draft report on spyware presented last November by a dedicated EU Parliament committee, whose rapporteur summed it up as “much, much worse than Watergate”.
As terrible as this is for our democracies, it's just the tip of the iceberg, because victims are most likely in the hundreds of thousands and those at risk in the millions, as we argue below.
Nearly everyone with power or money is a target or victim, including nearly all elected officials, diplomats, businessmen, journalists, activists, their organizations, and their close associates inter-governmental organizations.
The number of those hacked or at risk is not easy to quantify or even approximate, by design. That’s because, security agencies go to great lengths to maximize the number of criminals and terrorists over-estimate the security of secure mobile solutions so that they can continue their legitimate interception, while spyware and secure IT companies like Apple play along, for profit reasons.
But once in a while, some hard verified data comes around. The lawsuit that Facebook has against NSO Group provides details and proofs of 1400 WhatsApp hacked worldwide in the course of just 2 weeks. The NSO Group, just one of a dozen spyware firms in Israel alone, testified last June to the 42-strong PEGA EU Parliament Committee of spyware that over 12,000 citizens each year are hacked via their Pegasus system.
But those numbers (1) do not include dozens of other similar spyware companies that rent or sell to nations and private groups; (2) nor do they include those hacked by security agencies of powerful nations like the US, China and Russia; (3) nor hundreds or thousands of other entities to discover, buy, steal, or just rent access to illegitimately hacking of high-profile users, as shown by Shadow Brokers and Vault 7 scandals, as consequence of the surreptitious way in which powerful nations ensure their "backdoor" access.
Last October Kaspersky declared it had found and “fully deconstructed” the most advanced German and UK spyware, FinFisher, enabling them to fully re-use it. The same could have been done by others. Already ten years ago powerful national security agencies like, and to a lesser extent some semi-private spyware companies, had capabilities to turn targeted endpoint surveillance into a highly scalable enterprise via systems and programs, like the newer versions of the 2008 NSA FoxAcid and NSA Turbine.
Furthermore, a vast majority of these cyber crimes go undiscovered for years, if ever, as they often leave no trace, as outlined above. When discovered, they are nearly always kept secret as both victims and attackers gain from keeping them unreported. Victims are not required to disclose. The hacking of state officials is often classified as state secret.
Apple declared in 2021, the attacks should not worry because exploits: “cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, the overwhelming majority of our users”. Their use of the term “overwhelming” is compatible with hundreds of thousands of devices hacked, which would amount to 0.01% of the 1.5 billion iPhones out there.
The New York Times reported in 2018 about NSO Group: “Clients could then pay more to target additional users, saving as they spy with bulk discounts: $800,000 for an additional 100 phones.”, which brings the price to €8,000 per target (Though the price is apparently higher nowadays). And that’s for the Rolls-Royce of hacking tools!
From the above, we can therefore estimate that the number of victims are in the many hundreds of thousands every year, while those at risk are in several millions world-wide.
As opposed to what security agencies, smartphone makers and uncritical media want us to believe those most at risk have known the truth for some time now. Pre-Covid surveys by UBS and by Northern Trust found that the 16 million wealthiest persons in the World and family offices regard cybersecurity as their n.2 or their n.1 concern, respectively.
So, are you currently, now, being hacked on your smartphone?
No way to tell for sure or even in high confidence if you are currently being hacked, or have been, as those hacks are often undetectable and leave no trace. You may be able to know if you hire more or less expensive forensic services, in very many cases you cannot, including if using the most advanced service that are not commercially available. Some of the bets ones are also free if you are politician or journalist, like Citizen Lab or Amnesty International.
How likely is it that you have been hacked in the recent past or will be hacked in the near future?
If you are among hundreds of thousands in the World of the most interest of a powerful nation state, there is nearly nothing you can do, and you are most likely hacked at any given time.
There are 400,000 persons that have more that $30 million in assets and a similar number of top executives whose hacking can be turned into profit. There are also millions highly or moderately influential politicians, elected officials and journalists that nations states and companies would like to spy on and be able to blackmail.
The marginal cost for an organizer state or non-state hacking entity to hack you is quite low, as we wrote below. So if you are among those, you and/or your close personal and professional associates are either hacked or at high risk.
If a shrewd competitor or someone really does not like you wanted to hack you, they would go through hack-for-hire services in the private or rogue nation state agencies, and spend in the order of single digit to triple digit amounts, through two-step removed intermediaries.
Roughly, if you have a high amount of money, power or influence, you probably are or will be hacked, undetectably, for months on end, and most likely with full access to all data, microphone and camera.