What is Pegasus and how is it used for espionage?

Government-sanctioned cyber surveillance is back in the news after a briefing by The Guardian and 16 other media organizations that highlighted how commercial malware is being used by authoritarian regimes to harass activists, politicians and journalists. The commercial malware used is called Pegasus and is sold for millions of dollars by the Israeli company NSO Group.

Pegasus, the most sophisticated malware we know of, can record calls, copy messages, and secretly take pictures of the owner (and people nearby) on any jailbroken device.

What is Pegasus?

In short, Pegasus is commercial spyware. Unlike the malware cybercriminals use to make money by stealing from and deceiving their victims, Pegasus is designed exclusively for espionage. Once it has secretly infected a smartphone (Android or iOS), it can turn the phone into a full-fledged surveillance device. SMS messages, emails, WhatsApp messages, iMessages and so on are all open to it for reading and copying. It can record incoming and outgoing calls and steal every photo on the device. In addition, it can activate the microphone and/or camera and record what is being said. Combine this with access to past and current location data, and it becomes clear that whoever is listening on the other end knows pretty much everything there is to know about the person they are targeting.

The first versions of Pegasus were spotted in the wild back in 2016, so this is nothing new. Since then, however, its capabilities and sophistication have grown significantly. Not everyone can get a copy of Pegasus; it is not something sold on eBay or even on the darknet. The NSO Group sells it only to governments, and it costs millions to buy.

Fortunately, this means that it is not in the hands of cybercriminals or terrorists. In fact, the NSO Group markets Pegasus as “a technology that helps governments prevent and investigate terrorism and crime to save thousands of lives around the world.” Sounds noble. Except, of course, that being a “government” is no guarantee of character, morality, or restraint. Governments that have used Pegasus to target journalists, business leaders, religious leaders, academics, and trade unionists include Hungary, Mexico, Saudi Arabia, India, and the United Arab Emirates (UAE).

The NSO Group admits that its client list covers more than 40 countries, but says in its defense that it vets its clients’ human rights records. It also notes that Pegasus “cannot be used for cyber surveillance in the United States, and no foreign customer has ever received the technology that allows them to access phones with US numbers.”

Zero-day vulnerabilities

All software has errors, called bugs. That is a fact. It is also a fact that the number of bugs is directly proportional to the complexity of the software: more code means more bugs. Most bugs are merely annoying. Something in the user interface does not work as expected, or a feature misbehaves under certain circumstances. The most obvious and annoying bugs are usually fixed by the authors in small “point releases”. You find bugs in games, operating systems, Android apps, iOS apps, Windows apps, Mac apps, Linux, and just about everywhere else.

Unfortunately, using open source software is no guarantee of being bug-free. All software has bugs. Sometimes open source even makes the problem worse, because key projects are often maintained, at best, by a small group (or even one person) who work on the project after coming home from their regular job. Recently, three security bugs were discovered in the Linux kernel that had been there for 15 years!

The real problem is security bugs. If the user interface has a problem, it will be fixed; no harm done. But when a bug can weaken the security of a computer, the situation is far more serious. These bugs are serious enough that Google runs a reward program that pays people who can demonstrate a security flaw in Android, Chrome, or Google Play. In 2020, Google paid out a whopping $6.7 million in rewards. Amazon, Apple and Microsoft have similar programs.

While the big tech companies spend millions fixing these security bugs, many unknown vulnerabilities are still lurking in the Android, iOS, Windows, macOS and Linux code bases. Some of these are zero-day vulnerabilities: a vulnerability that is known to a third party but not to the author of the software. It is called a zero-day because the author has had zero days to fix the problem.

Programs like Pegasus exploit zero-day vulnerabilities, as do other malware authors and the people who jailbreak iPhones or root Android devices.

Zero-day vulnerabilities are not easy to find, much less to exploit. It is possible, however. The NSO Group has a dedicated team of researchers who pick apart every detail of operating systems such as Android and iOS to identify weaknesses. These weak points then become a means of penetrating the device, bypassing all of its normal security measures.

The ultimate goal is to use the zero-day to gain privileged access to and control over the device. Once privileges have been escalated, a door opens that allows Pegasus to install or replace system apps, change settings, access data, and activate sensors that would normally be off limits without the consent of the device’s owner.

To exploit a zero-day bug, an attack vector is needed: a way to deliver the exploit to the device. These attack vectors are often links sent in SMS or WhatsApp messages. Clicking the link takes the user to a page that contains the initial payload, and the payload has a single purpose: to try to exploit a zero-day vulnerability. Unfortunately, there are also zero-click exploits that require no user interaction at all. For example, in 2019 Pegasus actively exploited bugs in iMessage and FaceTime, which meant it could install itself on a phone simply by calling the target device.

One way to estimate the size of the zero-day problem is to look at what has been found, since we cannot know what has not been found. Android and iOS each have their share of known security vulnerabilities. Publicly disclosed cybersecurity vulnerabilities are assigned a Common Vulnerabilities and Exposures (CVE) number. In 2020, Android logged 859 CVE reports. iOS had fewer, 304 in total. However, of those 304, 140 allowed unauthorized code execution, compared with 97 for Android. Four reports were for privilege escalation on iOS and three for privilege escalation on Android. The point is that neither Android nor iOS is inherently secure and immune to zero-day vulnerabilities.

How to protect yourself from spyware

The most decisive and least practical thing to do is to give up your phone. If you are really worried about being spied on, do not give the authorities the access they are looking for. If you do not have a smartphone, Pegasus has nothing to attack. A slightly more practical approach might be to leave your phone at home when you go out or attend important meetings. You also need to make sure that the other people around you do not have their smartphones either. You can also disable things like your smartphone’s camera, as Edward Snowden demonstrated in 2016.

If all of this sounds too drastic, there are a few practical steps you can take. However, you should be aware that if a government agency targets you with software like Pegasus and you insist on keeping your smartphone, there is little you can do to stop it.

The most important thing you can do is keep your phone updated. For Apple users, this means always installing iOS updates as soon as they become available. For Android users, it means choosing a brand with a good record of releasing updates promptly, and then always installing new updates as soon as they arrive. When in doubt, pick a Google device, as they tend to receive updates the fastest.

Secondly, never click, and I mean never, ever click, on a link that someone sent you unless you are 100% sure, beyond any doubt, that the link is genuine and safe. If there is even the slightest doubt, do not click on it.
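The link-based attack vector described earlier and the "never click" advice above both come down to one habit: look at where a link really goes before touching it. The following Python helper is an added example, not code from the article or from any vendor; it pulls URLs out of a message and reports the properties worth checking by eye (the real host, a user@host prefix that disguises the destination, an IP-literal host, punycode/IDN encoding, a shortener that hides the target), all offline. The shortener list and the sample messages are constructed for illustration.

```python
"""Inspect links in a text message before deciding whether to open them.

Added example (not from the article): a purely local, read-only check that
extracts URLs from an SMS or chat message and reports the features a careful
reader should look at before clicking. Nothing here fetches the link.
"""
import re
from urllib.parse import urlsplit

# Matches http/https URLs up to the next whitespace or quote character.
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)

# Assumed list of common URL shorteners (constructed for this example).
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}

IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def inspect_url(url):
    """Return the real host of a URL plus a list of findings (may be empty)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []

    if parts.scheme.lower() != "https":
        findings.append("not-https")

    if parts.username is not None:
        # 'https://apple.com@other.example/' displays apple.com but the
        # browser connects to other.example; the part before '@' is userinfo.
        findings.append("userinfo-before-host")

    if IPV4_RE.fullmatch(host):
        # Legitimate services are rarely linked by raw IP address.
        findings.append("ip-literal-host")

    if any(label.startswith("xn--") for label in host.split(".")):
        # Punycode labels can render as look-alike Unicode domain names.
        findings.append("punycode-host")

    if host in SHORTENERS:
        # The true destination is hidden until the redirect is followed.
        findings.append("url-shortener")

    return {"url": url, "host": host, "findings": findings}


def inspect_message(text):
    """Extract every URL in a message and inspect each one."""
    return [inspect_url(u) for u in URL_RE.findall(text)]


def risky(report):
    """Filter an inspect_message() report down to URLs with findings."""
    return [entry for entry in report if entry["findings"]]


if __name__ == "__main__":
    # Constructed sample messages, not real captures.
    samples = [
        "Your parcel is waiting: https://apple.com@xn--pple-43d.com/track",
        "Reset your password here http://198.51.100.23/login",
        "Meeting notes: https://www.example.org/docs and https://bit.ly/abc123",
    ]
    for msg in samples:
        for entry in inspect_message(msg):
            flags = ", ".join(entry["findings"]) or "nothing unusual"
            print(f"{entry['host']:<24} {flags}")
```

Run it on a pasted message and read the host column, not the link text: the first sample shows the connection would go to a punycode domain even though the link starts with a well-known name. An empty findings list is not a clean bill of health, only the absence of the cheap tells; the article's advice to skip any link you are not certain about still applies.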

Third, do not assume you are immune because you use an iPhone. Pegasus targets both iOS and Android. As mentioned above, there was a period in 2019 when Pegasus actively exploited vulnerabilities in FaceTime that allowed it to install silently on iOS devices. You might also want to watch this video about how the Chinese government used iOS vulnerabilities to spy on people.

Finally, be alert, but stay calm and balanced. It is not the end of the world (yet), but ignoring the problem will not help either. You might think you have nothing to hide, but what about your family or friends? Journalists, business leaders, religious leaders, academics and union representatives are not so rare that none of them are your friends or family. As the Second World War slogan put it: “Loose lips sink ships.”