If you are reading this article, you likely already have some idea of the Israeli NSO Group's technology that can hack practically any smartphone in the world without its user's knowledge. Pegasus' reach is so wide, and the software behind it so sophisticated, that it almost seems like the brainchild of a Bond villain. Yet it is genuine, and governments and criminal organizations worldwide have used it to spy not only on allied and rival governments but also on their own citizens, especially journalists and activists.
The spyware came to light only because of a failed installation attempt on a human rights activist's iPhone. In August 2016, Emirati activist Ahmed Mansoor received text messages carrying a link that promised to reveal "secrets" about torture in UAE prisons. Suspecting foul play, Mansoor forwarded the messages to Citizen Lab, which investigated them together with Lookout. They found that, had the activist followed the link, it would have jailbroken the phone and planted the spyware deep within the system.
Jailbreaking an iPhone is the rough equivalent of rooting an Android device: whoever performs it gains the privileges needed to modify system files that are ordinarily inaccessible or strictly read-only.
The Israel-based NSO Group holds to its narrative that the spyware was developed strictly to fight terrorism and crime, save lives and make the world safer. How much truth there is to that narrative is, apart from a few well-placed or well-informed people, beyond anyone's ability to judge. However, as with every creation powerful enough to alter the world, its impact can never be purely positive or negative, whatever the original intent; more often than not, the outcome contains a significant share of both.
NSO Group licenses Pegasus to foreign government entities such as intelligence and law enforcement agencies, and says it does so only after thorough vetting. That vetting has not been sufficient to keep the spyware's frightening capabilities out of the wrong hands. In Mexico, for example, drug cartels, and government employees on their payroll, have been involved in threatening and spying on Mexican journalists.
When incredibly sophisticated technology finds its way into government hands, its use often drifts from serving the public as a whole to serving the interests of a few high-ranking individuals. This is especially true of autocratic governments. Licensed Pegasus software in the hands of such a government, Saudi Arabia for instance, is far from an improvement. The software was reportedly used to compromise Jeff Bezos' phone after he exchanged WhatsApp messages with the crown prince, and to spy on people close to Washington Post columnist Jamal Khashoggi, who was later killed in Turkey.
How does Pegasus infect a device?
Rather than targeting a single device model or operating system, the software identifies the type of device it has landed on and runs a suitable exploit to plant itself in the system. Often this requires zero user interaction: a victim's smartphone can be infected even though they never tap, open or approve anything. iPhones make up the bulk of known infections, with iMessage and, in some reported cases, Apple Music serving as the delivery channels. Apple patches each exploit chain once it is discovered, but there is no single vulnerability and no single fix: zero-click iMessage chains have been found working against iOS 14 releases, so keeping a device fully updated narrows the window of exposure rather than closing it.
Pegasus on Android devices:
Google calls the Android version of Pegasus Chrysaor, after the brother of the winged horse Pegasus in Greek mythology. On Android the spyware keeps the same objective but takes a different route in: Chrysaor first attempts to gain root access and, if that fails, falls back to prompting the user for permissions, which may still let it harvest whatever data those permissions cover.
If the "zero-click" method fails, the attacker can fall back on social engineering or phishing, such as persuading the victim to click a link that then installs the spyware. If all else fails, the attacker can still install Pegasus manually with physical access to the target device, which reportedly takes under five minutes. Once the spyware has infected a device, it can snoop on virtually everything: photos, videos, voice recordings, browser history, contacts, call logs, emails, messages, WhatsApp, Telegram and so on. Pegasus is also designed to evade traditional antivirus software. To avoid tripping abnormal-network-activity monitoring, it transfers data from the victim's device to the attacker's server only periodically rather than continuously.
Perhaps what makes Pegasus such a terrifying creation, though, is its capability to execute commands sent remotely by the attacker on the victim's device without their knowledge, and to self-destruct without a trace should the need arise. As long as Pegasus is alive on the device, the microphone, camera, stored files and so on belong to the attacker to do with as they please, and once the requirement has been fulfilled it can vanish without a trace. Throughout the operation, the victim has no clue about the tremendous amount of data extracted from their device right under their nose.
Installing such a complex piece of software sounds like it should be a monumental challenge. According to various reports, all an operator needs to infect a mobile device is its phone number; once the number is entered into the system, the system handles the rest. The time to a successful attack reportedly ranges from a few minutes to a few hours.
Measures to combat Pegasus
Where less sophisticated malware can be kept out with sound security practices, Pegasus cannot: it exploits kernel-level vulnerabilities to take control of a device. For iOS, the exploit chain uncovered in the 2016 Mansoor case (known as "Trident", patched in iOS 9.3.5) consisted of:
· CVE-2016-4657: Safari WebKit memory corruption, giving the attacker code execution in the browser when the victim opens the malicious link.
· CVE-2016-4655: Information leak in the kernel, used to locate the kernel in memory.
· CVE-2016-4656: Kernel memory corruption, leading to a silent jailbreak that lets the spyware install itself.
Oddly enough, it has been reported (citing leaked NSO product documentation) that this link-based installation does not work if the link is opened in a browser other than the device's default, Safari on iPhone or Chrome on Android, because the exploit chain targeted the stock browser. This limits only the one-click vector: switching browsers is no defense against a zero-click chain delivered through iMessage or a similar service, and it should not be relied on.
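Because Pegasus evades signature-based antivirus, investigators such as Citizen Lab and Amnesty International detect it after the fact by matching a device's records (backups, diagnostic logs, DNS caches) against published indicators of compromise. The Python below is an added illustration of that approach and is not code from the article, NSO Group or any investigation tool: the IOC domains, the log format and the log lines are constructed placeholders rather than real Pegasus infrastructure, and the beaconing check follows from the article's point that the implant contacts its server only periodically.

```python
"""Match a device's connection log against an IOC list and flag regular
beaconing. Added example for this article; IOC domains and log lines are
constructed placeholders, not real Pegasus infrastructure."""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed IOC list. Real investigations use published indicator sets;
# these names are placeholders.
IOC_DOMAINS = {"update-cache.example", "cdn-sync.example"}

# Constructed log in an assumed format: "<ISO timestamp> <process> <domain>".
SAMPLE_LOG = """\
2021-07-01T10:00:00 Safari www.apple.com
2021-07-01T10:05:00 com.apple.Music a1.update-cache.example
2021-07-01T10:07:30 Mail imap.example.net
2021-07-01T11:05:00 com.apple.Music a1.update-cache.example
2021-07-01T11:30:00 Safari notupdate-cache.example
2021-07-01T12:05:00 com.apple.Music a2.update-cache.example
2021-07-01T12:40:00 Safari cdn-sync.example
"""


def parse_line(line):
    """Return (timestamp, process, domain), or None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts, parts[1], parts[2].lower().rstrip(".")


def matched_ioc(domain, iocs):
    """Return the IOC that `domain` equals or is a subdomain of, else None.
    The leading dot in the suffix test stops 'notupdate-cache.example'
    from matching 'update-cache.example'."""
    for ioc in iocs:
        if domain == ioc or domain.endswith("." + ioc):
            return ioc
    return None


def find_ioc_hits(log_text, iocs=IOC_DOMAINS):
    """All events whose domain matches an IOC, as (timestamp, process, domain, ioc)."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, proc, domain = parsed
        ioc = matched_ioc(domain, iocs)
        if ioc is not None:
            hits.append((ts, proc, domain, ioc))
    return hits


def find_beacons(hits, min_events=3, max_jitter_s=60.0):
    """Per IOC, report the median contact interval in seconds when the contacts
    are regular: at least `min_events` of them and an interval spread no larger
    than `max_jitter_s`. Low-jitter periodic check-ins are the trace that an
    implant's scheduled exfiltration leaves in a connection log."""
    by_ioc = defaultdict(list)
    for ts, _proc, _domain, ioc in hits:
        by_ioc[ioc].append(ts)
    beacons = {}
    for ioc, stamps in by_ioc.items():
        stamps.sort()
        if len(stamps) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter_s:
            beacons[ioc] = median(gaps)
    return beacons


if __name__ == "__main__":
    found = find_ioc_hits(SAMPLE_LOG)
    for ts, proc, domain, ioc in found:
        print(f"{ts.isoformat()} {proc} -> {domain} (IOC: {ioc})")
    print("beaconing:", find_beacons(found))
```

On the constructed log the script reports four IOC contacts and flags `update-cache.example` as a beacon with a 3600-second period, while the look-alike `notupdate-cache.example` is correctly ignored. A real check runs over the device's actual records and a current published IOC set, and a clean result is not proof of a clean device, since indicators lag behind the infrastructure operators rotate.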
Pegasus remains an innovative tool created by incredibly talented people in the field, one with real potential to bring greater safety and accountability to the world. However, when individuals, groups, organizations or governments weaponize such a tool, the consequences are destruction, injustice and hostility. For instance, the first large-scale use of something as revolutionary as nuclear power was not to light homes or drive innovation. Instead, it was weaponized to level two cities in Japan, killing well over a hundred thousand people and leaving many more wounded, homeless, and sickened by radiation for generations.
A tool is simply a catalyst to bring about action or change. As humans of civil society, it is our responsibility to respect the tremendous potential of the gifts we receive from technological innovation and wield them where it might save more lives than it takes.