What is Pegasus and how is it used for spying?

Government-sanctioned cyber surveillance is on after a disclosure. back on the news The guard and 16 other media organizations exposing how commercial malware is being used by authoritarian regimes to target activists, politicians and journalists. The commercial malware used is called Pegasus and is sold for millions of dollars by an Israeli company called NSO Group.

Pegasus, the most sophisticated malware we know, has the potential to record calls, copy messages, and stealthily film the owner (and those nearby) on any compromised device.

What is pegasus

In short, Pegasus is commercial spyware. Unlike the malware cyber criminals use to make money by stealing and defrauding their victims, Pegasus is designed solely for espionage. As soon as it secretly infects a smartphone (Android or iOS), it can become a full-fledged monitoring device. Text messages, emails, WhatsApp messages, iMessages, and more are all open for reading and copying. It can record incoming and outgoing calls as well as steal all photos on the device. It can also activate the microphone and / or the camera and record what is said. Combine that with the ability to access past and present location data, and it’s clear that those listening on the other end will know almost everything about anyone who is being attacked.

The earliest versions of Pegasus were spotted in the wild back in 2016, so this is nothing new. However, his skills and aspirations have grown enormously since those beginnings. Not everyone can get hold of a copy of Pegasus – this isn’t sold on eBay or even the dark web. The NSO Group only sells it to governments and it costs millions to buy.

Thankfully, this means it is out of the hands of gangs of cyber criminals or terrorists. In fact, NSO Group markets Pegasus as “technology that helps government agencies prevent and investigate terrorism and crime to save thousands of lives around the world.” Sounds noble. Except, of course, that being a “government” is not an assurance of character, morals, or self-control. Some of the governments that Pegasus is using to target journalists, business people, religious leaders, academics and union officials are Hungary, Mexico, Saudi Arabia, India and the United Arab Emirates (UAE).

NSO Group admits that their actual client list spans over 40 countries, but in their defense they say they are reviewing clients’ human rights records. It also points out that Pegasus “cannot be used to conduct cyber surveillance within the United States and no foreign customer has ever been granted technology to enable them to access phones with US numbers”.

0 day vulnerabilities

All software has bugs known as bugs. It’s a fact. It is also a fact that the number of errors is directly proportional to the complexity of the software. More code means more errors. Most of the bugs are just plain annoying. Something in the user interface that doesn’t work as expected. A feature that may not work properly under certain circumstances. The most obvious and annoying errors are fixed by the authors in small “point versions”. Bugs can be found in games, in operating systems, in Android apps, in iOS apps, in Windows programs, in Apple Mac apps, in Linux – practically everywhere.

Unfortunately, using open source software is not a guarantee of an error-free experience. All software has bugs. Sometimes the use of open source even exacerbates the problem, as key projects are often looked after to the best of their knowledge by a small group (or even a single person) who work on the project after returning from their regular job. Recently, three security-related bugs were found in the Linux kernel that had been there for 15 years!

And it’s security-related bugs that are the real problem. The UI has a bug, it will be fixed, no problem. But when a bug has the potential to weaken a computer’s security, the situation is more serious. These errors are so serious that Google offers a reward system that pays people who can prove a security weakness in Android, Chrome or Google Play. In 2020, Google disbursed a whopping $ 6.7 million in rewards. Amazon, Apple, and Microsoft all have similar schemes.

See also: The best non-antivirus security apps for Android

While the big tech names are spending millions trying to fix these security-related bugs, many unknown vulnerabilities still lurk in the code of Android, iOS, Windows, macOS, and Linux. Some of these vulnerabilities are 0-day vulnerabilities – a vulnerability that is known to third parties but not known to the software author. It’s called 0 day because the author had zero days to fix the problem.

Software like Pegasus thrives on 0-day vulnerabilities, as do other malware authors, iPhone jailbreakers, and those who root Android devices.

Finding a 0-day vulnerability is not easy, and exploiting it is even more difficult. However, it is possible. The NSO Group has a specialized research team that examines and analyzes every minute detail of operating systems such as Android and iOS to find vulnerabilities. These weaknesses are then converted into ways to dig into a device, bypassing all normal security.

The ultimate goal is to use the 0 tag to gain privileged access and control over a device. Once the rights escalation is achieved, the door will be open, allowing Pegasus to install or replace system applications, change settings, access data and activate sensors that would normally be prohibited without the express consent of the owner of the device.

To exploit the 0-day bugs, an attack vector is required; a way for the exploit to get a foot in the door. Often times, these attack vectors are links sent in SMS messages or WhatsApp messages. Clicking the link takes the user to a page that contains an initial payload. The payload does one job: to try to exploit the 0-day vulnerability. Unfortunately, there are also zero-click exploits that do not require any interaction with the user. For example, Pegasus actively exploited bugs in iMessage and Facetime in 2019, which meant it could install itself on a phone by just making one call to the target device.

Related: Is it really a good idea to sell your privacy for a cheaper phone?

One way to gauge the size of the 0 day problem is to look at what was found, since we don’t know what was not found. Android and iOS both have their fair share of reported security vulnerabilities. Publicly disclosed cybersecurity vulnerabilities are assigned a Common Vulnerabilities and Exposures (CVE) number. For 2020, Android recorded 859 CVE reports. iOS had fewer reports, a total of 304. Of those 304, however, 140 allowed the execution of unauthorized code, more than 97 from Android. The point is, neither Android nor iOS are intrinsically secure and immune to 0-day vulnerabilities.

How to protect yourself from spyware

The most drastic and inconvenient thing is to leave out the phone. If you are seriously concerned that you are being spied on, then do not give authorities the access they are looking for. If you don’t have a smartphone, Pegasus has nothing to attack you. A more practical approach might be to leave your phone at home when you go out or go to sensitive meetings. You also have to make sure that other people around you do not have their smartphones. You can also disable things like the camera on your smartphone, as Edward Snowden famously demonstrated back in 2016.

If this all sounds too drastic, there are some handy steps you can take. However, you need to know that if a government agency attacks you with software like Pegasus and you insist on keeping your smartphone, there is little you can do to stop it.

The most important thing you can do is keep your phone up to date. For Apple users, this means that iOS updates are always installed as soon as they are available. For Android users, this means first choosing a brand that has a good experience with posting updates and then always installing the new updates as they become available. When in doubt, choose a Google device as these are the quickest to update.

See also: Everything you need to know about Google hardware

Second, never click on a link sent to you by someone unless you are 100% sure that the link is real and secure. If there is even a small doubt, don’t click on it.

Third, if you are an iPhone user, do not think that you are immune. Pegasus targets iOS and Android. As mentioned earlier, there was a period in 2019 when Pegasus was actively exploiting vulnerabilities in Facetime that allowed it to install on iOS devices undetected. Check out this video on how the Chinese government exploited security flaws in iOS to spy on people.

Finally, be vigilant, but stay calm and level-headed. It’s not the end of the world (yet), but ignoring it doesn’t help either. You may think you have nothing to hide, but what about your family members or friends? Journalists, business people, religious leaders, academics, and union officials are not so rare that they have no friends or family. As the WWII slogan said, “Loose lips sink ships”.