Pegasus: you can run but you can’t hide
An Israeli company is selling spyware to governments. Governments are using it against innocent individuals, journalists and other «problematic» actors. Can you fully protect yourself from this software that even manages to hack iPhones? No chance. But you can play it safe.
Journalists worldwide are shocked: there’s a piece of software on the semi-open market that gives its buyers complete access to iPhones, Android devices and BlackBerry phones. This was revealed by a network of journalists operating under the name Forbidden Stories, in collaboration with the Amnesty International Security Lab and other partners. Journalists see this as a threat to themselves and their sources.
Disclaimer: you can rest rather easy. This piece of software, which is called Pegasus, isn’t a tool for mass surveillance. So, you’re not in acute danger. Pegasus was created by an Israeli company called NSO Group. It’s used by governments – officially, to combat terrorism and crime. Unofficially, it’s been used for years to monitor journalists who are critical of the government, dissidents and other actors deemed «problematic» by the government. Each target of Pegasus is hand-picked. As an average inhabitant of Switzerland, you’re almost certainly not a target.
Regardless, it’s a good idea to protect yourself against such attacks – the technology Pegasus uses can be weaponised by hackers or states for other attacks. So, there’s no guarantee that you’ll never be attacked or spied on with the same technology that’s being used by NSO Group and its clients. While it isn’t open source, the technology exists. And this alone makes it a risk.
So, here are preventive measures to guard against this previously unseen form of attack.
Pegasus: analysis of a hack
Pegasus hacks your smartphone. The world press has zeroed in on iPhones, but NSO claims it can monitor any smartphone running on any platform. At the moment, it’s not possible to verify if this is true. So far, Forbidden Stories and its partners – international media houses such as the Süddeutsche Zeitung and the Guardian – have failed to provide technological evidence. So far. This incident with Pegasus, its partners and the technology is sure to keep us busy for a while.
What is known is roughly how Pegasus works. This is enough to develop initial defence strategies. But it can also inspire attackers to exploit the same attack method – a so-called attack vector.
How Pegasus works (an overview)
For a successful attack, the hacker needs your phone number and an active Internet connection. In addition, the target device must be infected with the Pegasus client.
The operator enters the phone number into a command-and-control server (CnC), which then establishes the link between the target’s smartphone and Pegasus.
The CnC server is under the attackers’ control. In the case of Pegasus, these attackers are the «selected government partners» who purchased Pegasus from NSO Group. NSO Group claims not to be involved in direct monitoring – it only sells the software. It further claims to have no insight into what its customers then do with it.
A target’s smartphone can become infected in several ways:
- Malicious link: a link that claims to be a prize, voicemail or anything else, but actually leads to you downloading or executing malicious code on your phone. You can receive these links in a text message, e-mail or any messenger.
- IMSI catcher: your phone’s connection to the nearest cell tower is redirected. This is done using a third-party device – an IMSI catcher – which poses as a cell tower. Your phone connects to the third-party device, which injects malware into the traffic and keeps the connection alive by relaying it to the real tower. NSO Group sells this type of device.
- iMessage: the problem with iMessage is so complex that it can’t be explained in a simple sentence. Hence the «iMessage: the problem child» section below.
iMessage: the problem child
There’s a reason why the media is so focused on Apple: the iMessage app plays a key role in the infection of iPhones. Apple’s ecosystem is closed, meaning it can’t be inspected from the outside. This creates a platform that trusts other devices in the ecosystem. And this means the principle «trust, but verify» sometimes falls by the wayside.
In the iMessage app, messages that are sent via the iMessage network are given a lot of trust. Apple does secure what it can in the background, but the lack of transparency and the great interest of hackers can’t simply be dismissed. Security researchers aren’t impressed – as Patrick Wardle puts it, «Apple’s self-assured hubris is just unparalleled.» Patrick Wardle is an ex-NSA employee and the founder of the Mac security company Objective-See. According to Wardle, it’s the corporation’s ego and its fear of openness and negative headlines that make a cooperative relationship between Apple and researchers impossible.
But despite its «self-assured hubris» Apple isn’t sitting idly by and does keep working on security developments behind closed doors. The corporation recently introduced a system called BlastDoor, a sandboxed service that parses incoming iMessage content in isolation, so that a malformed message is supposed to be contained before it reaches the rest of the system.
But it appears Apple is too late. «It’s pretty clear that NSO can beat BlastDoor,» Bill Marczak of Citizen Lab tells the Guardian.
He explains that Pegasus infections have been detected up to and including iOS version 14.6, which is, as of 20 July 2021, the current version of Apple’s operating system. It’s likely that other hackers already are or will be taking advantage of this attack vector.
Since the spyware is delivered through iMessage itself, this is a so-called zero-click exploit, i.e. a successful attack that doesn’t require any human interaction. Put simply, the malicious message is processed automatically the moment it arrives – because iMessage trusts content coming from another iMessage account and parses it before you ever see it, nothing has to be tapped. Your iPhone treats the exchange between the two devices and Apple’s ecosystem as trustworthy. If the content turns out to be hostile, a mechanism like BlastDoor should intervene – but that only helps if the sandbox itself holds.
In a statement to the Washington Post, Apple appears confident in its victory: «Attacks like the ones described . . . often have a short shelf life,» says Ivan Krstić, Head of Apple Security Engineering and Architecture. He adds that Apple is constantly fighting such machinations with new developments.
What happens once you’re infected with Pegasus?
The exact mode of operation with all the technological details is still unknown. Here’s what we do know: Pegasus downloads and installs itself without any action on your part. What exactly Pegasus does during installation is not known. But at the end of the installation process, Pegasus has root access to your phone. This means the Pegasus client can access everything and do everything, as instructed by the CnC server.
So, Pegasus doesn’t so much break through the smartphone’s internal security measures as walk past them. By feigning a chain of trust, the download is trusted and the malicious code executed. And just like that, Pegasus arrives in the supposedly safe environment of your smartphone. Any and all shields against the outside are irrelevant, as they’ve been bypassed.
Once installed, Pegasus or other similar software can rage freely in your system. Security updates get disabled, since Apple or Google could potentially close the vulnerability exploited by Pegasus. With that, the operators of the CnC server can control your phone completely remotely. They can turn on the camera or microphone, read your e-mails or send messages to your contacts. You can think of it as handing an intelligence agency your smartphone – unlocked – and telling them to knock themselves out. This also means Pegasus can read encrypted messages: end-to-end encryption protects a message on its way between two devices, but once the device itself is compromised, the spyware simply reads the message after your app has decrypted it, or records the screen and keyboard. So neither Threema nor Signal nor Telegram offer effective protection against it.
Exactly how Pegasus gets into your iPhone or Android device will likely remain unknown until either a CnC server can be replicated via reverse engineering or a real CnC server is either sold or hacked.
How to protect yourself
Again, you’re unlikely to be in acute danger of a Pegasus infection. It’s doubtful that your evil ex will be able to contact NSO Group and gain access to Pegasus just like that. And even if a business relationship were established, Pegasus isn’t cheap. The prices are unknown, but all reports point to several thousands of francs per person bugged. This also makes it unlikely that the Visp regional police will use Pegasus to arrest Raron’s local weed dealer.
Still: this type of attack is out there, and it can install any software it pleases without requiring any input from you.
So here are a few safety tips:
- Always keep your phone up to date. Whether Android or iPhone, install updates immediately.
- Don’t click on links from unknown senders.
- Reboot your smartphone regularly. Some malware can’t survive a reboot.
- In general, be careful when installing new apps. Does the app really need all the permissions it asks for?
- Only connect to public Wi-Fi networks you trust. You should generally avoid foreign, public networks, but who really does that?
- Use a VPN when appropriate. There are countless providers, including Swiss companies like SnowHaze, which I personally trust.
Keep in mind that this isn’t absolute protection, especially not against something as powerful as Pegasus. But if you stick to this approach, you should be pretty well off.
Let’s focus on Apple, since it’s often mentioned as the gateway and holds a large share of the smartphone market. It’s recommended that you as a user don’t trust iMessage and FaceTime. In a bout of helpfulness, Apple has published a guide for the iPhone.
- Go to Settings.
- Go to Messages.
- Turn off iMessage.
- Go back to Settings.
- Go to FaceTime.
- Deactivate FaceTime.
Keep in mind what this does and doesn’t do: with iMessage switched off, messages to other iPhones fall back to SMS/MMS, which aren’t end-to-end encrypted and can be read by your carrier. And it closes only one door – the malicious links and IMSI catchers described above remain.
Even though Pegasus isn’t a mass surveillance tool, there is a remote possibility that you could be infected with NSO’s spyware. Activist and hacker Etienne «Tek» Maynier, a staff member of the Amnesty International Security Lab, has released the Mobile Verification Toolkit (MVT). It doesn’t scan your phone live; instead it analyses an iTunes/Finder backup or a full filesystem dump of an iPhone (or an Android device via adb) and compares the artefacts it finds – links in text messages, Safari history, process names and the like – against the indicators of compromise that Amnesty published with its report. You can use it to check your device for traces of Pegasus.
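To make the last point concrete, here is an added example that is not part of the original article and not MVT’s own code: a small Python re-implementation of the core idea behind MVT’s check, namely extracting indicators from a STIX2 bundle and matching them against artefacts pulled from a backup. The bundle and the «backup records» below are constructed sample data; the domains and process name are placeholders and not real Pegasus indicators (the real ones live in Amnesty’s `pegasus.stix2`, which also contains indicator types this example ignores). In practice you would run `mvt-ios check-backup --iocs pegasus.stix2 --output results/ /path/to/backup` and read the `*_detected.json` files it writes.

```python
"""Minimal IOC matcher in the spirit of MVT (added example, not MVT code)."""
import re
from urllib.parse import urlparse

# Constructed STIX2-style bundle. Indicator patterns follow the STIX shape
# "[domain-name:value = '...']" / "[process:name = '...']". Placeholders only.
SAMPLE_STIX2 = {
    "type": "bundle",
    "id": "bundle--00000000-0000-0000-0000-000000000000",
    "objects": [
        {"type": "indicator", "pattern": "[domain-name:value = 'update-check.example']"},
        {"type": "indicator", "pattern": "[domain-name:value = 'cdn.media-preview.example']"},
        {"type": "indicator", "pattern": "[process:name = 'placeholderd']"},
        {"type": "malware", "name": "Pegasus"},  # non-indicator objects are skipped
    ],
}

# Constructed records standing in for what MVT extracts from a backup
# (SMS bodies, Safari history, process lists from sysdiagnose/shutdown logs).
SAMPLE_RECORDS = [
    {"source": "sms", "text": "Your parcel is waiting: https://update-check.example/track?id=1"},
    {"source": "safari_history", "text": "https://www.example.com/"},
    {"source": "sms", "text": "See https://a.cdn.media-preview.example/img.jpg"},
    {"source": "processes", "process": "placeholderd"},
    {"source": "processes", "process": "launchd"},
]

# Matches a single-comparison STIX pattern: [<object>:<field> = '<value>']
PATTERN_RE = re.compile(r"\[(?P<kind>[\w-]+):(?P<field>[\w.]+)\s*=\s*'(?P<value>[^']*)'\]")
URL_RE = re.compile(r"""https?://[^\s'"<>]+""", re.IGNORECASE)


def load_iocs(bundle):
    """Collect domain and process indicators from a STIX2 bundle dict."""
    domains, processes = set(), set()
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        match = PATTERN_RE.fullmatch(obj.get("pattern", "").strip())
        if not match:
            continue  # multi-part or unsupported pattern: ignored in this example
        kind, value = match.group("kind"), match.group("value").lower()
        if kind == "domain-name":
            domains.add(value)
        elif kind == "process":
            processes.add(value)
    return {"domains": domains, "processes": processes}


def matching_domain(host, domains):
    """Return the IOC domain that `host` equals or is a subdomain of, else None."""
    parts = host.lower().rstrip(".").split(".")
    for i in range(len(parts)):
        candidate = ".".join(parts[i:])  # host, then each parent domain
        if candidate in domains:
            return candidate
    return None


def scan_records(records, iocs):
    """Return one hit per artefact that matches a domain or process indicator."""
    hits = []
    for rec in records:
        for url in URL_RE.findall(rec.get("text", "")):
            host = urlparse(url).hostname
            ioc = matching_domain(host, iocs["domains"]) if host else None
            if ioc:
                hits.append({"source": rec["source"], "artefact": url, "indicator": ioc})
        proc = rec.get("process")
        if proc and proc.lower() in iocs["processes"]:
            hits.append({"source": rec["source"], "artefact": proc, "indicator": proc.lower()})
    return hits


if __name__ == "__main__":
    found = scan_records(SAMPLE_RECORDS, load_iocs(SAMPLE_STIX2))
    for hit in found:
        print(f"[{hit['source']}] {hit['artefact']}  <-- matches {hit['indicator']}")
    print(f"{len(found)} indicator match(es)")
```

The subdomain matching in `matching_domain` is a design choice of this example: an indicator for `cdn.media-preview.example` should also flag `a.cdn.media-preview.example`, but must not flag an unrelated `media-preview.example.com`. The benign Safari entry produces no hit, which is the point of the exercise – the value of an IOC scan lies in the indicator list being specific.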
Journalist. Author. Hacker. A storyteller searching for boundaries, secrets and taboos – putting the world to paper. Not because I can but because I can’t not.