Everything you need to know about the Pegasus spyware infecting smartphones

NSO Group’s Pegasus spyware is making headlines again after it was reported that a number of governments around the world have been using it to hack the smartphones of activists, politicians, journalists, and more.

A list of potential surveillance targets, which includes more than 50,000 phone numbers, was leaked and obtained by a number of news outlets over the weekend, reigniting concerns over government surveillance.

So, what exactly is Pegasus, and who might be a potential target of an attack? How can you tell if your iPhone has fallen victim to the spyware? We’ve rounded up everything you need to know about Pegasus right here.

What is Pegasus?

Pegasus is a sophisticated spyware developed by Israeli firm NSO Group, also known as Q Cyber Technologies. It was first discovered on iOS back in 2016 when Arab human rights defender Ahmed Mansoor received a text message promising “secrets” about prisons in the United Arab Emirates.

However, cybersecurity firm Lookout, the first to investigate the spyware, believes Pegasus has been around for a lot longer than that. “We believe that this spyware has been in the wild for a significant amount of time based on some of the indicators within the code,” read its report at the time.

A kernel mapping table discovered in the spyware included values that dated back to iOS 7, which Apple first rolled out in late 2013. And a number of reports, including one from The New York Times, claim leaked emails confirm the United Arab Emirates has been using Pegasus since 2013.

Apple has, of course, rolled out iOS updates that fix the vulnerabilities exploited by various versions of Pegasus since then, but it seems NSO Group continues to find new routes into Apple’s firmware. And it does so, it claims, to help governments investigate crime and fight terrorism.

But that’s not strictly how Pegasus has been used so far. In its 2016 report, Lookout called Pegasus the “most sophisticated attack we’ve seen on any endpoint,” and said it was being used to “attack high-value targets for multiple purposes, including high-level corporate espionage.”

How is Pegasus distributed?

What makes Pegasus particularly special, and unlike most of the spyware we typically see on iPhone and other smartphones, is that it uses a “zero-click” attack. That means it does not require the smartphone’s user to install a malicious app or click a nefarious link. It actually requires no user input at all.

Instead, Pegasus can be injected over the smartphone’s network, either by using a rogue cell tower, or with access to real network infrastructure. NSO Group demonstrated this in November 2019 when it exhibited a portable Base Transceiver Station (rogue cell tower) at the Milipol trade show in Paris.

The BTS was placed in the back of a van and impersonated a legitimate cell tower, forcing handsets within a certain radius to connect to it automatically. Once a connection was made, cell tower traffic could be intercepted and manipulated, allowing Pegasus to be injected into those devices.

iPhone units have also been targeted with Pegasus through iMessage and Apple’s Push Notification Service protocol. It can disguise itself as another app — one you already have installed — then transmit itself as a notification through Apple’s own servers.

So, it’s incredibly difficult to avoid being infected by the Pegasus spyware, because there’s little you can do — aside from preventing your device from connecting to cell towers at all — to avoid a possible interception. And once the software has made its way onto your device, there’s plenty it can do.

What can Pegasus do?

Pegasus has the ability to send all kinds of sensitive data back to an attacker’s servers. This includes contacts, text messages, calendar events, and passwords. It can even intercept live voice calls — including those protected by end-to-end encryption — allowing an attacker to listen in.

Pegasus also allows an attacker to take control of a smartphone’s camera and microphone, or use its GPS to track a target, without the owner’s knowledge. It is designed to evade detection by anti-virus software, and it can be remotely removed by an attacker if necessary.

Who is at risk?

As explained in the Lookout report, Pegasus attacks seem to be primarily aimed at “high-value targets,” such as activists, CEOs, journalists, lawyers, and politicians. However, the attacks are said to be distributed by the governments that pay for the spyware, rather than by NSO Group itself.

In late 2019, it was reported that at least 121 people in India — including more than 40 journalists — had been hit by a Pegasus attack. Indian technology minister Ravi Shankar Prasad said that around 1,400 people around the world had been targeted around the same time.

Although it’s possible, then, that the average user might fall victim to a Pegasus attack, it is considered highly unlikely. Apple security chief Ivan Krstić told The Washington Post this week that attacks like Pegasus “are not a threat to the overwhelming majority of our users.”

How you can protect yourself

Despite being incredibly sophisticated, requiring only a phone number for access to a target’s device in most cases, Pegasus isn’t 100% effective. There are scenarios in which it fails, which means there are some things you can do that might help you avoid a potential Pegasus attack.

The simplest step you can take is to ensure you keep your iPhone up to date. Apple works to patch any vulnerabilities used by Pegasus and other threats, so a simple software update could be enough to prevent an attack. Another thing you can do is avoid using Apple’s own Safari browser on iPhone.

According to a brochure on Pegasus from NSO Group, “installation from browsers other than the device default (and also Chrome for Android based devices) is not supported by the system.” When it comes up against a third-party browser, installation is aborted and a harmless webpage is displayed.

How to tell if your iPhone is infected

Detecting a Pegasus infection used to be near impossible, so most targets never knew they were a target — or that their device was infected. But you can now use a tool, developed by researchers at Amnesty International, that can detect traces of a potential Pegasus infection.

The Mobile Verification Toolkit (MVT) works on both iPhone and Android devices, but requires a Mac or Linux device for execution. It supports a number of commands that allow you to decrypt an iTunes backup, extract artifacts, then compare them to detect signs of an attack.

The MVT is available to download from GitHub, where you will also find a list of detailed installation and usage instructions.
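The "compare" step described above, sketched as an added example; this is not MVT's own code and not part of the original article. It assumes indicators arrive as a STIX 2 bundle of domain-name patterns and that extracted artifacts are browsing-history rows with `ts` and `url` fields; both layouts, the function names, and every domain shown are constructed placeholders.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed indicator bundle in STIX 2 layout. The domains use the reserved
# .example TLD and are placeholders, not real Pegasus indicators.
BUNDLE = json.dumps({
    "type": "bundle",
    "objects": [
        {"type": "indicator", "pattern": "[domain-name:value='bad-cdn.example']"},
        {"type": "indicator", "pattern": "[domain-name:value='redirect.tracker.example']"},
        {"type": "malware", "name": "placeholder"},
    ],
})

# Constructed history rows standing in for artifacts extracted from a backup.
HISTORY = [
    {"ts": "2021-07-01T09:14:02Z", "url": "https://www.apple.com/"},
    {"ts": "2021-07-01T09:14:05Z", "url": "https://x7.bad-cdn.example:30827/a/b?id=1"},
    {"ts": "2021-07-02T18:40:11Z", "url": "http://notbad-cdn.example/"},
    {"ts": "2021-07-03T07:01:59Z", "url": "https://REDIRECT.tracker.example/r"},
    {"ts": "2021-07-03T07:02:10Z", "url": "not a url"},
]

DOMAIN_PATTERN = re.compile(r"\[domain-name:value\s*=\s*'([^']+)'\]")

def load_domains(bundle_text):
    """Collect lower-cased domain indicators from a STIX 2 bundle."""
    domains = set()
    for obj in json.loads(bundle_text).get("objects", []):
        if obj.get("type") == "indicator":
            found = DOMAIN_PATTERN.findall(obj.get("pattern", ""))
            domains.update(d.lower() for d in found)
    return domains

def match_history(rows, domains):
    """Return (timestamp, host, indicator) for each row whose host equals an
    indicator or is a subdomain of one. Substring matches are rejected."""
    hits = []
    for row in rows:
        # hostname is None for unparseable rows; treat those as no host.
        host = (urlsplit(row["url"]).hostname or "").lower().rstrip(".")
        for ind in sorted(domains):
            if host == ind or host.endswith("." + ind):
                hits.append((row["ts"], host, ind))
    return hits

if __name__ == "__main__":
    for hit in match_history(HISTORY, load_domains(BUNDLE)):
        print(*hit)
```

Matching on the parsed hostname rather than the raw URL string is what keeps `notbad-cdn.example` from being flagged while still catching the subdomain and the upper-case variant.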


Source: Pinays Guide
