Knowing where threats are is a vital part of defense – whether that’s managing cybersecurity in an air-conditioned office, or commanding a nation’s military. This was the goal of Pegasus. The spyware infiltrates a dangerous individual’s device, returning every piece of information back to a government-controlled server.
Pegasus proved itself to be too powerful, however – quickly becoming abused to target journalists and crush free speech by oppressive governments.
What is spyware? And what makes Pegasus a frighteningly good example?
Spyware’s single goal is to retrieve information. Once it’s infiltrated your device, it monitors root system files, recording anything from your keystrokes to your conversations and location.
Pegasus was born in 2011, crafted by the Israeli company NSO Group. Its aim was to provide governments with a technology that helps combat terror and crime. Though it could initially spy only on iPhones, NSO drew on its founders’ links with Israel’s world-leading military and surveillance branch.
After 5 years of quiet spying, Pegasus’ capabilities started to emerge. Ahmed Mansoor – human rights activist and vocal critic of violations committed by the United Arab Emirates monarchy – was sent a suspicious text message. It included apparent information on the torture occurring in UAE prisons, followed by a link. Mansoor sent the link over to the University of Toronto’s Citizen Lab, and in 2016 Pegasus emerged into the global spotlight.
Without devolving into an argument over whether online privacy is a human right, the major strengths of Pegasus make it one of the most powerful and intrusive pieces of spyware out there.
The original exploit chain discovered by Citizen Lab was named Trident. It was a threefold attack, chaining three previously unknown zero-day exploits in Apple’s operating system. The first stage achieved arbitrary code execution when the victim visited a web page. From there, the chain gained access to the system’s memory – finally allowing malicious code to run with high privileges.
Apple rapidly patched this, but Pegasus was not slowing down. Soon thereafter, NSO Group developed a zero-click attack pattern. Zero-click attacks let malware infiltrate a device without any action whatsoever on the user’s part. NSO Group found that malicious code could be delivered to a device via a WhatsApp call to the target – even if the target never picked up.
Another of Pegasus’ zero-click attacks was dubbed the most technically sophisticated attack that Google had ever seen. The FORCEDENTRY iMessage attack abused iMessage’s native GIF handling. In the attack, a PDF file masqueraded as a GIF image, so the iPhone parsed the contents of the file. That content included a virtual CPU built out of boolean pixel operations. Complex stuff.
An Industry-Leading Approach to Human Rights
…is the claim that NSO makes about their best-selling software. Unfortunately, Pegasus has a history of precisely the opposite. The Pegasus Project has been documenting the human rights abuses associated with the software since 2016.
Jamal Khashoggi was a political activist and journalist who believed Saudi Arabia should return to its pre-1979 climate and that women should have the same rights as men. He was a vocal critic of the ban on women driving and of the arrest of female billionaire Loujain al-Hathloul. A supporter of free speech and free expression, he hoped that one day the Arab world would break free of its highly restrictive Wahhabi traditions.
In 2018, Khashoggi was strangled and dismembered in the Saudi Arabian consulate in Turkey. The assassination was ordered by Saudi prince Mohammed bin Salman. Pegasus software was found on his fiancée’s phone, dating back to several months before the activist’s murder. It revealed Khashoggi’s private criticisms of the royal family.
India has been accused of spying on both Pakistani officials and a female employee of the Supreme Court of India – who had previously accused Chief Justice Ranjan Gogoi of sexual harassment.
Israeli high-ranking police officials ordered the use of Pegasus in early 2022. With this, they obtained information unrelated to an ongoing investigation, later used to pressure the subject. In some cases, they obtained incriminating information from suspects’ devices, then concealed the source of the information under the claim it would expose intelligence assets.
Mexican scientists – many involved in obesity research and pushing for higher taxes on sugar – were found to be infected with Pegasus. Pegasus also revealed the location of Cecilio Birto, a journalist who had published ties between local politicians and criminal groups; that location was then used to assassinate him in the hammock he lay in.
The Latest Human Rights Violation
65 individuals in Spain were recently found infected with Pegasus. All of them were vocal advocates of Catalonian independence. Despite widespread public support, the Spanish Constitutional Court has (questionably) ruled all independence attempts as non-constitutional. Police have seized voting polls and been accused of brutalizing voters. When the Catalan Parliament approved their own independence in 2017, the Spanish government simply dissolved it.
There is no protection against Pegasus software. The good news is, if you’re not a political dissident, journalist or politician, you’re probably fine. Maybe.
Pegasus is far from the only spyware out there, however, and many can be stopped in their tracks by remaining vigilant. Mansoor refused to click on a link and saved himself from a Pegasus death knell: you can protect your company from massive data breaches in the same manner.
Be cautious around spyware prevention solutions. Many that claim to defend against spyware are in fact spyware themselves. Only use trusted vendors, and do plenty of research beforehand.
As spyware often relays your information to third-party command and control servers, a Web Application Firewall (WAF) can help cut the link between spyware and its operators. This solution monitors web traffic flowing between an app and the outside world. If a whitelist is implemented, then only certified connections can be made. However, many companies rely only on a blacklist, which is barely a challenge for many pieces of spyware. Though a hybrid approach can offer the best mix of security and adaptability, all protocols need to adhere to zero trust.
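As an added illustration of the whitelist-versus-blacklist point above (example code, not from the original article), this small checker runs both policies over a few constructed outbound-connection log lines; every hostname in it is made up.

```python
# Added example (not from the original article): a tiny egress-policy checker
# contrasting a blacklist-only policy with an allowlist, run over constructed
# outbound-connection log lines. Every hostname below is made up.
from dataclasses import dataclass

# Constructed sample of outbound connections as a proxy or WAF might log them:
# "<timestamp> <source> <destination host> <port>"
SAMPLE_LOG = """\
2024-01-01T09:00:01Z app01 api.example-payments.test 443
2024-01-01T09:00:02Z app01 updates.example-vendor.test 443
2024-01-01T09:00:05Z app01 cdn-7f3a.unknown-host.test 443
2024-01-01T09:00:09Z app01 known-bad.test 8443
"""

# Blacklist: only hosts already seen and catalogued as malicious.
DENYLIST = {"known-bad.test"}
# Allowlist: the destinations this application is certified to talk to.
ALLOWLIST = {"api.example-payments.test", "updates.example-vendor.test"}

@dataclass(frozen=True)
class Connection:
    ts: str
    src: str
    host: str
    port: int

def parse_log(text):
    """Parse the constructed log format into Connection records."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        conns.append(Connection(parts[0], parts[1], parts[2].lower(), int(parts[3])))
    return conns

def denylist_verdicts(conns):
    """Blacklist mode: block only catalogued hosts; everything else passes."""
    return {c.host: ("block" if c.host in DENYLIST else "allow") for c in conns}

def allowlist_verdicts(conns):
    """Allowlist mode: anything not explicitly certified is blocked."""
    return {c.host: ("allow" if c.host in ALLOWLIST else "block") for c in conns}

def unseen_hosts(conns):
    """Hosts a blacklist lets through but an allowlist stops: the gap where a
    previously unknown command-and-control server hides."""
    d, a = denylist_verdicts(conns), allowlist_verdicts(conns)
    return sorted(h for h in d if d[h] == "allow" and a[h] == "block")
```

The `unseen_hosts` result is the set worth alerting on: traffic to a destination nobody has vetted yet, which a blacklist alone would never surface.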