How Does Pegasus Work, And How Can You Defend Against It

The beginning of the monsoon session of the parliament has been rocked by news reports of journalists, activists, politicians, medical experts and political consultants being targeted with Israeli spyware Pegasus.

According to reports from The Pegasus Project investigation, carried out collaboratively by a consortium of international news outlets, the military-grade spyware Pegasus, made by Israeli tech firm NSO Group, is now capable of compromising smartphones without any interaction from the users.

In 2019, WhatsApp revealed that a vulnerability with the messaging app was exploited to install Pegasus on the phones of 1,400 WhatsApp users by simply making a missed call. Since then, NSO's methods have gotten more and more advanced, allowing it to exploit vulnerabilities with iMessage to potentially gain access to millions of iPhones.

Already, more than 50,000 phone numbers were found in the potential target list that was accessed by the Pegasus Project.

As users of the internet and smartphones, if we are to continue using our devices and still protect our data, we will need to better understand the threat, and if there are to beat it.

Also Read: Rahul Gandhi, Prashant Kishor, IT Minister Potential Pegasus Targets: Reports

Installing Pegasus In Target's Device

The past and present reports on NSO's methods of hacking has made one thing certain - there is no fixed method of installing the malware in a device, it is rather an ever-evolving process.

Nino Stephen, a Kerala-based security analyst who has been following the Pegasus Project closely, believes that NSO adapts its methods of installing its spyware in a target's phone by constantly looking for vulnerabilities in their smartphone softwares.

"These types of companies invest hugely into developing 0-days in commonly used applications. It maybe in native applications like iMessage or 3rd party apps like WhatsApp. All these mentioned applications are complex in design and hence itself there is always a possibility in finding exploitable bugs," Stephen told BOOM.

A zero-day is a vulnerability with a software that is unknown to those who are in charge of mitigating threats to the software. Until a zero-day vulnerability is identified and tackled, the software will be open to hacks from anyone who may have identified the zero-day.

"NSO Group team probably have several zero-days in their hands to compromise a wide range of devices. It could be a phone with an old version of Android or an iPhone with the latest and most up-to-date patches," Stephen added.

Raman Chima, who is currently the Asia Policy Director and Senior International Counsel at digital civil rights non-profit Access Now, agrees with Stephen.

"All devices have vulnerabilities, not one but many. Companies like NSO race everyday throughout the year to discover these vulnerabilities, to look for exploits that would allow them to install the malware," Chima said in a conversation with BOOM.

Furthermore, exploiting widely-used and pre-installed softwares like WhatsApp and iMessage allow companies like NSO to target a much larger user base more successfully.

According to a report by The Guardian, who has been collaborating in the Pegasus Project, the spyware can also be installed over a wireless transceiver located near the target's phone.

Once Installed, What Can It Do?

"A modern mobile phone has so many features in it that it's the best candidate for spying. A person's freedom and power can be compromised if his digital assets can be compromised," says Stephen.

According to the forensic analyses of the victims' phones by Amnesty International, once Pegasus is installed, it can harvest any information from the phone.

While harvesting data such as contacts, SMS messages, instant messages, emails, photos, videos, browsing history and call history, it call also activate microphones and cameras, record calls and get location data by activating GPS.

Claudio Guarnieri, who leads Amnesty International's Berlin-based Security Lab told The Guardian that an attacker using Pegasus has more control over the phone than its user.

"When an iPhone is compromised, it's done in such a way that allows the attacker to obtain so-called root privileges, or administrative privileges, on the device. Pegasus can do more than what the owner of the device can do," he said.

How Can We Defend Ourselves Against It

On the question of how to stop such an attack from happening, Guarnieri told Guardian that "real honest answer is nothing". His concern arises from the fact that those behind the spyware are constantly looking for flaws that even the most tech-savvy users are not aware of.

However, Chima believes that certain steps can be taken to improve device security, and make it more and more difficult for attackers to find vulnerabilities to crack.

"An important part is using strong hardware and softwares with good protection. Ensure that your device is receiving regular updates from the manufacturers," he told BOOM.

"To protect your accounts, a two-factor authentication also goes a long way. Not the ones through one-time passwords that are sent to your phones, as text messages can be compromised, but through apps or security keys," he added. "Lawyers and whistleblowers should speak to professionals to better understand their specific thread models, and take precautions accordingly."

Fighting It Legally

While NSO Group's list of clients are not officially disclosed yet, given that they only deal with governmental organisations, its usage in India puts the spotlight on the Narendra Modi-led administration.

While the government is yet to provide any transparency on the use of Pegasus, it has not refuted its use either. Meanwhile, Chima believes that the use of Pegasus does not amount to surveillance, but rather hacking, which is a crime, and can thus be challenged legally.

"Technically, calling it surveillance is a lie. Use of Pegasus is not legal interception, it is hacking. You cannot break one law to facilitate another," he said. "The report by the government's own Committee of Data Protection led by Justice B.N. Srikrishna had said that the government's legal powers are out of date."

The report had noted the need of a reform of surveillance laws.

Under section 69 Information Technology Amendment Act, 2008, the government has the power to intercept, monitor or decrypt any data stored in any device for the reason of public safety and security.

However, Chima believes that for targeting journalists, activists and other politicians, the government should be required to provide answers. "This should not be the new normal, we should not be getting used to this," he added.

Chima further added that such legal battles against surveillance have already been mounted. In the Writ Petition (Civil) No. 44 of 2019, Internet Freedom Foundation and another versus Union of India, the petitioners seek to test the constitutionality of the current surveillance system in India.

Press freedom advocacy group Reporters Without Borders (RSF) are also looking to litigate against NSO Group and the use of their spywares, according to their Director of International Campaigns, Rebecca Vincent.

NSO was already sued by Facebook-owned WhatsApp in 2019 - Judge Phyllis Hamilton, who ruled that the case could proceed in a United States district court in California, said that she was not persuaded by the argument that NSO had no role in targetting the list of 1,400 WhatsApp users.

Also Read: 40 Indian Journos In Leaked List Of Potential Targets Of Pegasus Snooping

What To Do If You're A Victim Of A Hack

"There are dedicated 24X7 helplines that can assist journalists who are worried they might be under surveillance or under hack. Being proactive always helps prevent further attacks," Chima said.

Chima also forwarded us the links to Access Now's Digital Security Helpline and a Digital First Aid Kit, where users can get emergency assistance and detailed information on steps to take if their devices are compromised.

As a journalist, if you feel that your devices maybe compromised, or may have faced an attempted hack, you can also contact Electronic Frontier Foundation and the Committee to Protect Journalists for advice.