Privacy PinPoint: Pegasus Project
Pegasus' are beautiful fantasy creatures indeed, but the Pegasus Project is quite the ugly beast. Pegasus is a malware/virus created by the Israeli surveillance company NSO Group, according to an investigation into a massive data leak that occurred just a couple of weeks ago. This malware infects iPhones and Android devices (read the vast majority of consumer smart phones) to enable operators of the tool to extract messages, photos and emails, to record calls, and to secretly activate microphones. The data leak contains a list of more than 50,000 phone numbers that are allegedly people that have been of interest to the NSO Group since roughly 2016. The presence of a phone number in this list merely indicates that, at minimum, that number is a potential target of the NSO Group - not necessarily that it has been infected yet. Forensics analysis of some of the devices attached to these numbers showed that more than half were infected with Pegasus. The list contains numbers of people who are the ruler of a country all the way down to journalists like reporters, editors, and exectuvies at New York Times. NSO group has sold Pegasus to roughly 40 unnamed ountries and says that it "...rigorously vets its customers' human rights records before allowing them to its spy tools."
There's something obviously wrong with governments and anyone else with hefty sums of money being able to buy tools that can hack the very devices which many of us rely on to keep our information, sometimes our biggest secrets are held somewhere on our smart devices - whether they be personal, financial, medical, or even business related. If the NSO Group can crack one iPhone - they can crack them all. Every iPhone is (roughly) running the same software (barring any pending updates). If someone can hack a phone that easily with Pegasus, there is a distinct possibility that they can get access to private encryption keys for services like Signal - an end-to-end encrypted communication application, as well as WhatsApp, Telegram, and others. Make no mistake, Signal uses some very advanced technologies to keep our communications private, but once someone has access to the private key (in a public/private key encryption setting) the game is won.
Many of the past iterations of Pegasus required targets to click a link in order to be infected, but the latest information on the project suggests that they can now penetrate phones with "zero-click" atacks, meaning the user does not even need to click a malicious link for their device to be infected with the malware. Apple says "...Security researchers agree iPhone is the safest, most secure consumer mobile device on the market". Even if this is true, it doesn't stop Apple from enacting new policies that scan our documents, messages, and photos like they mentioned just last week - there will be a follow on post about this.
What can we do about it? Right now, not a whole lot. If this software is as good as is claimed to be, we have a couple of options;
- Stop using our smartphones completely
- Use our smartphones with only end-to-end encrypted services and cross our fingers that we're not on the list of targets for this list (most of us are not).
- Standby for alternative smartphones/devices which employ Linux which would likely improve security against this type of attack (checkout the PinePhone by Pine64). These devices are being worked on but we wouldn't recommend them for most consumers yet.