So-called ‘Pegasus’ first made it to the headlines in 2016, however public opinion was not fully aware of how severe danger it poses to civil liberties until last year, when it was revealed that the programme was used to spy on and steal data from thousands of independent journalists and activists in dozens of countries. Last week, as a consequence of US blacklisting the company that created Pegasus, Apple sued NSO Group for breaching the privacy of Apple products’ users. The company also decided to notify via e-mail or via SMS every user who may have been a victim. It is clear that such type of spyware is very dangerous to our privacy and to our liberty. Before I elaborate on that, here’s some facts about Pegasus.
What is Pegasus?
Pegasus is a spyware developed by Israeli company NSO Group that is used to target mainly mobile phones. The company claims that the products is only sold to authorised goverments in order to crack down on organised crime like human trafficking or prevent terrorist attacks, all for the public safety (source: official site of NSO Group).
However it is known, that in many cases it is the opposition, or the journalists criticising the government who are under the surveillance. It is suspected, that even Amazon’s Jeff Bezos and French president Emmanuel Macron might have fallen victims to company’s infamous spyware. Some of the clients are also authoritarian regimes, which while having disdain for human rights, most probably won’t be held accountable for the invigillation.
How does it work and why it is particurarly dangerous?
Most of countries have secret services, which gather our private data without consent, and on the spyware market there are many products which fulfill the same goal. However the key reason why Pegasus is particurarly dangerous is its methods of infecting the devices.
Primary targets of Pegasus are mobile phones. Vast majority of mobile phones have either Android or iOS. There is no operational system which will prevent your phone from getting hacked, but there are differences between the systems, which make your device safer or less safe. One of key factors on that matter are frequent software updates. If the patches and bugfixes are coming out rarely and with a delay, then it is much easier to exploit vulnerabilities in device’s security, as they won’t be patched out anytime soon, which is unfortunately the case with Android. The only mobiles which are getting firmware (iOS) updates are iPhones, which are made by the same company – Apple. However Android can be easily modified by the producers, which tend to install a User Interface (UI). In this case, this is a disadvantage, because before each update is made available, the new version of firmware needs to be integrated with producer’s UIs, which prolongs the whole process dramatically. In addition, devices with Android tend to receive less OS updates before ending the support than iPhones.
Pegasus can infect the device via several different paths. Most obvious and plain one is sending a SMS to the victim’s phone with link, which, when clicked, hacks the device. It doesn’t sound like anything special, but if that approach fails, then the operator may attempt at taking control over the target by other, more dangerous method.
Spyware’s operator may use an exploit in device’s security in order to send a message, which hacks it without victim’s involvement. Then the software roots/jailbreaks the target, gaining control over the victim’s photos, messages, e-mails and also gaining the ability to overhear victim’s calls or what is being spoken to the device’s microphone. When a device is compromised, the victim completely loses it privacy, because the potential amount of data which can be stolen is tremendous. Up to very recently, most of people under surveillance of this program had no idea, that they might have been spied on. In case the operator finds out, that the victim might know about the breach, he may remotely delete the program from the device.
The program poses a direct threat to any user under its ‘supervision’. Spyware’s operator gains even our very intimate data, which makes it easy to blackmail the victim or their family. Also, the very fact that even disclosed information is vulnerable to the breach, can be used to our great disadvantage, as all our aims and plans, that were sent to someone are reveled to the Pegasus’s client, in present time. If a prominent government’s dissident writes to someone about their plan to for example enter a foreign embassy or consulate, the secret services may trap him and prevent him from reaching the place, if they know his plans.
It is suspected, that a Saudi dissident, Jamal Khashoggi, was spied on by Pegasus for a few month preceeding his assasination in Saudi consulate in Istanbul. When it comes to our more local, polish background, a prosecutor, who investigated whether the government’s action preceding last year’s presidential election were legal or not, received on her iPhone a message from Apple, that most probably she had been spied on, on a basis of her actions as a prosecutor.
Fortunately, not everyone may become a victim to this vicious spyware. In order, to use Pegasus on someone, a client (most of the time a country’s government) needs to but a license, which is very costly (as much as $650 000 for spying on 10 iPhones). Buying addtional license for 100 devices costs approximately $800 000. The system maintenance draws 17% of a price each year it is being used. This limits its use to key targets. If you are not important activist or a dissident, or one of themost wealthy entrepreneurs in your country you probably are not a target of Pegasus.
However, be aware that no-one in developed countries is safe from invigilation. What you should do, regardless of whether you may be a victim of Pegasus or not, is to take necessary precautions: keep your device updated, use strong passwords and safety measures and avoid suspicious links or networks in order to protect your privacy.