Note: While this is a reason as to why Apple cannot build something for scanning images on your device, it does not have to do with Apple’s CSAM tracking. This is about spyware.
Pegasus is the name of spyware created by the Israeli firm NSO Group. The company builds workarounds for getting information off of devices: it finds security flaws in operating systems, including iOS and Android, and sells access to users’ devices. Sales are supposed to be limited to governments, not that that makes it any better. After all, it’s often one’s own government that people have to fear.
According to a report from Amnesty International and Forbidden Stories, called the Pegasus Project, NSO Group’s Pegasus has made its way onto thousands of devices. An alarming number of those devices aren’t owned by politicians or other likely high-profile targets, but by journalists and activists. That’s the danger of tools that violate people’s privacy: it’s hard to ensure they’re used the “right way,” if there even is such a thing.
What is Pegasus?
Pegasus isn’t a winged horse, unfortunately. Instead, it’s spyware that can infect your phone, Android or iOS, sending information from your phone to someone else. It was created by the Israeli company NSO Group, which has created some of the most effective and prolific data extraction tools in the world. Pegasus has evolved over the years. Initially, it required a spear phishing attack; that is, you had to click on a link that an attacker sent to you. Now, apparently, it has become something that can infect an iPhone or Android device with little more than a message or phone call. You don’t even have to answer or acknowledge it.
WhatsApp previously stated that Pegasus infected 1,400 phones on their network. WhatsApp is popular among Android users, who don’t have a native or widespread messaging app with the functionality of iMessage yet. That’s not the only way Pegasus can make its way onto a phone though. Amnesty International claims that it may have been used on as many as 50,000 potential targets, though it can’t say whether each of these devices was infected.
Pegasus is sold to governments, nation states. Countries that don’t have their own hacking tools, like perhaps the NSA or CIA might have in the United States, can buy NSO Group’s software to level the playing field. NSO Group says it controls how governments use this technology, but doesn’t specify how it ensures that countries don’t violate people’s human rights. However, it can shut Pegasus down remotely if it does discover misuse, something it has done before.
Pegasus can pull just about any piece of information off of a phone, like photos, messages, and data, but it can also execute code to record phone calls and audio, or activate your camera. Frankly, it’s powerful enough to do just about anything with your phone, turning it into the ultimate spying tool. Pegasus was functionally working on iOS devices as late as last month, and likely still works.
Who Has Pegasus?
Supposedly, exclusively governments and nation states who can purchase access to Pegasus from NSO Group. However, that’s not comforting. Saudi Arabia reportedly had access to Pegasus. Dictatorships and other authoritarian regimes looking to spy on critics, journalists, protestors, women, LGBTQ+ people, just about whoever they want, could potentially access Pegasus. In fact, it wasn’t long ago that a lone man came close to leaking NSO Group’s hacking tools to the world. That was just the person they caught. Once you create a tool like this, it’s virtually impossible to keep it out of the wrong hands, no matter how hard you try.
Has it Been Misused?
I wish I could comfort you in this section, but I can’t. Thanks to the investigation of Amnesty International and Forbidden Stories, a Paris-based media non-profit, we know that far more people were victims of hacking. This includes 1,000 confirmed victims in 50 countries. The victims include journalists, media organizations, executives, activists, and hundreds of politicians and government officials.
Many of those victims were women, specifically journalists who were critical of authoritarian regimes. Personal photos, ones they didn’t share with anyone, ended up in circulation. The goal was to show women in revealing personal photos, like in bathing suits. While these aren’t a big deal in the West, in many Middle Eastern countries, they can destroy a woman’s career and make her a high-profile target for violence. Now, regimes have a way to threaten journalists, especially women, who dare to speak out against their cruelty. NSO Group disputes the claims of Amnesty International and Forbidden Stories, but the actual report is quite damning, and includes NSO Group’s response. Their “Pegasus Project” reveals thousands of victims, a few of whom are highlighted in this NBC News article. The stories are harrowing, revealing an intimidation campaign that could be deadly.
Am I Safe?
Unless you are a high-profile target, yes, you’re likely safe. This kind of hacking isn’t passive monitoring. That is, they’re not actively infecting everyone. Instead, it’s a highly targeted attack that begins with either one of Pegasus’ no-click attacks or a targeted spear phishing attack, which seeks to get you to click on a link or enter credentials.
Still, if you feel as though you may be a target, or you’re just worried, you can check it out for yourself. The process isn’t very easy and may involve some technical skill, but it’s low risk. That is, you won’t break anything by trying it. On iOS, you’ll use a decrypted backup of your device made to your computer. For Android, you’ll use the Android Debug Bridge command line tool or a backup. Both methods involve using the terminal, installing Python dependencies, and then running Amnesty International’s Mobile Verification Toolkit. You can read more about how this works on their GitHub page and in their documentation. The tools work natively on macOS and Linux, and work best for a Mac scanning an iPhone, though you can use them to test Android as well.
Frankly, as long as these kinds of security vulnerabilities are in the wild, you’re not completely safe. Someone could take advantage of them. Currently, however, you’re relatively safe. Hopefully Apple and Google can patch the holes in their operating systems that allowed the Pegasus spyware in.
What Can Apple Do?
The first thing Apple has to do is understand that their security is not perfect. They need to stop designing systems as though their technology is completely safe. Pegasus got through the iMessage “BlastDoor” and then what? It had root access to everything. Apple needs to make sure that every process is “sandboxed,” even their own.
Furthermore, they have to stop building tools that hackers and governments can abuse. I am, of course, talking about CSAM scanning. This builds a digital spy in your device from the factory. It’s easy to use for the wrong reasons. Either a government doesn’t tell Apple what’s in the hashes, or they intercept hashes, adding their own and receiving matches from the user. Either way, it gives them constant monitoring of a user’s device. Potentially all users’ devices. This is much easier than targeting individuals for hacking and data extraction. Frankly, Apple needs to stop giving tools to the bad guys.
Until then, they need to focus on closing backdoors as soon as possible, even if they don’t think there is a leak in the wild. Apple’s usually good about this, but there have been a few exploits that Apple knew of and didn’t patch before they were used in the wild. Obscurity protected Apple’s Macs for years, and the iPhone as well. They’ve lost that protection, and need to treat every possible vulnerability like someone’s already using it. Because, frankly, they are.
What Can the World Do?
Politicians can ban the sale and export of hacking tools. It’s that simple. Ban these harmful tools, then threaten embargoes on countries that refuse to do the same. That would end the problem with a stroke of a pen. The problem is, some of these nations, like Russia and China, are too large or too powerful to react well (or at all) to an embargo. Others, like Israel, mean entering into delicate political situations. But if nations came together and pushed to ban these hacking-as-a-service companies, they could end it. The NSO Group claims they only sell to reputable nation states and that they pull access for abuse. However, Amnesty International’s overwhelming evidence seems to paint a much more worrisome picture.
Sources:
- Amnesty International, [summary]
- Killian Bell, Cult of Mac
- Mitchell Clark, The Verge
- Daniel Politi, Slate
- Ben Lovejoy, 9to5Mac
- David Pegg and Sam Cutler, The Guardian
- Zack Whittaker, TechCrunch