Sunday, July 25, 2021

Working methodology of Pegasus spyware...

Edward Snowden has called it “the story of the year.” An Israeli spying company has been caught selling software to authoritarian regimes that have used it to surveil more than 50,000 people worldwide.

That company is NSO, founded in 2010 by former members of Unit 8200, the Israeli military’s notorious intelligence squad. Their product is called Pegasus, and it was sold to military, law enforcement, and intelligence agencies in 40 countries, among them some of the world’s worst human rights abusing governments.

Pegasus is able to attack the cellphones of targeted individuals without them realizing it, monitoring and recording their calls, texts and accessing other information stored on their devices. Dozens of human rights activists, nearly 200 journalists, several Arab royals, and more than 600 politicians are known to have had their communications spied on and compromised. Among those are French President Emmanuel Macron, Pakistani prime minister Imran Khan and president of Iraq, Barham Salih.

Close associates of the Washington Post journalist Jamal Khashoggi were also attacked and compromised just before his murder by Saudi operatives in 2018, strongly indicating that the information gleaned through Pegasus was crucial in this endeavor. NSO vehemently denied that their product was used in his assassination. Yet it also put out a statement insisting that it had no access to what its clients did with the software — two seemingly contradictory assertions.

The Pegasus story has made major waves in India, too, where it was revealed Prime Minister Narendra Modi had used it to spy on his political opponents in the run-up to the 2019 elections. The Indian Congress Party has accused the prime minister of committing treason. Also disclosed was that the government hacked the phone of a woman who accused the Chief Justice of India of raping her, a revelation undermining the entire justice system and the concept of a fair trial.

Yet a new MintPress News investigation asserts that Pegasus is merely the tip of the Israeli cyber spying iceberg and that another piece of software, Toka, is far more dangerous and outrageous. Toka markets itself as “a one-stop hacking shop for governments that require extra capability to fight terrorists and other threats to national security in the digital domain.” The company’s software is designed to infiltrate any device connected to the internet, not just smartphones.

Toka is a product of the Israeli national security state, having been co-founded by former prime minister, Ehud Barak, and was also designed by members of Unit 8200, leading Webb to suggest that it is a front for the Israeli government. (Mnar Adley, Mintpress News, July 23rd, 2021)

How does the Pegasus spyware work, and is my phone at risk?

Paul Haskell-Dowland
Associate Dean (Computing and Security), Edith Cowan University

Roberto Musotto
Research fellow, Edith Cowan University

The Conversation, July 21, 2021

A major journalistic investigation has found evidence of malicious software being used by governments around the world, including allegations of spying on prominent individuals.

From a list of more than 50,000 phone numbers, journalists identified more than 1,000 people in 50 countries reportedly under surveillance using the Pegasus spyware. The software was developed by the Israeli company NSO Group and sold to government clients.

Among the reported targets of the spyware are journalists, politicians, government officials, chief executives and human rights activists.

Reports thus far allude to a surveillance effort reminiscent of an Orwellian nightmare, in which the spyware can capture keystrokes, intercept communications, track the device and use the camera and microphone to spy on the user.

How did they do it?

The Pegasus spyware can infect the phones of victims through a variety of mechanisms. Some approaches may involve an SMS or iMessage that provides a link to a website. If clicked, this link delivers malicious software that compromises the device.

Others use the more concerning “zero-click” attack, where vulnerabilities in the iMessage service on iPhones allow infection simply by receiving a message; no user interaction is required.

The aim is to seize full control of the mobile device’s operating system, either by rooting (on Android devices) or jailbreaking (on Apple iOS devices).

Usually, rooting on an Android device is done by the user to install applications and games from non-supported app stores, or re-enable a functionality that was disabled by the manufacturer.

Similarly, a jailbreak can be deployed on Apple devices to allow the installation of apps not available on the Apple App Store, or to unlock the phone for use on alternative cellular networks. Many jailbreak approaches require the phone to be connected to a computer each time it’s turned on (referred to as a “tethered jailbreak”).

Rooting and jailbreaking both remove the security controls embedded in Android or iOS operating systems. They are typically a combination of configuration changes and a “hack” of core elements of the operating system to run modified code.

In the case of spyware, once a device is unlocked, the perpetrator can deploy further software to secure remote access to the device’s data and functions. The user is likely to remain completely unaware.

Most media reports on Pegasus relate to the compromise of Apple devices. The spyware infects Android devices too, but isn’t as effective as it relies on a rooting technique that isn’t 100% reliable. When the initial infection attempt fails, the spyware supposedly prompts the user to grant relevant permissions so it can be deployed effectively.

But aren’t Apple devices more secure?

Apple devices are generally considered more secure than their Android equivalents, but neither type of device is 100% secure.

Apple applies a high level of control to the code of its operating system, as well as apps offered through its app store. This creates a closed system often referred to as “security by obscurity”. Apple also exercises complete control over when updates are rolled out, which are then quickly adopted by users.

Apple devices are frequently updated to the latest iOS version via automatic patch installation. This helps improve security and also increases the value of finding a workable compromise to the latest iOS version, as the new one will be used on a large proportion of devices globally.

On the other hand, Android devices are based on open-source concepts, so hardware manufacturers can adapt the operating system to add additional features or optimise performance. We typically see a large number of Android devices running a variety of versions — inevitably resulting in some unpatched and insecure devices (which is advantageous for cybercriminals).

Ultimately, both platforms are vulnerable to compromise. The key factors are convenience and motivation. While developing an iOS malware tool requires greater investment in time, effort and money, having many devices running an identical environment means there is a greater chance of success at a significant scale.

While many Android devices will likely be vulnerable to compromise, the diversity of hardware and software makes it more difficult to deploy a single malicious tool to a wide user base.

How can I tell if I’m being monitored?

While the leak of more than 50,000 allegedly monitored phone numbers seems like a lot, it’s unlikely the Pegasus spyware has been used to monitor anyone who isn’t publicly prominent or politically active.

It is in the very nature of spyware to remain covert and undetected on a device. That said, there are mechanisms in place to show whether your device has been compromised.

The (relatively) easy way to determine this is to use the Amnesty International Mobile Verification Toolkit (MVT). This tool can run under either Linux or macOS and can examine the files and configuration of your mobile device by analysing a backup taken from the phone.

While the analysis won’t confirm or disprove whether a device is compromised, it detects “indicators of compromise” which can provide evidence of infection.
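As an added illustration of what "indicators of compromise" matching against a backup means in practice (this is example code, not MVT's own implementation), the block below parses domain indicators out of a STIX2 bundle and checks URLs found in backup records against them. The bundle, the records and every domain in them are constructed placeholders, not real Pegasus indicators.

```python
import json
import re
from urllib.parse import urlparse
# Constructed STIX2 bundle; the domains are placeholders, not real Pegasus indicators.
STIX_BUNDLE = json.dumps({"type": "bundle", "objects": [
    {"type": "indicator", "pattern": "[domain-name:value = 'ioc-placeholder.example']"},
    {"type": "indicator", "pattern": "[domain-name:value = 'second-ioc.example']"},
    {"type": "malware", "name": "placeholder-family"},  # not an indicator; must be skipped
]})

# Constructed records of the kind a phone backup yields (SMS bodies, browser history).
RECORDS = [
    {"source": "sms", "text": "Your parcel: https://cdn.ioc-placeholder.example/track?id=1"},
    {"source": "safari_history", "url": "https://news.example/story"},
    {"source": "safari_history", "url": "http://second-ioc.example:8080/a"},
]

PATTERN_RE = re.compile(r"\[domain-name:value\s*=\s*'([^']+)'\]")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")
def load_domain_iocs(bundle_json):
    """Collect domain-name indicators from a STIX2 bundle, ignoring other object types."""
    domains = set()
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        m = PATTERN_RE.fullmatch(obj.get("pattern", "").strip())
        if m:
            domains.add(m.group(1).lower())
    return domains

def matches_ioc(host, iocs):
    """Return the indicator matching host or any parent domain (cdn.x.example hits x.example)."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None

def scan_records(records, iocs):
    """Return (source, url, matched_ioc) for every URL whose hostname hits an indicator."""
    hits = []
    for rec in records:
        urls = [rec["url"]] if "url" in rec else URL_RE.findall(rec.get("text", ""))
        for url in urls:
            matched = matches_ioc(urlparse(url).hostname or "", iocs)
            if matched:
                hits.append((rec["source"], url, matched))
    return hits
```

A hit on a parent domain or a non-standard port is still reported, which is why the check works on the parsed hostname rather than on the raw string.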

= = =

While the spyware has (and continues) to use click-through links (with previous approaches using a WhatsApp vulnerability and even discussion of an historical Apple Music service compromise), the current version and the Amnesty International investigation are a zero-click approach. The “don’t click on links” measure won’t help defend against the zero-click vector as this can only be fixed by a patch from Apple and subsequent adoption by users (which thankfully is well executed). The recommendations are, however, still relevant for the click-through method and as a more general safeguard for the multitude of compromises and scams against mobile devices.

The report from Amnesty specifically mentions that the spyware can be installed through WhatsApp or iMessage through ‘zero-click’ exploits which do NOT require any user interaction such as the user clicking on a link. This renders your explanation about the ‘initial attack’ resulting from clicking these messages misleading. It also means your comments about how to protect yourself are not an accurate portrayal of the report. This article should be amended with an accurate portrayal of the report that reflects the seriousness of these attack vectors working on the latest Apple devices and OS.

Pegasus avoids sending data whilst roaming, since it doesn’t want to raise any red flags to the user, who would have wondered why their roaming data usage has suspiciously spiked. But such a feature can also be tweaked by hackers who are much more risk tolerant.

Logically it seems that as long as you’re using the internet, spyware can send data out, so you’re safe if you truly disable the phone so it never connects to the internet, if somehow already infected.

It seems ironic that while our government constantly warns against Chinese hacking, they could be deploying this insidious program against us.
