Pegasus spyware has been here for years. We must stop ignoring it

On July 18, a group of 17 newspaper and media organizations—aided by Amnesty International’s Security Lab and the research group Citizen Lab—revealed that one of the world’s most advanced and viciously invasive spyware tools had been used to hack, or attempt to hack, into 37 mobile phones owned by human rights activists, journalists, political dissidents, and business executives.

The spyware, called Pegasus and developed by the Israeli company NSO Group, is reportedly instrumental to several governments’ oppressive surveillance campaigns against their own citizens and residents. NSO Group has repeatedly denied allegations that it knowingly sells Pegasus to human rights abusers, but it is difficult to reconcile how a zero-click spyware program—one that invisibly and without consent steals emails, text messages, photos, videos, locations, passwords, and social media activity—can, in its very use, respect the rights of people around the world to speak freely, associate safely, and live privately.

Pegasus is spyware, and spyware is not made to respect privacy. It erodes it.

What may be most upsetting about Sunday’s bombshell reporting is that the cybersecurity community has known about Pegasus for years. Antivirus vendors detect it. Digital forensics labs know how to catch it. And between 2016 and 2018, more than 1,000 IP addresses were found to be associated with it.

With tools like Pegasus that can be abused on a global scale, we take on too big a risk. When weaponized by authoritarian governments, surveillance chills free speech, scares away dissent, and robs an innocent public of a life lived unwatched, for no crime committed other than speaking truth to power, conducting public health research, or simply loving another person.

It enables abuses like the mobile phone hack of Hatice Cengiz, former fiancée of murdered Washington Post columnist Jamal Khashoggi. After the world learned that her phone was hacked, she wrote:

“I am deeply shocked that I have been targeted while I was in such pain waiting to find out what had happened to Jamal. This was the worst time of my life and yet the killers were spying on me. They have no shame. They must be brought to justice.”

Pegasus in theory

According to NSO Group, its main spyware program is a beneficial tool for investigating and preventing terrorist attacks and maintaining the safety of the public. In answering questions from the group of 17 media organizations—which published their findings under the name “The Pegasus Project”—NSO Group said:

“Simply put, NSO Group is on a life-saving mission, and the company will faithfully execute this mission undeterred, despite any and all continued attempts to discredit it on false grounds.”

After The Pegasus Project published its initial findings on Sunday, NSO Group’s chief executive Shalev Hulio spoke with The Washington Post about concerns he had about how his company’s software has been used against journalists and human rights activists.

“The company cares about journalists and activists and civil society in general,” Hulio said. “We understand that in some circumstances our customers might misuse the system and, in some cases like we reported in [NSO’s] Transparency and Responsibility Report, we have shut down systems for customers who have misused the system.”

Hulio told The Washington Post that his company had terminated the contracts of two customers because of allegations of human rights abuses, but, according to the paper, he refused to disclose which accounts were closed.

NSO Group’s explanations are just one half of the story, though, because, in reporting out Sunday’s revelations, The Pegasus Project also asked potentially responsible governments why they used Pegasus to hack the mobile phones of dissidents and reporters. The governments in question either denied using Pegasus at all, as Rwanda’s foreign affairs minister did, or claimed that any surveillance their governments carried out was lawful, as Hungarian Prime Minister Viktor Orban’s office did.

Similarly, the government of India rebuffed any allegations that it wrongfully used Pegasus to conduct surveillance. Any interception of messages, the government said, is approved at several levels of the government in accordance with several laws.

“In India, there is a well established procedure through which lawful interception of electronic communication is carried out in order for the purpose of national security, particularly on the occurrence of any public emergency or in the interest of public safety, by agencies at the Centre and States,” the government said. “The requests for these lawful interception of electronic communication are made as per relevant rules under the provisions of section 5(2) of Indian Telegraph Act, 1885 and section 69 of the Information Technology (Amendment) Act, 2000.”

The twin stories that NSO Group and its clients tell, then, are that Pegasus is a necessary tool to maintain safety, and that the use of Pegasus is legal within a country’s own surveillance regime.

NSO Group has also said that its tool is increasingly necessary in an era when end-to-end encryption is widely available to criminals.

“Terror organizations, drug cartels, human traffickers, pedophile rings and other criminal syndicates today exploit off-the-shelf encryption capabilities offered by mobile messaging and communications applications,” NSO Group told The Pegasus Project. “These technologies provide criminals and their networks a safe haven, allowing them to ‘go dark’ and avoid detection, communicating through impenetrable mobile messaging systems. Law enforcement and counterterrorism state agencies around the world have struggled to keep up.”

This trend is real—end-to-end encryption is more widely available today than ever before, offered in several consumer apps on both Android and iOS devices—but it is also overblown. As Malwarebytes Labs has written before, the “going dark” problem is often overstated, and the proposed solution to it, “safe backdoors,” is technologically impossible.

Importantly, though, if Pegasus were actually a critical tool to stop crime, that could be proven. In practice, however, The Pegasus Project found that the targets of Pegasus are not “terror organizations, drug cartels, human traffickers, pedophile rings” or “other criminal syndicates,” but rather reporters, scientists, romantic partners, and potentially heads of state.

Pegasus in practice

On Sunday and in the days following, The Pegasus Project revealed the broad cast of victims it believes have been targeted with Pegasus spyware.

In its reporting, The Pegasus Project relied on a list of 50,000 phone numbers obtained by the French journalism nonprofit Forbidden Stories. The reporters believe the list contains phone numbers that were targeted using Pegasus spyware. Each entry also carries a timestamp, which the reporters believe shows when a phone was potentially first targeted by a Pegasus operator.

In the investigation, the reporters contacted dozens of the individuals to whom the listed phone numbers belonged, eventually obtaining 67 mobile devices that they believed had been targeted by the spyware.

The 67 devices were first analyzed by Amnesty International’s Security Lab, which looked for traces of Pegasus spyware and for malicious text messages that, if clicked, were known to exploit device zero-day vulnerabilities to install the Pegasus spyware and hack into phones. Amnesty International’s work was separately verified by Citizen Lab, a research institution at the University of Toronto that focuses on technology and human rights.

In the investigation, The Pegasus Project found signs of successful or attempted hacking by Pegasus spyware on 37 devices. The remaining 30 devices produced inconclusive results.

The list of phone numbers—which NSO Group denied is a list of Pegasus targets—included 14 politicians, including three presidents, 10 prime ministers (three current and seven former), and one king.

The three presidents are France’s Emmanuel Macron, Iraq’s Barham Salih, and South Africa’s Cyril Ramaphosa. None of the heads of state offered their mobile devices to The Pegasus Project, making it impossible to know if the devices had been hacked or had received malicious text messages that could result in a hack.

The possible use of Pegasus against presidents, prime ministers, and princesses is just that: possible. But remember that The Pegasus Project found evidence of hacking or attempted hacking on 37 of the 67 mobile devices it tested.

From the facts reported so far, the use of Pegasus against those individuals bears no marking of anti-terrorist, pro-security, or counterintelligence work at all.

For instance, why was Pegasus used to hack into the phone of reporter Khadija Ismayilova, whose investigative work has revealed corruption within Azerbaijan’s ruling family?

Why was Pegasus silently implanted onto the iPhone 11 of Claude Magnin, Paris resident and wife of the political activist Naama Asfari, who was jailed and allegedly tortured in Morocco?

Why was Pegasus used to hack into the phones of the wife and the fiancée of Jamal Khashoggi, the Washington Post columnist and critic of the Saudi Arabian government who, according to the Biden Administration, was murdered and dismembered with approval from Saudi Arabia’s Crown Prince?

And why did a Pegasus operator send malicious texts to one scientist and two nonprofit directors who actively supported a banal soda tax in Mexico? Or why did a Pegasus operator similarly send text messages to Mexican journalist Raphael Cabrera that, if clicked, could have reportedly resulted in a Pegasus infection of his iPhone 6?

This is not security work. This is surveillance.

A dangerous industry

Pegasus is not new. The company behind it launched in 2010, and it reportedly gained its first overseas customer just one year later. For years, Citizen Lab has been tracking the spread of Pegasus, searching for government clients and tracking down mobile devices that were hacked by the spyware. Back in 2016, the group’s investigations helped spur MacOS updates to fix severe vulnerabilities that could have been exploited by Pegasus. In 2018, Citizen Lab also identified 45 countries that were potentially relying on Pegasus to conduct surveillance.

More recently, NSO Group’s activities spilled into American news when Facebook blamed the Israeli company for exploiting a vulnerability in WhatsApp in 2019. Facebook-owned WhatsApp later sued NSO Group for allegedly using this vulnerability to allow Pegasus users to hack 1,400 devices. The lawsuit is still proceeding, and it has gained the support of Microsoft, Google, Cisco, and VMware.

We have known about these problems for years. We can no longer turn a blind eye to this type of abuse. Two years ago, a group of cybersecurity vendors, digital rights activists, and domestic violence support networks came together to launch the Coalition Against Stalkerware, recognizing the interdisciplinary need to protect users from the threat of intimate partner surveillance.

We hope the same energy can be captured today.

After learning about the findings from The Pegasus Project, former NSA defense contractor and surveillance whistleblower Edward Snowden warned that spyware is not a small problem. It is, he said, everywhere, and it needs to be stopped.

“When I look at this, what the Pegasus Project has revealed is a sector where the only product are infection vectors, right? They don’t—they’re not security products,” Snowden said. “They’re not providing any kind of protection, any kind of prophylactic.”

“They don’t make vaccines. The only thing they sell is the virus.”
