A peek into the realm of Cyber Warfare — Pegasus

Srujana Marpina
Published in Nybles, Aug 3, 2021

“The chain is only as strong as its weakest link,” goes the old saying, but what if it doesn’t matter how strong the chain is because the chain itself has become irrelevant? Confused? That is how the situation looks after recent investigations into a piece of spyware that sent shock-waves throughout the world. Continue reading as the article takes you through the details.

A recent international investigative journalism effort revealed that various governments used Pegasus to spy on government officials, opposition politicians, journalists, activists and many others all around the world. This revelation also concluded that several Indian politicians and journalists were victims of the spyware.

What is Pegasus?

Pegasus, developed by the NSO Group based in Israel, is perhaps the most powerful spyware ever created. It is designed to infiltrate Android and iOS smartphones and turn them into surveillance devices.

What can it do?

Once it worms its way onto your phone, it can turn into a 24-hour surveillance device without you knowing about its presence. It can copy messages you send or receive, harvest your photos and record your calls. It might even secretly film you through your phone’s camera, or activate the microphone to record your conversations. It can potentially pinpoint where you are, where you’ve been, and who you’ve met. Sounds dangerous right?

How does it enter a device?

Pegasus exploits undiscovered vulnerabilities, or bugs, in Android and iOS.

A previous version of the spyware from 2016 infected smartphones using a technique called “spear-phishing”: text messages or emails containing a malicious link were sent to the target. This relies on the victim clicking the link; without that click, the malware cannot take effect.

After learning the above fact, any cautious person would take a moment before clicking suspicious links. However, Pegasus was updated to circumvent this requirement entirely.

By 2019, Pegasus could infiltrate a device with a missed call on WhatsApp and could even delete the record of this missed call, making it impossible for the user to know they had been targeted. A WhatsApp flaw was what allowed this “zero-click attack” to install spyware onto smartphones. Described as a “buffer overflow vulnerability in Voice over Internet Protocol (VoIP)”, it would activate when a target Android or iOS device received a WhatsApp voice call poisoned with rogue data packets.

A look into zero-click attacks

A zero-click attack eliminates the human factor from the equation by relying on software or hardware flaws to gain a foothold on a device and execute a sketchy payload or steal data behind the user’s back. The main prerequisite for pulling off a successful zero-click compromise is a specially crafted chunk of data sent to a target device over a wireless connection such as Wi-Fi, NFC, Bluetooth, GSM, or LTE. This then triggers an unknown or scarcely documented vulnerability at the hardware or software level.

For instance, the vulnerability may be exploited when the incoming information is processed by the SoC (system on a chip) component. What kind of data can trigger such an anomalous response from a receiving device? It can be a series of network packets, authentication requests, text messages, MMS, voicemail, video conferencing sessions, phone calls, or messages sent over Skype, Telegram, WhatsApp, etc. All of these can exploit a vulnerability in a chip’s firmware or in the code of an application tasked with processing the data.
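As an added illustration (not NSO’s, WhatsApp’s, or this article’s own code), the toy C parser below shows the flawed pattern the two paragraphs above describe, a length field inside a received VoIP media packet trusted when copying into a fixed buffer, beside the bounds-checked form that rejects a malformed packet before anything is copied. The packet layout, buffer size and function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed toy media packet: a 4-byte header whose last two bytes are a
 * big-endian payload length, followed by the payload.  This layout is an
 * assumption for illustration, not WhatsApp's or any real VoIP format. */
#define HDR_LEN 4
#define MAX_FRAME 64   /* fixed-size decode buffer, as in the flawed pattern */

struct frame { uint8_t data[MAX_FRAME]; size_t len; };

static uint16_t read_u16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Flawed pattern from the text: the length field carried in the packet is
 * trusted and used as the copy size into a fixed buffer.  A length larger
 * than MAX_FRAME, or larger than the bytes actually received, reads or writes
 * out of bounds.  Kept for contrast only; never use it on untrusted input. */
int decode_frame_unchecked(const uint8_t *pkt, size_t pkt_len, struct frame *out) {
    if (pkt_len < HDR_LEN) return -1;
    uint16_t plen = read_u16(pkt + 2);
    memcpy(out->data, pkt + HDR_LEN, plen);   /* plen is never bounded */
    out->len = plen;
    return 0;
}

/* Hardened form: the claimed length must fit both the bytes received and the
 * destination buffer, otherwise the packet is dropped. */
int decode_frame_checked(const uint8_t *pkt, size_t pkt_len, struct frame *out) {
    if (pkt_len < HDR_LEN) return -1;
    uint16_t plen = read_u16(pkt + 2);
    if (plen > pkt_len - HDR_LEN) return -2;  /* claims more than was received */
    if (plen > MAX_FRAME) return -3;          /* would not fit the decode buffer */
    memcpy(out->data, pkt + HDR_LEN, plen);
    out->len = plen;
    return 0;
}

/* Constructed samples: a well-formed 8-byte frame, and a packet whose length
 * field (0x1000) far exceeds both its real size and MAX_FRAME. */
static const uint8_t GOOD_PKT[] = {0x80, 0x08, 0x00, 0x08, 1, 2, 3, 4, 5, 6, 7, 8};
static const uint8_t BAD_PKT[]  = {0x80, 0x08, 0x10, 0x00, 1, 2, 3, 4};

int demo_good(void) { struct frame f; return decode_frame_checked(GOOD_PKT, sizeof GOOD_PKT, &f); }
int demo_bad(void)  { struct frame f; return decode_frame_checked(BAD_PKT, sizeof BAD_PKT, &f); }
/* Length consistent with the packet, but still larger than the decode buffer. */
int demo_oversize(void) {
    uint8_t pkt[HDR_LEN + 70] = {0x80, 0x08, 0x00, 70};
    struct frame f;
    return decode_frame_checked(pkt, sizeof pkt, &f);
}
```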

Security researchers suspect more recent versions of Pegasus only ever inhabit the phone’s temporary memory, rather than its persistent (flash) storage, meaning that once the phone is powered down virtually all trace of the software vanishes.

Safety measures

Most of these onslaughts zero in on specific victims such as government officials, corporate executives, and journalists. However, anyone can be a target. As the iOS Mail bug demonstrates, exploitation techniques are not necessarily top-notch and costly. Some ways you can protect yourself from malware include:

  • Avoid clicking suspicious links, and ignore dubious email attachments. You can stop fake support emails by checking the domain name of the actual sender address (not just the display name) the email came from (for example, a support email from Apple would be from “support@apple.com”).
  • Zero-click attacks cannot be spotted with the naked eye, so users should protect themselves proactively. The most effective method is to keep the operating system and third-party software on your devices up to date. As vendors learn about new weaknesses in their applications, they roll out patches to address them.
  • When installing a new app, be sure to read the fine print and examine the permissions it asks for. Also, do not jailbreak your devices — this weakens the controls and restrictions built into the firmware. Enabling native encryption features for sensitive information will further enhance your security practices, though it is also essential to back up your valuable data so that you can recover it in the worst-case scenario.
  • Always use a reliable and trusted VPN when connecting to a public Wi-Fi network.
