Organized by Amnesty International and the Paris-based non-profit Forbidden Stories, the Pegasus Project involves 80 journalists in 10 countries. Its subject is the Pegasus spyware sold by NSO Group, a powerful tool that is supposed to only be available to law enforcement and intelligence agencies for legitimate and legal uses. The Pegasus Project reporting reveals that it has instead been made widely available to repressive governments with little oversight or regulation of how these clients have used it. It has been abused to track journalists in 20 countries, including the family members of Jamaal Khashoggi both before and after his 2018 murder.
A side note to this story, though an important one, is that the primary purpose of Pegasus is to surreptitiously defeat the security of iPhones. The Pegasus Project reporting finds that Apple’s reputation for security is likely to take a serious blow as Pegasus is capable of penetrating even the most up-to-date iPhones on the most recent iOS version.
Pegasus spyware widely used by unaccountable actors for human rights abuses
There are few legal restrictions on the sale of tools like the Pegasus spyware. Israel-based NSO Group imposes some voluntary restrictions on its sale, blacklisting a number of countries known to experience government abuse of human rights. It says it has an approved whitelist of 40 countries, though it will not publicly name them. Its clients are only supposed to be vetted government agencies, using the software for the purposes of crime and terror investigations. The Pegasus Project leak reveals that this state of self-regulation is not serving its intended purpose.
The Pegasus spyware essentially grants unfettered access to a target’s phone once installed, and operates quietly in the background with no indications it is in use. An attacker can surreptitiously exfiltrate any file from the phone as well as activate the camera and microphone without alerting the user. They also have access to precise GPS location data.
Part of the issue seems to be a loose definition by NSO Group of what constitutes a “regime” that routinely violates human rights. The leaked data led to clients in 11 countries found to be using Pegasus spyware to violate the rights of journalists, activists and dissidents: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Togo, and the United Arab Emirates (UAE). While the political situation in most of these countries is more complicated than a clear-cut repressive dictatorship (such as a North Korea), all have shown troubling signs that government agencies cannot be trusted to respect human rights with a tool this powerful available to them. The Pegasus Project argues that NSO was well aware that these clients were abusing the software for political purposes and chose to do nothing about it.
The single most prominent example of the abuse of the Pegasus spyware is its use in the murder of Saudi journalist Jamal Khashoggi, killed in his own country’s embassy in Istanbul in late 2018. Khashoggi had been a prominent and vocal critic of the Crown Prince Mohammed bin Salman since he took power in mid-2017. The Pegasus leaks indicate that the Saudi government repeatedly attempted to install the spyware on the phone of Khashoggi’s son and his then-wife between September 2017 and April 2018, along with other family members. The Pegasus spyware was successfully installed on the phone of his fiancée, Hatice Cengiz, four days after he was killed in October 2018.
While that case is the most familiar example, it is far from the only one. The data leaks indicate that at least 180 journalists in 20 countries were targeted by Pegasus spyware from 2016 to present. Some high-profile examples include Mexican journalist Cecilio Pineda, whose phone was targeted weeks before he was killed in 2017, and 40 Indian journalists collectively working for nearly every major media outlet in the country as well as three members of the opposition party. Journalists from major international media outlets such as the New York Times and Reuters were also targeted, including Financial Times editor Roula Khalaf.
The data leak contains a list of about 50,000 phone numbers that were of interest to NSO client’s between 2016 and June 2021. The presence of a phone number on the list does not mean that an attempt at planting the Pegasus spyware was made, but forensic examination of a smaller sample of some of the numbers on the list revealed traces of Pegasus infection on over half of them (37 of 67). NSO has denied that the list of phone numbers represents intelligence targets. Pegasus Project research suggests that most of the numbers belong to people who have no known connection with criminal behavior. Mexico, Morocco and the UAE were the most prolific users of Pegasus services by far, each selecting over 10,000 numbers. However, the average target number per NSO customer is 112. For its part, NSO released a series of increasingly combative statements asserting that it had no insight into customer activities and would no longer be speaking to the media about the issue.
It is unclear what, if any, legal backlash NSO might face as a result of what has been learned from the data leak. But Ilia Kolochenko, Founder/CEO and Chief Architect of ImmuniWeb, believes that legal action may ultimately not do anything to change the state of affairs: “Attack attribution in the reported cases is highly complex and unreliable. First, some legitimate end-customers could have shared the cyber warfare with their foreign partners in exchange for valuable data, 0day exploits or sophisticated spyware – this is a widespread practice. Security teams in charge of such data and intelligence sharing are not necessarily experts in human rights protection and may negligently or unknowingly share the software with some grey or even black-listed jurisdictions. Moreover, individual security analysts, employed by the trusted countries, may occasionally break internal rules and unlawfully share the cyber-warfare with unauthorized third parties, as anti-insider security controls have low technical efficiency in such environments. Finally, the legitimate end-customers could have been hacked and compromised, eventually exposing access to the software to unauthorized threat actors. In any case, legal action against NSO is likely futile, and the media hype around the alleged incident – rather brings publicity to the NSO.”
Data leak indicates all iPhones can be compromised
The Pegasus spyware is particularly pernicious for two reasons. One is that it is a “zero click” method, something that does not require the target to interact with a link or file contained in a phishing email or message to install. The other issue is that it appears to be able to compromise iPhones, even the most recent models with the most recent iOS versions and security patches.
There is some evidence that iPhones are compromised via undocumented vulnerabilities in iMessage, the default messaging app that Apple pre-installs on every phone. Forensic analysis shows traces of Pegasus infection on new-model iOS phones running version 14.7 earlier this month. There is also some evidence that it can get into target phones via SMS, through some sort of unknown vulnerability in WhatsApp, and possibly via other undocumented vulnerabilities in messaging apps.
With more than a dozen media organizations doing coordinated reporting on the data leaks, including the Washington Post and the Guardian, there is likely to be public chatter about the security of Apple phones. It’s not that the Pegasus spyware doesn’t also compromise Android devices (it does, by similarly unclear means) but that Apple has a strong public reputation for security based largely on its staunch refusal to break its own encryption for law enforcement agencies. The penetration of Android phones is more unclear at this point as the OS does not log the information that forensic investigators use to track Pegasus, but a number of the Android phones in the sample were targeted with SMS messages consistent with the type seen in other attacks. Setu Kulkarni, Vice President, Strategy at NTT Application Security, sees the path forward for Apple as improved collaboration with governments rather than strengthening the walls of its independent garden: “For Apple and other manufactures, this is a moment of reckoning to get further entrenched with the governments to create more checks and balances while they make their platform more impenetrable for bad actors. For law makers, this is a moment of reckoning as well to create consequences for misuse of such utilities.”
While it appears that any iPhone can, at least in theory, be breached by Pegasus, the danger to the general public remains low given that a select collection of governments seem to be abusing it exclusively to track known dissidents. Should Pegasus escape containment to a wider world of threat actors, however, all bets would be off. The system does seem to have some built-in failsafes, however. NSO says that phone numbers with certain country codes, most notably that of the United States, are blocked from hacking. The data leak at least initially appears to confirm that, as a dozen US phones examined showed no signs of being compromised.
Apple has also issued a statement that it “unequivocally condemns cyberattacks against journalists (and) human rights activists” and said that it was “constantly adding new protections for (customer) devices and data.” But for now, the end user has little recourse against this spyware. Even encryption will not help much, as once a phone is compromised the attacker can simply capture the password once it is entered. The best hope is in NSO taking its own pledges to stop doing business with countries engaging in human rights abuses seriously. The data leaks do seem to have prompted at least some amount of change, as an internal company source speaking anonymously to the Washington Post said that the company terminated its relationships with Saudi Arabia and UAE in 2020 after rumors of the misuse of its spyware emerged. Paul Bischoff, privacy advocate for Comparitech, feels that this issue will not be resolved without a global ban on the sale of spyware for law enforcement and national security purposes: “NSO Group is in effect a weapons dealer, and there’s very few restrictions on to whom it can sell its weapons … Amnesty International and Citizen Lab have demonstrated a failure of export controls to regulate the sale of malware. We need to end the commercial market for malware by putting a moratorium on the sale of all hacking tools.”
iMessage appears to be the biggest source of security vulnerability for Apple. It’s installed on every phone, it lets anyone send an iPhone user a message without prior approval, and it has continually added new features over the years. Oliver Tavakoli, CTO at Vectra, expands on the problems this has caused: “It’s clear that the iOS iMessage service is a bit of a mess from a security perspective. Apple has added more and more functionality to it – and every piece of functionality comes with the potential for exploitable vulnerabilities. Also, the fact that iMessage does not distinguish how it handles inbound messages from known contacts vs perfect strangers opens phones up to exploitation from anywhere. Accepting and processing messages from anyone is the equivalent of running a network connected to the internet with no firewall.” If a zero-click iMessage vulnerability is available, it essentially makes the phone impossible to defend (though it is possible to deregister and turn off iMessage).
Though the situation is dire, Aaron Cockerill (Chief Strategy Officer at Lookout) offers some advice to cybersecurity and IT admins concerned about organizational compromise by Pegasus: “The number and variety of individuals targeted by Pegasus shows that advanced spyware and surveillanceware isn’t just the concern of governments. Security and IT teams need to be able to detect surveillanceware and device exploitation across all employee smartphones and tablets. If this malware is detected on a device, they should be able to block the device from accessing corporate resources until the issue is resolved. Protection against mobile phishing attacks is also a key part of securing the entire organization against surveillanceware campaigns. These attacks frequently start with a phishing attack that delivers the malicious payload to the device. Considering the number of apps iOS and Android devices have with messaging functionality, this could be done through SMS, email, social media, third-party messaging, gaming or dating apps. Implementing mobile phishing protection will secure both managed and BYOD devices from compromise before the connection can be made and the payload is executed.”