US Government Issues Warning on “Spyware for Hire” Commercial Surveillance Tools

While NSO Group’s Pegasus spyware has been known to the general public for several years, it made waves in 2021 when it was found to be able to compromise modern iPhones with a “zero click” attack delivered via iMessage. The fallout from that incident has prompted the Biden administration to issue a warning to the general public about commercial surveillance tools, offering advice for self-protection to journalists and dissidents that are likely to be targeted.

Spyware warning directed to potential targets of authoritarian governments

The spyware warning, issued by the National Counterintelligence and Security Center, did not name any specific surveillance tools (in spite of the Biden administration’s previous blacklist actions against NSO Group and several other similar services). But it does specify that the tools are being sold to foreign governments and other entities that have used them to track the movements and communications of dissidents and journalists, and that mobile devices can be infected without the target having to take any action.

The notice also warns about the extensive capabilities that have been seen with the Pegasus spyware: the ability to access and exfiltrate “virtually all content” from a device, and to surreptitiously record audio. Among other things, the notice advises that device cameras be covered up and that geo-location be disabled.

Biden administration continues actions against surveillance tools

The Pegasus spyware has been known to exist for nearly a decade now, but previous iterations required targets to click on a phishing link in a text message or email for the device to be compromised. The ability of Pegasus to compromise even new and supposedly secure iPhones upon receipt of a tainted iMessage seems to have been the prompt for the Biden administration to get serious about cracking down on surveillance tools.

Nasser Fattah, North America Steering Committee Chair for Shared Assessments, elaborates on exactly what the most advanced of these surveillance tools is capable of once it takes hold on a device: “Pegasus is spyware on steroids where it is designed to be extremely stealthy and persistent on compromised smartphones. Once a phone is compromised, it takes advantage of all its capabilities, including voice, camera, and text, to conduct 24-hour surveillance of the user — and yes, unbeknownst to the user. It is seen as a targeted attack because it focuses on key individuals, like government officials and journalists. Pegasus looks for 0-day flaws in smartphones to exploit and infect them and does not leave much of a trace. Pegasus is a double-edged sword where it is supposedly designed to learn more about criminal and terrorist activities but can just as easily be used to do the same with government officials, journalists, and activists.”

Pegasus had previously been used by authoritarian governments to spy on dissidents and activists, and sometimes even abused for personal reasons. But there were no major cases involving international espionage between nation-states, or at least none involving United States officials, until December of last year. Pegasus was found on the phones of 11 US embassy employees working in Africa, the first time the spyware had been used against US officials. The phones reportedly did not contain classified information, but it remains unclear as to who planted it and why.

While the Israeli government is not known to be directly involved with domestic companies that sell surveillance tools, NSO Group is run by former Mossad and Israeli military intelligence operatives and the government must give its approval for the Pegasus spyware to be sold to foreign governments. The company was blacklisted from doing business with US firms due to knowingly supplying authoritarian governments with the tool for reasons other than legitimate law enforcement purposes, but there are now questions about how directly involved NSO Group staff was after an Apple lawsuit against the company accused it of registering numerous fake accounts to facilitate spying for clients.

Apple patched the iMessage exploit that these surveillance tools were making use of back in September, but Pegasus has been known to cycle through new zero-day vulnerabilities throughout its lifespan and there is always the possibility it will come back with a new way to exploit iPhones. The Pegasus spyware can infect Android phones as well, and provides similarly broad capabilities when it does, but its path to infection is not quite as easy as it was with Apple phones prior to September. The Android version does not have a zero-click method; it uses a documented technique called Framaroot that relies on the target to click at least once (and possibly multiple times to grant the necessary permissions), and that has a fairly high rate of failure on newer and updated Android devices.

The risk to the average US citizen from surveillance tools such as these is low; while NSO Group and similar commercial spyware firms are not necessarily discriminating in which governments they sell their wares to, they do sell exclusively to government agencies. The average person is unlikely to be targeted with Pegasus unless there is a specific reason for a government to be interested in them. Nevertheless, the “zero click” capability serves as a reminder that supposedly “secure” devices could be completely compromised without the end user being at all aware of it.

In addition to the more advanced and extreme suggestions, the National Counterintelligence and Security Center suggests that phones be rebooted or reset periodically to help defeat malware and that operating systems and apps be updated to the most recent versions as soon as possible.