
All About The Latest Pegasus Spyware Incident

by CISOCONNECT Bureau

A recent explosive report on military-grade Pegasus spyware disclosed that it was used by governments around the world to snoop on more than 50,000 people in 50 countries. Read on to know more…

A recent explosive report on military-grade Pegasus spyware from Israeli firm NSO disclosed that it was used by governments around the world to spy on more than 50,000 people in 50 countries. According to the Washington Post, clients of NSO Group targeted 189 journalists, more than 600 politicians and government officials, and more than 60 business executives.

While the list of phone numbers does not include names, it is said to contain hundreds of business executives, religious figures, academics, NGO employees, union officials, and government officials, with NSO Group clients discovered in at least 11 countries, including Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Togo, and the United Arab Emirates.

Investigation by Amnesty International
Amnesty International discovered the leaked database in collaboration with the “Pegasus Project”, a consortium of news organisations that have seen the leaked database. More than 80 journalists from 17 media organisations in 10 countries collaborated in the investigation, which was coordinated by Forbidden Stories, a Paris-based media non-profit, with technical assistance from Amnesty International.

Amnesty International has opposed NSO Group's claims that Pegasus is used to investigate crime and terrorism-related cases and leaves no traces.

The Security Lab of Amnesty International conducted an in-depth forensic investigation of many mobile phones belonging to human rights campaigners and journalists from around the world to discover that Pegasus’ surveillance violates not only user privacy but also human rights.

According to a forensic investigation by Amnesty International, analysis of 67 mobile devices concluded that the intrusions involved the ongoing use of so-called “zero-click” exploits, which do not require any interaction from the target, dating back to May 2018.

Amnesty International disclosed that the security breach is likely to have used numerous zero-days in iMessage to attack a fully patched iPhone 12 running iOS 14.6 in July 2021.

About Pegasus Spyware
Pegasus is spyware, developed by NSO Group, that infects iPhones and Android phones. Once secretly installed on a victim's mobile phone, it allows the attacker to harvest emails, SMS messages, media, calendars, calls, and contact information, as well as chat content from messaging apps like WhatsApp, Telegram and Signal, and to stealthily activate the phone's microphone and camera.

The cyber-surveillance weapon is often sold by the surveillance vendor to various governments all over the world for keeping tabs on various groups of people.

The cyber-surveillance tool is often installed either by exploiting previously unknown security vulnerabilities in common apps or by luring a potential target into opening a malicious link.

Working Mechanism
The first version of Pegasus spyware was discovered in 2016, and it used a technique known as “spear phishing” to gain access to phones. Pegasus spyware in 2021, on the other hand, is a significantly more evolved version of Pegasus in 2016, and it can now carry out what is known as a “zero-click” attack, which means it can infiltrate a mobile phone with almost no action from the target.

The Guardian publication reported that “more recently NSO has begun exploiting vulnerabilities in Apple’s iMessage software, giving it backdoor access to hundreds of millions of iPhones”. While WhatsApp has sued NSO in the US for hacking into the service, The Guardian reports that Apple “says it is continually updating its software to prevent such attacks”.

According to the Guardian, in addition to spear-phishing and zero-day attacks, Pegasus “can also be installed over a wireless transceiver located near a target”. As advertised in an NSO pamphlet, there’s the good old approach of manually installing spyware in a mobile phone if the attacker can get their hands on it.

Citizen Lab's Bill Marczak pointed out in a series of tweets, “All this indicates that NSO Group can break into the latest iPhones,”

“It also indicates that Apple has a MAJOR blinking red five-alarm-fire problem with iMessage security that their BlastDoor Framework (introduced in iOS 14 to make zero-click exploitation more difficult) ain’t solving.”

Mitigation
Pegasus can only be totally removed by discarding the mobile phone that has been infected, according to several cybersecurity analysts and specialists. According to Citizen Lab, factory resetting your smartphone will not be effective because it will not entirely remove the spyware.

Even once your device is no longer infected, the attackers can still access your online accounts. As a result, the only method to totally remove the Pegasus spyware is to discard the mobile phone and make sure that all of the apps you reinstall on your new phone are up to date.

To secure your online accounts, you should also change the passwords of all cloud-based apps and services that you used on the infected device.

Government Surveillance Programs
In order to check anti-terror operations, several governments all over the world have been trying hard to push backdoor access to encrypted systems. However, end-to-end encryption proponents and privacy advocates say that any backdoor will also be exploited by foreign adversaries, terrorists, and hackers.

Until now, the legal system has struggled to determine what norms must apply to digital goods. The traditional playbook on who owns what has been ripped up in the digital piazza. What will take its place is still being determined.

Earlier this month, Joe Biden, President of the United States, asked the Federal Trade Commission (FTC) to create new rules on surveillance by IT organisations and their accumulation of users' data via algorithms. It was the first time the Biden administration officially endorsed a high-level strategy to rein in large corporations' technical capabilities.

The Privacy Factor
Commenting on the recent incident of Pegasus spying, Timothy Summers, a former Cybersecurity Engineer at a U.S. Intelligence Agency and now Director of IT at Arizona State University, told The Washington Post, “This is nasty software like eloquently nasty,”

He added “With it one could spy on almost the entire world population. … There’s not anything wrong with building technologies that allows you to collect data; it’s necessary sometimes. But humanity is not in a place where we can have that much power just accessible to anybody,”

In response to big tech regulation and algorithmic manipulation, Dr. Shoshana Zuboff, author of ‘The Age of Surveillance Capitalism’ and Professor Emerita at Harvard Business School, said in a recent interview “We don’t yet have the bodies of laws that are purpose built for the harms that we face, beginning with the entire supply system of surveillance capitalism, the unilateral secret extraction of behavioural data from our lives,”

“This is something that began in secret, grew in secret, we never agreed to it, there is almost no law to contain it.

If you fundamentally described this process to any child you say hey, somebody took from me without asking, what should I do, and that child will say they stole something from you. You should call the police.”
