Spyware like Pegasus is dangerous not only because it gives hackers complete control over an infected phone, but also because it introduces the skills and knowledge of nation-states into the civilian sphere.
Pegasus, the winged horse of Greek mythology, is haunting the Narendra Modi-led Indian government once again. Seventeen media organizations including the Wire, the Washington Post and the Guardian have spent months examining a possible list of 50,000 phone numbers belonging to individuals from around 50 countries. This list was provided by the French journalism nonprofit Forbidden Stories and Amnesty International. These investigations by the media organizations helped zero in on possible targets of these cyberattacks. The mobile phones of 67 of the people who were on the target list were then forensically examined. The results revealed that 37 of the analyzed phones showed signs of being hacked by the Israeli firm NSO Group’s Pegasus spyware or signs of attempted penetration. Of the remaining 30, the results were inconclusive as either the owners had changed their phones or the phones were Androids, which do not log the kind of information that helps in detecting such penetration.
The possible targets not only include journalists and activists, but also government officials. This includes 14 heads of states and governments: three presidents (France’s Emmanuel Macron, Iraq’s Barham Salih and South Africa’s Cyril Ramaphosa), three sitting and seven former prime ministers, and a king (Morocco’s Mohammed VI). The three sitting prime ministers are Pakistan’s Imran Khan, Egypt’s Mostafa Madbouly and Morocco’s Saad-Eddine El Othmani. Among the seven former prime ministers are Lebanon’s Saad Hariri, France’s Édouard Philippe, Algeria’s Noureddine Bedoui and Belgium’s Charles Michel, according to the Washington Post.
Once the malware is installed on a target’s phone, the spyware not only provides full access to the device’s data but also controls the phone’s microphone and camera. Instead of a device for use by the owner, the phone becomes a device that can be used to spy on them, recording not only telephonic conversations but also in-person conversations, including images of the participants. The collected information and data are then transmitted back to those deploying Pegasus.
Successive information and technology ministers in India—Ravi Shankar Prasad and Ashwini Vaishnaw—have stated that “the government has not indulged in any ‘unauthorized interception’” in the country, according to the Wire. Both the ministers have chosen to duck the questions: Did the government buy NSO’s hacking software and authorize the targeting of Indian citizens? And can the use of Pegasus spyware to infect smartphones and alter its basic functions be considered as legal authorization under the Indian Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 for “interception, monitoring or decryption of any information through any computer resource”?
I am going to leave the legal issues for those who are better equipped to handle them. Instead, I am going to examine the new dangers that weaponizing malware by nation-states pose to the world. Pegasus is not the only example of such software; Snowden surveillance revelations showed us what the National Security Agency (NSA) of the United States and the Five Eyes governments do and shed light on their all-encompassing surveillance regime. These intelligence agencies and governments have hacked the digital infrastructure of other countries and snooped on their “secure” communications and even spied on their allies. Even German Chancellor Angela Merkel was not spared from NSA surveillance.
The key difference between nation-states and cybercriminals developing malware is that the nation-states possess far greater resources when it comes to developing such malware. Take the example of a group called the Shadow Brokers, who dumped a gigabyte of weaponized software exploits of the NSA on the net in 2017. Speaking about this, Matthew Hickey, a well-known security expert, told Ars Technica in 2017, “It is very significant as it effectively puts cyberweapons in the hands of anyone who downloads it.” Ransomware hit big time soon after, with WannaCry and NotPetya ransomware creating havoc by using the exploits in NSA’s toolkit.
Why am I recounting NSA’s malware tools while discussing Pegasus? Because Pegasus belongs to NSO, an Israeli company with very close ties to Unit 8200, the Israeli equivalent of the NSA. NSO, like many other Israeli commercial cyber-intelligence companies, is founded and run by ex-intelligence officers from Unit 8200. It is this element—introducing skills and knowledge of nation-states—into the civilian sphere that makes such spyware so dangerous.
NSO also appears to have played a role in improving Israel’s relations with two Gulf petro-monarchies, the United Arab Emirates (UAE) and Saudi Arabia. Israel, therefore, sees the sale of spyware to these countries as an extension of its foreign policy. Pegasus has been used extensively by the UAE and Saudi Arabia to target various domestic dissidents and even foreign critics. The most well-known example, of course, is Jamal Khashoggi, the Saudi dissident and the Washington Post’s columnist, who was killed in the Saudi consulate in Istanbul.
NSO’s market capitalization is reported to be in the range of $2 billion, making it perhaps one of the most expensive civilian cyber-intelligence companies. And its tools are frightening, as there does not seem to be any protection against them. Most of these tools are classified as cyberweapons and require the Israeli government’s approval for export, again showing the link between the Israeli state and NSO.
The other reason why Pegasus spyware is so dangerous is that it does not need any action on the part of the owner of a phone for the device to be hacked by the spyware. Most infections of devices take place when people click on a link sent to them through email/SMS, or when they go to a site and click on something there. Pegasus exploited a security problem with WhatsApp and was able to hack into a phone through just a missed call. Just a ring was enough for the Pegasus spyware to be installed on the phone. This has now been extended to using other vulnerabilities that exist within iMessage, WhatsApp, FaceTime, WeChat, Telegram, and various other apps that receive data from unknown sources. That means Pegasus can compromise a phone without the user having to click on a single link. These are called zero-click exploits in the cyber community.
Once installed, Pegasus can read the user’s messages, emails, and call logs; it can capture screenshots, log pressed keys, and collect browser history and contacts. It exfiltrates—meaning sends files—back to its server. Basically, it can spy on every aspect of a target’s life. Encrypting emails or using encryption services such as Signal won’t deter Pegasus, which can read what an infected phone’s user reads or capture what they type.
Many people use iPhones in the belief that they are safer. The sad truth is that the iPhone is as vulnerable to Pegasus attacks as Android phones, though in different ways. It is easier to find out if an iPhone is infected, as it logs what the phone is doing. As the Android systems do not maintain such logs, Pegasus can hide its traces better.
In an interview with the Guardian published on July 19, “after the first revelations from the Pegasus Project,” Snowden described for-profit malware developers as “an industry that should not exist… If you don’t do anything to stop the sale of this technology, it’s not just going to be 50,000 targets. It’s going to be 50 million targets, and it’s going to happen much more quickly than any of us expect.” He called for an immediate global ban on the international spyware trade.
Snowden’s answer of banning the sale of such spyware is not enough. We need instead to look at deweaponizing all of cyberspace, including spyware. The spate of recent cyberattacks—estimated to be tens of thousands a day—is a risk to the cyberinfrastructure of all countries on which all their institutions depend. After the leak of NSA and CIA cyberweapons, and now with NSO’s indiscriminate use of Pegasus, we should be asking whether nation-states can really be trusted to develop such weapons.
In 2017, Brad Smith, the president of Microsoft and no peacenik or leftist, wrote, “Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage.” It is this concern that certain leading companies within the industry—Microsoft, Deutsche Telekom and others—had raised in 2017, calling for a new digital Geneva Convention banning cyberweapons. Russia and China have also made similar demands in the past. It was rejected by the United States, who believed that it had a military advantage in cyberspace, which is something it should not squander.
Pegasus is one more reminder of the danger of nation-states developing cyberweapons. Though here, it is not a leak but deliberate use of a dangerous technology for private profit that poses a risk to journalists, activists, opposition parties and finally to democracy. It is a matter of time before the smartphones that we carry become attack vectors for attacks on the very cyberinfrastructure on which we all depend.
Prabir Purkayastha is the founding editor of Newsclick.in, a digital media platform. He is an activist for science and the free software movement.