Globally, state actors have the ability to breach smartphones, even those that are updated with the latest security fixes and follow the best security practices, thanks to the Pegasus Spyware.
The Israeli firm, NSO Group, developed Pegasus spyware to sell on a subscription basis to law enforcement and intelligence agencies globally. This spyware can crack the encrypted communications of iPhones and Android smartphones, allowing authorities to remotely record audio and video, spy on text messages and phone calls, and download the entire contents of phone storage.
While it has been used for good, such as taking down serious criminals, Pegasus spyware has also been used against journalists and political dissidents. The FBI has even used Pegasus spyware on American citizens, particularly with the newest version, Phantom, which we’ll touch on below.
Now let’s shine a spotlight on Pegasus, to see just how great of a threat this tool is to smartphone security.
Table of Contents
Governments Hacking Smartphones
Capabilities of Pegasus
Pegasus is a powerful tool that can hack into phones even when users have the latest security updates installed and are following security best practices. The software is designed to exploit zero-day vulnerabilities unknown to the public, making it difficult for phone manufacturers to patch them before a hack.
The new version of Pegasus, called Phantom, can hack American phones without the victim even taking any action. It doesn’t require users to click on malicious links or open any executable files downloaded as attachments from emails.
Misuse of Pegasus
While Pegasus has certainly been used for good purposes, it has also been misused by unethical governments to spy on any opposition. In a perfect example of both, the Mexican government, as recently as 2021, used the software to track cartel members, but then also used Pegasus against journalists and human rights activists (even after pledging to no longer use the software, period).
Even worse, the Saudi government allegedly used it to spy on Jamal Khashoggi’s communications, the journalist who, in 2018, was killed and dismembered in Istanbul by a Saudi hit squad.
Marketing Pegasus
NSO Group sells Pegasus to any government or law enforcement agency willing to pay the millions of dollars subscription fee, regardless of intended use for the software.
The United States government has expressed concerns about the sale of such sensitive cyber intrusion tools to dictatorships, calling for clear rules to ensure that the companies only do business with governments in rule of law states.
Indeed, the recent revelations regarding misuse of Pegasus have only reinforced conviction that the hacking-for-hire industry needs some form of regulation, which we’ll touch on more at the end of this article.
Phantom Version of Pegasus
Hacking American Phones
Previous versions of Pegasus required the victim to click on a link or take some other action in order to be hacked. The vulnerabilities that Phantom exploits are top secret, and thus likely won’t be patched anytime soon by an iOS update or a new version of Android.
The FBI has discussed using this software with other Alphabet agencies like the DEA and Secret Service as well.
More on the No-Click Vulnerability
As I mentioned previously, Phantom doesn’t require the victim to click on any malicious links or open up an executable file to trigger. If the phone is vulnerable to whatever vulnerability Phantom takes advantage of, then it can be hacked.
The Facetime exploit that was discovered and fixed in previous versions of Pegasus required the victim to simply receive a call on facetime, and then the exploit was used to hack their iPhone. Now, with literally no action can be taken, and a phone may still be compromised.
Keeping Vulnerabilities Secret
Although security researchers who discover vulnerabilities in software can report them to companies like Google, Amazon, or Apple, those reports are often suppressed when the NSO Group purchases them first.
NSO works diligently to keep their top secret vulnerabilities top secret, plus, the company likely has several more security vulnerabilities up its sleeve to be used by Pegasus and Phantom as soon as a current vulnerability is discovered and patched.
NSO Group’s Research
Exploits and Bugs
NSO Group’s spyware, Pegasus, is able to hack into iPhones and Android smartphones by exploiting unknown vulnerabilities in the operating systems. The group’s research involves testing applications and operating systems used by the general public to find and exploit these vulnerabilities.
The Pegasus software is able to scan for multiple vulnerabilities on a phone and take advantage of whichever one is most readily available.
NSO Group’s Disclosure Policy
The NSO Group does not disclose the vulnerabilities it finds to the public or the companies owning the vulnerable applications.
Comparison with Black Hat Hackers
The NSO Group’s research and use of exploits and bugs is similar to that of black hat hackers. The key difference, however, is that when black hat hackers exploit a vulnerability, government agencies typically get involved and help the company patch the issue.
In stark contrast, the NSO Group does not disclose the vulnerabilities it finds and instead uses them for surveillance purposes, which aligns them pretty closely with black hat hackers.
US Government’s Response
Regulating the Hacking-for-Hire Industry
The US government has recently expressed concerns over misuse of spyware by governments around the world. Representatives issued a statement calling for the regulation of the hacking for hire industry. They believe that private companies should not be selling sophisticated cyber intrusion tools on the open market, and that any companies who do sell such tools to dictatorships should be sanctioned, and if necessary, shut down.
Concerns about Misuse of Spyware
The government is particularly concerned about the misuse of spyware by governments against journalists and political dissidents. While the software has been used for good purposes, such as taking down criminal syndicates, it’s certainly not inherently good – it can easily be used for nefarious purposes as well.
The US government also emphasizes that private companies contracting with the Pentagon to develop sensitive technologies should not be allowed to sell that same technology on the open market, particularly to governments that might use it against the US.
Hopeful for Rules on Selling Cyber Intrusion Technology
Overall, the US government is taking a strong stance against the hacking-for-hire industry and the misuse of spyware by governments around the world. They believe clear rules must be established to ensure these companies only do business with governments in rule of law states.
Such beliefs mean little, however, until the actions the US government is calling for actually come to fruition. Companies selling cyber intrusion technology need to truly be held accountable for their actions, and without any consequences for those misusing the technology, little will change when it comes to hacking-for-hire.
- Amazon Email Phishing: How to Identify and Avoid Scams - October 13, 2024
- Malwarebytes vs McAfee: Decoding the Ultimate Antivirus Battle - October 13, 2024
- Best Antivirus for Windows 10: Expert Recommendations for 2023 - October 13, 2024