
Pegasus: An advanced threat to private communications

Posted by James Donaldson on July 27, 2021

Who is NSO Group, What do they do?

NSO Group is an Israeli surveillance technology company. NSO Group’s technology is built with the stated mission of helping government agencies and law enforcement investigate and intercept terrorism and crime in countries around the world. As the cyber landscape changes and new technologies develop, it is becoming more difficult to monitor and track the activities of global threats.

With the goal of assisting licensed government agencies in targeting criminals, Israel’s NSO Group developed spyware known as Pegasus. Pegasus is designed to compromise the data security of iPhones and Android devices, gaining access to user messages, emails, photos and calls, and even to the microphone (to actively listen in on conversations). While all these features may provide protection in the face of crime and terrorism, the misuse of this tool threatens the integrity of its purpose and the privacy and security of personal information.

NSO Group Data Leak

In recent news, a list of over 50,000 phone numbers, assumed to be people of interest to NSO Group clients, was leaked. It is believed that the numbers on this list are prospective targets for surveillance using the Pegasus spyware. Targets on this list include Telegram’s Pavel Durov and the current President of France, Emmanuel Macron. While it is not clear how many of these numbers belong to devices that have been infected by this spyware, a number of smartphones that appeared on the leaked list were examined and did show signs of infection by Pegasus.

NSO Group claims that its products are “used exclusively by government intelligence and law enforcement agencies to fight crime and terror”, while also declaring that it does not operate the technology or have any access to its customers’ data. Combined with the confidentiality it maintains over its clients, this leaves unanswered questions as to who has access to this spyware and the motive behind its use.

Following this data leak, NSO Group and its lawyers released a statement denying these claims, declaring that the information on the list is openly available and has legitimate uses unrelated to surveillance using their technology. While NSO Group says it does not have access to its clients’ data, it maintains that the claims of misuse are inaccurate. The company has also stated that it continues to investigate these claims and is able to act by terminating client systems if need be.

While it is unclear whether this data leak is connected to unauthorized surveillance of the personal data of non-criminal individuals, the situation does bring attention to the capabilities of malware and surveillance tools. NSO Group operates as the ‘good guys’, aiming to develop and distribute this software safely, effectively and ethically to verified customers. As we begin to understand the capabilities of spyware like Pegasus in compromising the data privacy and security of our devices, it raises questions and concerns as to what other people or organizations have developed similar software with a more deceitful purpose.

Pegasus Attack Simulation

Amnesty International’s detailed report elaborates on how Pegasus is able to gain a foothold on a device. Pegasus, as a fully featured attack suite, uses a multitude of attack vectors to infiltrate a device. Known attack vectors, recorded from past incidents, include:

  • Sending attachments from unknown WhatsApp numbers
  • Sending links from known contacts
  • Watering-hole attacks on local networks
  • Utilizing zero-day vulnerabilities to exploit image and media rendering technology
  • And unfortunately, more.

Once the foothold is established on a device through the above means, Pegasus activates its malware processes to exfiltrate and spy on the data of the affected user.

Is secure Android enough to fully protect from Pegasus-style attacks?

Copperhead is often asked whether CopperheadOS is protected against attacks such as Pegasus, or whether users of customized operating systems are less likely to fall victim to such attacks. While we can’t say for absolute certain that CopperheadOS is immune to Pegasus-style attacks, it is plausible that by providing a security-enhanced alternative there is less chance of NSO Group targeting or compromising CopperheadOS users. Outside of the technology itself, economics and monoculture hold the answer to why this may be true.

Monoculture and the economics of zero-days

By breaking the mold of monoculture, Copperhead is placed outside the pool of popular devices to attack. This in turn increases the amount of resources NSO Group would need to burn in hopes of being able to target CopperheadOS users. Finding a vulnerability in an iPhone to exploit has broad return value. Looking for a vulnerability in CopperheadOS on Google Pixels, not so much. This is demonstrable with a simple scenario.

Let’s say NSO or its software clients are contracted to hack 10 government officials and 9 of them use iPhones. NSO would then spend considerable resources to find multiple 0-days and build an exploit chain that gives its clients a path to hacking iPhones. The resources spent to hack the first of those officials pay off again with the other 8. A sound investment! But what if one of those government officials uses a secure Android such as CopperheadOS? This complicates the situation for the attacker.

When compared to stock Android, or even Android on Google Pixels, CopperheadOS is an alternative that requires additional resources to target. For the NSO client to hack that last government official, they would have to spend resources on finding vulnerabilities in the latest patched Android, work their way through CopperheadOS’s numerous privacy and security enhancements, and finally defeat the hardware security of the Pixel device (which is backed by a $1.5M bug bounty). Far less of a sound investment for the NSO client.
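The scenario above is an amortization argument: an exploit chain is a fixed cost that pays off once per target it can reach. The following is an added illustration, not code from the original post, that turns that argument into a small model and generalizes it to any mix of platforms. The platform names and the cost figures are constructed relative units chosen for the illustration, not real prices or any figure from NSO Group or Copperhead.

```python
from collections import Counter

# Hypothetical, relative cost units (constructed for this example, not real
# prices): what it costs an attacker to research a working exploit chain
# against each platform. The hardened platform costs more because the
# attacker must get through the latest patches, the OS hardening and the
# device's hardware security.
CHAIN_COST = {
    "iphone": 100,
    "android_stock": 100,
    "copperheados_pixel": 160,
}


def campaign_cost(targets, chain_cost=CHAIN_COST):
    """Total spend for a campaign: one exploit chain per distinct platform
    present among the targets, regardless of how many targets share it."""
    return sum(chain_cost[platform] for platform in set(targets))


def cost_per_compromise(targets, chain_cost=CHAIN_COST):
    """Amortized cost per compromised target, by platform: the chain cost
    divided by the number of targets that chain reaches."""
    counts = Counter(targets)
    return {platform: chain_cost[platform] / n for platform, n in counts.items()}


def marginal_cost(targets, new_platform, chain_cost=CHAIN_COST):
    """Extra spend needed to add one more target on new_platform to an
    existing campaign. Zero if a chain for that platform is already paid for."""
    before = campaign_cost(targets, chain_cost)
    after = campaign_cost(list(targets) + [new_platform], chain_cost)
    return after - before


if __name__ == "__main__":
    # The post's scenario: 10 officials, 9 on iPhone, 1 on CopperheadOS.
    officials = ["iphone"] * 9 + ["copperheados_pixel"]
    print("total campaign cost:", campaign_cost(officials))
    for platform, cost in cost_per_compromise(officials).items():
        print(f"amortized cost per compromise on {platform}: {cost:.1f}")
    # The tenth official is where the attacker's money goes.
    print("marginal cost of the 10th official on iPhone:",
          marginal_cost(["iphone"] * 9, "iphone"))
    print("marginal cost of the 10th official on CopperheadOS:",
          marginal_cost(["iphone"] * 9, "copperheados_pixel"))
```

The point the model makes is independent of the exact numbers: the ninth iPhone target is free once the chain exists, whereas the single CopperheadOS target costs a whole additional chain, so the per-compromise price of the odd platform out is an order of magnitude higher even before its hardening is taken into account.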

Increasing the cost of attacking our customers is the motto of CopperheadOS. By making our customers far too expensive to target, we would rather attackers focus their efforts elsewhere and leave our customers alone.

Ways to Protect my Device from Spyware

  • Avoid opening emails from unknown sources
  • Scan your device using forensic investigative tools
  • Ensure your mobile solution receives rapid updates
  • Do not download unknown files
  • Do not download applications unless from a credible source
  • Be cautious about clicking links from unknown email/SMS sources
  • Consider cycling your phone number every year or two
  • Use Airplane mode to limit SMS attacks
  • Implement a mobile security solution