Chiang Mai Computer Club

Pegasus Spyware


Post by bdahm Thu Jul 22, 2021 3:34 pm

There’s a real nasty piece of spyware named Pegasus produced by an Israeli company called the NSO Group. It’s sold to governments ostensibly to spy on criminals and terrorists, but has been employed by some of those governments to spy on journalists, political activists, and politicians not deemed friendly to the State.


The first link is a Washington Post story about Pegasus and its hacking of iPhones. This spyware can also hack Android smartphones.


https://www.washingtonpost.com/technology/2021/07/19/apple-iphone-nso/


The second link is a YouTube video from Rene Ritchie who does an excellent job explaining what's going on.


https://youtu.be/XPBHukiVSTU


The third link is from Cult of Mac and delves more deeply into just how Pegasus infects smartphones.


https://www.cultofmac.com/748037/pegasus-spyware-faq/


Finally, Steve Gibson, the security guru. Here, from his Security Now podcast show notes, are his comments.

Pegasus 


The Israeli “NSO Group” produces and sells cyber-surveillance spyware known as “Pegasus.” After being surreptitiously installed onto targeted iPhones and Android devices, it enables Pegasus' user to capture eMails, SMS messages, media, calendars, calls, contact information, and messaging chat content from messaging apps like WhatsApp, Telegram and Signal. And as if that wasn't enough, it's also able to stealthily activate the phone's microphone and camera.
 
Just as a separate issue, Pegasus provides a classic example of the fact that it doesn't matter how good one's crypto is if it's possible to simply capture the plaintext at either end of the encrypted tunnel. Note that even users of Apple's iPhone, with its much heralded privacy protections and encrypted enclaves, fell victim to this pre-encryption and post-decryption shim. But back to Pegasus...
 
A data leak of more than 50,000 phone numbers catalyzed a collaborative investigation by more than 80 journalists from a consortium of 17 media organizations in 10 countries. The investigation was coordinated by “Forbidden Stories”, a Paris-based media non-profit, and technical assistance was made available by Amnesty International. 


This investigation uncovered that Pegasus was being used, not only for the surveillance of high-value targeted possible terrorists, but (sadly, hardly surprising) heads of state, activists, journalists, and lawyers around the world. 


In response to the discovery of the extent to which the Pegasus spyware was being abused, Amnesty International's Secretary-General was quoted, saying: “The Pegasus Project lays bare how NSO's spyware is a weapon of choice for repressive governments seeking to silence journalists, attack activists and crush dissent, placing countless lives in peril. These revelations blow apart any claims by NSO that such attacks are rare and due to rogue use of their technology. While the company claims its spyware is only used for legitimate criminal and terror investigations, it's clear its technology facilitates systemic abuse. They paint a picture of legitimacy, while profiting from widespread human rights violations.” 


Pegasus is sold by the NSO Group to governments worldwide. It worms its way into its unwitting target's devices either exploiting currently unknown security vulnerabilities in common apps or by getting a potential target to click a malicious link. The NSO Group describes itself as “the world leader in precision cyber intelligence solutions for the sole use of vetted-and-approved, state-administered intelligence and law enforcement agencies solely for use in criminal and anti-terrorist investigations.”
 
Whoa! Hold on! Wait a minute!! Isn't that EXACTLY the group of entities and EXACTLY their stated purpose behind their often expressed need for having a “responsible use” backdoor added to the world's current mathematically secure encryption?? Yeah, right... like we're going to trust this group of bureaucratic ne'er-do-wells with a key to anyone’s backdoor! 


Security Now! #828
The list of “infected” phone numbers, which did not include their owners' names, contains hundreds of business executives, religious figures, academics, NGO employees, union officials, and government officials operating in at least 11 countries, including Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Togo, and the U.A.E. 


The timeline of the intrusions is spread over a 7-year period from 2014 up to as recently as today and the research has, so far, managed to identify 180 journalists and more than 600 politicians and government officials, despite their respective countries' adamant denials of having used Pegasus to hack the phones of the individuals named in the list.


Not surprisingly, the NSO Group flatly and loudly disputed all of the evidence and allegations. They stated that the investigation is “full of wrong assumptions and uncorroborated theories that raise serious doubts about the reliability and interests of the sources,” while stressing that it's on a “life-saving mission” to “break up pedophilia rings [that’s right, march out the children], sex and drug-trafficking rings, locate missing and kidnapped children, locate survivors trapped under collapsed buildings [what?!], and protect airspace against disruptive penetration by dangerous drones.” I read that through a couple of times, and the only sense I can make of it is that some other of the NSO Group’s products might be used for things like locating survivors trapped under collapsed buildings and ridding the airspace of illegal drone flyovers. I suspect that they may have been attempting to point to some good things their technologies can and have been used for.
 
And speaking of technologies and the Pegasus product... a forensic analysis of 67 mobile devices showed the intrusions involved the ongoing use of multiple “zero-click” exploits which do not rely upon any interaction from the device's user. And those both worked seven years ago and they still work today. In one instance which was highlighted by Amnesty International, multiple 0-days were leveraged in iMessage to successfully penetrate a fully patched iPhone 12 running iOS 14.6 this month. 


In a series of tweets, Citizen Lab's Bill Marczak said: “All this indicates that NSO Group can break into the latest iPhones. It also indicates that Apple has a MAJOR blinking red five-alarm-fire problem with iMessage security that their BlastDoor Framework, which was introduced in iOS 14 to make 0-click exploitation more difficult, is not successfully preventing.” 


The Washington Post said in their in-depth report that of the tested smartphones, 23 devices had been successfully infected with Pegasus, and 15 exhibited signs of attempted penetration.
 
We've seen other, similar, smaller anecdotal examples of this sort of abuse. I really hope that this exposé might help to strongly demonstrate why we as an industry must always be working as hard as we can to create the most absolutely secure devices possible, and that any deliberate weakening below the best we can possibly do would be foolhardy in the extreme.
 
For anyone wanting more details, the Amnesty International report is amazing and damning. It contains IP addresses, port numbers, the URLs of servers, the names of background Pegasus processes and more. The link is in the show notes:
 
https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/ 

bdahm
Admin