What is Pegasus ?

 In November 2019, a tech reporter from New York City photographed an interception device displayed at Milipol, a trade show on homeland security in Paris. The exhibitor, NSO Group, placed the hardware at the back of a van, perhaps suggesting convenience of portability, and said it would not work on US phone numbers, possibly due to a self-imposed restriction by the firm.

Since the Israeli cyber giant was founded in 2010, that was probably the first time an NSO-made portable Base Transceiver Station (BTS) was featured in a media report.

A BTS — or ‘rogue cell tower’ or ‘IMSI Catcher’ or ‘stingray’ — impersonates legitimate cellular towers and forces mobile phones within a radius to connect to it, so that the intercepted traffic can be manipulated by an attacker. The BTS photographed in 2019 was composed of horizontally-stacked cards, likely to allow interception over multiple frequency bands.

The other option is to leverage access to the target’s mobile operator itself. In that scenario, an attacker would not need any rogue cell tower but would rely on the regular network infrastructure for manipulation.

Either way, the capability of launching ‘network injection’ attacks — performed remotely without the target’s engagement (hence, also called zero-click) or knowledge —gave Pegasus, NSO Group’s flagship product, an unique edge over its competitors in the global spyware market.

Pegasus is now at the centre of a global collaborative investigative project that has found that the spyware was used to target, among others, hundreds of mobile phones in India

How is Pegasus different from other spyware?

Pegasus aka Q Suite, marketed by the NSO Group aka Q Cyber Technologies as “a world-leading cyber intelligence solution that enables law enforcement and intelligence agencies to remotely and covertly extract” data “from virtually any mobile devices”, was developed by veterans of Israeli intelligence agencies.

Until early 2018, NSO Group clients primarily relied on SMS and WhatsApp messages to trick targets into opening a malicious link, which would lead to infection of their mobile devices. A Pegasus brochure described this as Enhanced Social Engineering Message (ESEM). When a malicious link packaged as ESEM is clicked, the phone is directed to a server that checks the operating system and delivers the suitable remote exploit.

In its October 2019 report, Amnesty International first documented use of ‘network injections’ which enabled attackers to install the spyware “without requiring any interaction by the target”. Pegasus can achieve such zero-click installations in various ways. One over-the-air (OTA) option is to send a push message covertly that makes the target device load the spyware, with the target unaware of the installation over which she anyway has no control.

This, a Pegasus brochure brags, is “NSO uniqueness, which significantly differentiates the Pegasus solution” from any other spyware available in the market.

What kind of devices are vulnerable?

All devices, practically. iPhones have been widely targeted with Pegasus through Apple’s default iMessage app and the Push Notification Service (APNs) protocol upon which it is based. The spyware can impersonate an application downloaded to an iPhone and transmit itself as push notifications via Apple’s servers.

In August 2016, the Citizen Lab, an interdisciplinary laboratory based at the University of Toronto, reported the existence of Pegasus to cyber security firm Lookout, and the two flagged the threat to Apple. In April 2017, Lookout and Google released details on an Android version of Pegasus.

In October 2019, WhatsApp blamed the NSO Group for exploiting a vulnerability in its video-calling feature. “A user would receive what appeared to be a video call, but this was not a normal call. After the phone rang, the attacker secretly transmitted malicious code in an effort to infect the victim’s phone with spyware. The person did not even have to answer the call,” WhatsApp chief Will Cathcart said.

In December 2020, a Citizen Lab report flagged how government operatives used Pegasus to hack 37 phones belonging to journalists, producers, anchors, and executives at Al Jazeera and London-based Al Araby TV during July-August 2020, exploiting a zero-day (a vulnerability unknown to developers) against at least iOS 13.5.1 that could hack Apple’s then-latest iPhone 11. While the attack did not work against iOS 14 and above, the report said the infections it observed were probably a minuscule fraction of the total attacks, given the global spread of the NSO Group’s customer base and the apparent vulnerability of almost all iPhone devices prior to the iOS 14 update.

All rights reserved to The Indian Express