PEGASUS SPYWARE: EXPLAINED

30th July, 2021

Introduction

  • At least 40 Indian journalists, along with members of Parliament, judges and others, were supposedly targeted by Pegasus.
  • Phones of seven of these persons, who agreed to allow forensic examination of their devices, were found to be infected.

 

What is Pegasus?

  • Pegasus is spyware developed by the Israeli firm NSO. It can be introduced surreptitiously into mobile devices, where it can collect all data and metadata on the infected device and monitor conversations, chats and browsing.

Note: Spyware is any malicious software designed to enter your device, gather your data, and forward it to a third party without your consent.

  • Pegasus is perhaps the most powerful spyware ever created. It is designed to infiltrate smartphones, both Android and iOS, and turn them into surveillance devices.
  • The Israeli company, however, markets it as a tool to track criminals and terrorists — for targeted spying and not mass surveillance.

Who can buy Pegasus?

  • NSO claims it will only sell the software to verified government agencies, with a contractual clause that the spyware can only be used in cases of suspected crime or terrorist activity.
  • In practice, the clause is unenforceable -- any buyer can then use it as they please.
  • However, it is possible for NSO to verify potential buyers and check whether they are official agencies, though it refuses to release its client list.
  • NSO claims it has 60 clients in 40 countries. NSO also says the spyware is mainly used by law enforcement and intelligence agencies as well as the military.

 

What's special about Pegasus?

  • It is very sophisticated spyware that can remotely infect a very wide range of devices without any action on the target's part.
  • Most mobile spyware is installed by getting hold of the physical device or via phishing.
  • For instance, a text message, WhatsApp message or e-mail with a malicious link is sent, and the target gets infected when he or she clicks on that link. Pegasus can be transmitted this way.
  • More importantly, Pegasus can infect mobiles by sending malicious WhatsApp messages, without any actions being necessary on the target's part.
  • NSO has, in fact, been sued by WhatsApp for exploiting this vulnerability.
  • Pegasus can also be introduced into the target's phone from a nearby base transceiver station (BTS). A BTS is standard equipment used by telecom service companies to route and re-route signals.

 

What can Pegasus do?

  • Once installed, the spyware takes a wide range of permissions, allowing it to monitor location and e-mails, grab contact lists, take screenshots, grab media, instant messages and SMS, access browser history, take control of the phone's microphone and cameras, etc.
  • Pegasus can also be deleted remotely. It is very hard to detect and, once deleted, leaves few traces.
  • It can also be used to plant messages, mails, etc., which is why there are theories it may have been used to plant fake evidence to implicate activists in the Bhima Koregaon case.

 

Figuring out if Pegasus is infecting the mobile

  • It is close to impossible to figure out if a phone has been infected with Pegasus. It doesn't cause slowdown or hanging.
  • It is slightly easier to detect Pegasus on an iPhone because iPhones keep more detailed logs of activity, and cybersecurity experts can see if data has been exchanged with suspicious websites.

Pros and cons of public surveillance

Pros

  • Increase Public Safety: Just like surveillance on our private property improves our home security, public surveillance increases public safety.
  • Reduce Crime Rate: It can keep an eye out for crimes as well as act as a deterrent.
  • Captures "precrime" data
  • Helps Catch Criminals: It helps authorities to track criminals down.
  • Encourages good behavior
  • Provide Evidence & Gather Clues
  • Acts as reassurance
  • Convenience

Cons

  • Easily Abused: Unfortunately, this technology can be easily abused. For example, information collected can potentially be used as a form of blackmail. Another example is voyeurism and stalking. To combat these issues, strict regulations on public surveillance must be put into place.
  • Reduces personal privacy
  • Reduces personal freedom
  • Freezes free speech
  • Creates a "Big Brother" society
  • Creates a "nanny state"
  • Brings into disrepute the role of government
  • Blurs moral and legal boundaries
  • Undermines the rule of law
  • Increases societal "paranoia"
  • Narrows choices through creation of algorithmic "echo chambers"
  • Increases supply side manipulation
  • Information asymmetry (supply side high, demand side low)
  • Doubts about Effectiveness
  • Expensive: The high maintenance and other costs of these systems are not justified by their limited results.