Authored by: Kathryn McConaughy, Red Five Open Source Analyst
In late 2021 and early 2022, Pegasus spyware garnered a flurry of media attention, and it’s easy to see why. Developed by an Israeli security company, Pegasus is purported to be the most advanced commercial spyware to date and it has huge implications for democracy, business, and privacy. Could you be at risk for this invasive and nearly undetectable spyware? Here’s what you need to know, and what you can do to protect yourself:
What is Pegasus?
Pegasus is, to date, the most advanced commercially available spyware ever made. It allows the user to access the contents of the victim’s phone, including contacts, files, pictures, videos, messages, and calls, and it can switch the phone’s camera and microphone on and off without the victim’s knowledge. To top it off, Pegasus is virtually undetectable to the victim. While there are now ways to check if your phone has been infected, to the victim the phone will appear completely normal.
The program exploits “zero-days” (previously unknown vulnerabilities) in Apple’s iOS and Meta’s WhatsApp, and it likely exploits vulnerabilities in other common programs that have yet to be identified. Early versions were spread through phishing texts (text messages designed to lure the victim into clicking a malicious link), but current versions use “zero-click” access that requires no interaction with the phone’s owner whatsoever. This makes the spyware as difficult to defend against as it is to detect once it’s there.
Pegasus was developed by an Israeli security company called NSO Group for use against terrorist organizations and extremely dangerous criminals. Contrary to these claims, however, the program has been found on the phones of activists, journalists, business executives, and politicians, suggesting much wider proliferation than NSO Group has acknowledged. Pegasus was found on phones belonging to murdered journalist Jamal Khashoggi’s wife, a prominent Indian opposition leader, and more than 30 Thai activists. The spyware may even have prevented an Emirati princess from running away from home by remotely activating her phone and tracking its location.
NSO Group claimed it licenses Pegasus exclusively to national governments of countries with good human rights records; however, the company has not published a user list and does not monitor the activities of licensed users, which leaves room for doubt. Recognizing the dangerous potential of such advanced spyware, the US has added NSO Group to the Bureau of Industry and Security (BIS) Entity List, meaning that US companies are not allowed to do business with the firm. Perversely, this designation may have pushed NSO Group to sell the software to countries with much less sterling human rights records.
So far, there are no documented instances of Pegasus software being used against Americans. NSO Group claims to have made it impossible to use the spyware against a phone with a +1 country code; however, Americans with foreign country-coded numbers may still be at risk. Furthermore, The New York Times reported that the FBI purchased the software in 2019 and explored the possibility of hacking American phones, meaning that a version of the program that could be used against Americans may already exist.
Implications for Businesses:
To date, Pegasus has mostly been used against journalists, activists, and political dissidents, but there are a few instances in which business executives have been targeted with the software. Once a business executive’s phone is infected with spyware, it opens the door to multiple vulnerabilities:
- Industrial espionage: Pegasus software and programs like it make an ideal vehicle for industrial espionage. With access to an executive’s email correspondence, text messages, and files, a threat actor could easily gain access to intellectual property or restricted corporate information. In addition, Pegasus enables its users to turn on a phone’s microphone and camera, which could give them access to closed-door conversations that could easily be exploited by a competitor.
- Blackmail: By the same token, if a Pegasus user can gain access to sensitive corporate information, they can gain access to personal information as well. Pegasus could be used to track an executive’s location, making them vulnerable to physical attacks, or it could allow threat actors to lay hands on sensitive personal correspondence, photos, or other information that could be used for extortion.
- Cyberattacks: Once Pegasus has access to an executive’s phone, that phone can serve as a beachhead for a broader attack. The attacker might use the executive’s email to send a phishing email to other employees, or they might use their access to gain entry into the company’s wider network, opening the door to data destruction, disruption, or ransomware.
What can you do to protect yourself?
Unfortunately, the “zero-click” installation method, the undiscovered “zero-day” vulnerabilities it may be exploiting, and its virtual undetectability make Pegasus extremely difficult to defend against. Adopting security best practices, however, may lower your chances of falling victim to advanced spyware like Pegasus:
- Routinely install the latest updates for your phone’s operating system. New OS versions contain patches for zero-day vulnerabilities that have since been discovered, which makes it more difficult for malware to find its way into your system.
- Carefully review app permissions and ensure that apps are only granted the minimum level of access required for them to function. Whenever you get a pop-up message from an app asking for access to your microphone, camera, or files, ask yourself “is this really necessary for this app to function?” If something feels off, hit “deny.”
- Don’t click unknown links in text messages or emails. While modern versions of Pegasus utilize a “zero-click” installation method instead of phishing emails, you should still use caution when vetting links that you were not expecting to receive. They may be malicious.
- Be cautious about using public Wi-Fi. Threat actors can use unsecured networks to gain access to your device, so only connect to Wi-Fi networks you know you can trust.
- Enable two-factor authentication on all accounts that offer it, and always use strong, unique passwords. You’re probably sick of hearing this tip, but it is one of the most important things you can do to protect your personal information and accounts from unauthorized access.
- Don’t let your phone out of your physical control. Pegasus can be manually installed if a malicious actor can temporarily physically access your phone, so never let it out of your sight.
- Don’t bring smart or mobile devices into spaces where you hold sensitive personal or corporate conversations.
Mobile phones have become so integral to our daily lives that it can be difficult to conceive of them as a potential threat vector, but Pegasus is a stark reminder that devices can have vulnerabilities that can be exploited by malicious actors. Fortunately, much of this risk can be mitigated by following device security best practices, staying on top of risk trends, exercising good judgment, and being a smart device user.
If you believe your device has been compromised, or if you have concerns about your device or network security, contact Red Five for support. Red Five’s experienced team of security experts can assess the security of your network and devices, identify vulnerabilities, and work with you to address them.