Can you really prevent a Pegasus like attack?

In 2006, I demonstrated to a group of forensic auditors and regulators how easy it was to remotely install spyware on their BlackBerry phones, listen to conversations and copy data remotely. With BlackBerry OS it was that simple in 2006. We would expect that today's secure phones prevent that level of ease of breach? Well, yes and no. The Pegasus episode has shown us how vulnerable our digital presence can be.

What has happened so far?

Multiple revelations by multiple news agencies have shown that Pegasus spyware has been found infecting hundreds of mobile phones across the world.

A leaked database of targeted mobile numbers was obtained by Forbidden Stories, a Paris-based organisation, and Amnesty International. It was also shared with several news agencies across the world, including The Wire. The Security Lab at Amnesty International provided the forensic analysis and technical support for the project.

What does it do?

In a nutshell, the Pegasus spyware, like any other malicious app on a phone, gains access to all "shared" data on a mobile phone. The definition of shared data varies substantially between iPhone and Android phones. On an iPhone, shared data means call records, SMS messages, location information, the media gallery etc. It does not include the data of other apps such as WhatsApp unless they are targeted specifically or the iPhone is jailbroken. Older versions of iOS combined with newer versions of Pegasus can do this; however, there will be only a few cases where users have not updated their iOS to the recent major version. On Android, the spyware gains access to the user data of most apps, in addition to the shared data described above.

How is Pegasus different?

This is the most important question, and there is a lot of confusion around it, primarily due to a lack of hands-on knowledge of how "zero-click" malware works.

Pegasus doesn't need you to click on a link or download malware. Most importantly, on an iPhone you cannot download or install an unauthorised app even if you want to, because of Apple's strict digital signing. You can only install an app that comes from the App Store or is digitally signed by your enterprise.

On an Android phone, you can install any APK package you want, but that requires intervention from the user.

Pegasus doesn't need any of that, which is what makes it so lethal. Just like any other "zero-click" malware, it exploits vulnerabilities in the operating system of the phone (say iOS or Android) or in an app such as WhatsApp, and executes code that makes the phone install a malicious app in the background. This app then implements a soft jailbreak of the iPhone and gains access to all shared and app data on the phone. The exploitation process can be initiated with a missed call or a text message, and potentially through a notification message. These approaches could target vulnerabilities in the phone OS or in an app such as WhatsApp.

What can businesses do?

Very little. It is difficult to ask users not to install unnecessary apps, it is difficult to hide phone numbers, and it is difficult to combat a weapon as lethal as Pegasus. But there is still something that can be done.

On Android, a firewall app that allows internet traffic only from whitelisted apps would work. Apple should implement something similar in the next iOS release. One can speculate that some of the vulnerabilities are deliberately kept open for specific reasons, or are hardware related and were leaked. However, keeping the OS updated to the latest version is always a good idea. It is still safer to use an iPhone, as Apple owns most components and software and does a better job at patching; but for a company like NSO, it is easier to concentrate all efforts on finding one elusive vulnerability in an Apple chip or iOS that could open up billions of phones worldwide than to hunt for vulnerabilities across hundreds of different Android makes and models.

iPhone users cannot, by default, block internet access (mobile data or WiFi) for individual apps, which Android users can. However, keep tabs on missed calls and messages (cellular or WhatsApp, Telegram, Signal etc.) and regularly go through the list of apps that have cellular data and WiFi access. Hopefully the new privacy features in iOS 15.1 can provide us with an enforced firewall. Till then, every company will have to create a custom process around its users based on roles and the apps in use. This requires a significant amount of awareness and training. Companies can also look at providing hardened mobile phones to executives and centrally monitoring (with employee permission) all unauthorised apps that get installed on a user's phone, just like an enterprise antivirus solution.
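One way to implement the central "unauthorised app" check described above, as an added example that is not part of the original post: a script that audits an Android phone's package list, as produced by `adb shell pm list packages -i`, against a hypothetical corporate allowlist, and flags anything that is not allowlisted or was not installed from the Play Store. The allowlist, the trusted-installer set and the sample `pm` output are constructed for illustration and are not from the post.

```python
"""Audit an Android package list against a corporate allowlist (constructed sample)."""
import re

# Output of `adb shell pm list packages -i` is assumed to look like
# "package:<name>  installer=<installer-package or null>".
_LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")

# Installer sources the company treats as trusted; everything else is flagged.
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play Store

# Hypothetical corporate allowlist of packages permitted on executive phones.
ALLOWLIST = {
    "com.android.chrome",
    "com.whatsapp",
    "org.thoughtcrime.securesms",
    "com.example.corp.mdm",  # hypothetical enterprise MDM agent
}

# Constructed sample of `pm list packages -i` output (not a real device dump).
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.whatsapp  installer=com.android.vending
package:org.thoughtcrime.securesms  installer=com.android.vending
package:com.example.corp.mdm  installer=com.example.corp.mdm.installer
package:com.example.unknown.tool  installer=null
package:com.example.game  installer=com.android.vending
"""


def parse_pm_output(text):
    """Return {package: installer} from `pm list packages -i` text; 'null' becomes None."""
    packages = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unexpected lines rather than abort the audit
        name, installer = m.groups()
        packages[name] = None if installer == "null" else installer
    return packages


def audit(packages, allowlist=ALLOWLIST, trusted=TRUSTED_INSTALLERS):
    """Flag packages not on the allowlist, or installed from outside a trusted store.

    Returns (package, reason) tuples sorted by package name, so successive reports
    can be diffed to spot apps that appeared since the last periodic check."""
    findings = []
    for name, installer in sorted(packages.items()):
        if name not in allowlist:
            findings.append((name, "not on allowlist"))
        if installer not in trusted:
            # installer=None means sideloaded or unknown (adb, browser download, no record)
            findings.append((name, f"installer {installer or 'unknown'} not trusted"))
    return findings


if __name__ == "__main__":
    for pkg, reason in audit(parse_pm_output(SAMPLE_PM_OUTPUT)):
        print(f"{pkg}: {reason}")
```

Run against a real device by piping `adb shell pm list packages -i` into `parse_pm_output` instead of the constructed sample; anything listed in the findings is what the central monitoring process should review.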

Standard Do's and Don'ts of not clicking on links etc. do not matter in this case.

This is the reason I have always been vocal about the need for a national-level firewall that can block such threats at the national level. No wonder Pegasus has not been that successful in the UAE.

These are my personal views and do not represent those of my organisation.

srinath mantripragada

Consulting and Training - Risk Advisory, specifically in the areas of ORM, BCM, ERM, Vendor risk, IS/CS/IT risk, FRM/AML, Compliance risk etc.

3 years

Always trusted you for skills in IT and forensics. Keep going Amit. All the best.
