‘Pegasus Spyware’ — sounds familiar? Yes, it is the same spyware that was responsible for hacking WhatsApp earlier this May, although the spyware's developer, NSO (an Israeli cyber-firm), denied all the allegations. As remediation, WhatsApp released patch updates to fix the security issue, which arose from a bug in the audio call feature that the spyware leveraged.
The use of such spyware is in itself an ethical conundrum. Recall a similar incident from 2013: Edward Snowden, a whistleblower, disclosed what he knew about the hacking powers of the NSA, dragging that prime security agency into the limelight. He specifically mentioned that the agency had developed techniques for covertly taking over a mobile phone to use it as a tracking and recording device.
In contrast, government agencies like MI5 support the idea with new laws. For example: “The Investigatory Powers Act 2016 brings together and updates existing laws which grant MI5 and its partners, GCHQ, MI6 and the police, the powers they need in a digital age to disrupt terrorist attacks and damaging espionage.”
Tami Shachar (Co-president, NSO Group), during CBS's 60 Minutes, said, “To hone in on a target, for instance, authorities often infect the phones of innocent people around them, like family members. It’s been reported that Mexican authorities used Pegasus to capture drug-lord Joaquin Guzman, better known as El Chapo, by tapping the phones of a few people he talked to while he was on the lam.”
The WhatsApp story once again points out that nothing is secure. In other words,
“Security is a Myth”
According to a new report by The Financial Times, “NSO Group’s flagship smartphone malware, nicknamed Pegasus, has for years been used by spy agencies and governments to harvest data from targeted individuals’ smartphones. But it has now evolved to capture the much greater trove of information stored beyond the phone in the cloud, such as a full history of a target’s location data, archived messages or photos.”
These reports raise major concerns about the security of some of the biggest Silicon Valley giants, such as Facebook, Amazon, Microsoft, Google and more, which handle the private information of billions of users. The claims can’t be dismissed outright, given the various reports made public earlier about the use of Pegasus for hacking and spying on targeted users.
Citizen Lab’s investigation around Pegasus
Researchers at the University of Toronto’s Citizen Lab have been following Pegasus and conducted various scan drills between August 2016 and August 2018.
According to Citizen Lab — “Our findings paint a bleak picture of the human rights risks of NSO’s global proliferation. At least six countries with significant Pegasus operations have previously been linked to abusive use of spyware to target civil society, including Bahrain, Kazakhstan, Mexico, Morocco, Saudi Arabia, and the United Arab Emirates.”
Scary, isn’t it?
What makes it scarier is the ability to hack devices and extract data from the cloud – even if Pegasus is removed from the initially infected device, according to the FT.
The advanced Pegasus technology for hacking
Here is what the FT research team found about how the advanced Pegasus works:
Cloud is not secure anymore
Q-Cyber, NSO’s parent company, presented the spyware earlier this year to the government of Uganda, mentioning special abilities to “retrieve the keys that open cloud vaults” and “independently sync-and-extract data”. But the status of the deal with the government officials is still unclear.
The documents presented to the buyers boast of having access to a “cloud endpoint”, which facilitates access to “far and above smartphone content,” the FT reports.
There are no official statements from the tech giants about their servers being infected by Pegasus. All the companies named in the FT reports as potential targets are now investigating the claims at their end. An NSO spokesperson also told the FT that “We do not provide or market any type of hacking or mass-collection to any cloud applications, services or infrastructure.”
Pegasus can be defeated
Earlier this week, cybersecurity firm Check Point’s 2019 Cloud Security Report cited unauthorized cloud access and account hijacking as some of the major cloud vulnerabilities. This underscores the need for stronger authentication mechanisms to safeguard users against such attacks.
Spyware like this can be fought with a basic 2-step authentication process, which requires another trusted device of yours to authenticate access without any passwords.
With passwordless authentication gaining popularity in recent years, it’s possible more systems will incorporate such secure standards in the future.