Pegasus joins a list of ominously-named tools blurring the line between hacking and surveillance for ‘lawful intercept’ purposes, with other notable examples being from the likes of FinFisher and The Hacking Team.
There is much to write about Pegasus’ technical details, which I’ll leave to people smarter than me, but in a nutshell: the product exploits vulnerabilities then embeds itself to maintain persistent, remote access to a device under surveillance.
This involves maintaining the supporting infrastructure and automating targeted chains of attacks, which may employ novel or zero-day exploits, in contrast to the typical Internet background noise of opportunistic dodgy emails, port scans and web-application vulnerability scans.
Pegasus is neither new nor alone in a market for such products and services.
This line of business doesn’t fix bugs; it buys them and weaponises those vulnerabilities into usable exploits, producing ready-to-use tools operated by its customers. Enabling much of this is embargoed in-house and independent research, attracted by bounties offered under the premise of responsible disclosure, or even without any such pretence; offensive security is a growing area.
The saleable product begins with a list of steps-to-reproduce and/or a proof-of-concept (PoC). At the upper end, a zero-click, full-chain-persistence luxury hacking tool for Android goes for up to USD$2,500,000.
On the Internet, if something sounds too good to be true, it probably is. With that kind of money going around, questions may either come up, or be put well-aside.
In the case of a vulnerability market, one risk is that some purchasers may have more laissez-faire attitudes than others towards sales resulting in authoritarian or unethical use cases. Who is buying and where the money comes from is a question others may not even want to ask. And you’d be right to assume crypto-currency is involved at the less-reputable end of the market: those numbers can be eye-watering.
Reporting issues directly to the responsible manufacturers or vendors is the well-travelled and ethical route, and most are increasingly receptive to security concerns. Many participate in bug bounty programmes, and building a lab in the garage and simply having a go at hacking something in a clean, ‘off-net’ environment is a great way to contribute to security. Hacking should not be unethical or unprofitable. Nor should it be inaccessible, esoteric and stereotypical; there will always be low-tech bugs hiding in plain sight too. Motivating discovery and responsible disclosure is said to be one benefit of a vulnerability or zero-day market.
The NSO Group, however, provides nation-state-like capabilities, accessible only to the most well-resourced – and supposedly the well-intended. Few, if any, journalists could reasonably be expected to guard themselves against such attacks. Reportedly, not even the IT pro with an up-to-date iPhone is immune, and French prosecutors have begun an investigation due to President Macron allegedly being targeted. The Pegasus revelations suggest we may be overdue for more discussion about proliferation and regulation of such technology, or at least better answers to ‘who is buying zero day, and for what’. Since 2016 or earlier, the vulnerability market has been known to have its share of the good, the bad and the ugly.
Assuming devices are updated and security features are used, the general advice to be vigilant when communicating online is worth echoing, with WhatsApp being a reported attack vector. A nuance is that WhatsApp is not necessarily the problem here: exploitable flaws in core operating system (OS) components responsible for image rendering, which may be shared by all applications, would leave open the possibility for a maliciously-crafted image to similarly compromise a device via another messaging app. Tailored access, once limited to the acronymed agencies of the world, goes to such lengths and has long since become a commercial industry.
Basic security, like keeping software up-to-date and using all available security features, such as enabling two-factor authentication where possible, remains as important as ever. But zero-day attacks are, by definition, largely indefensible, and irresponsible use of tools like Pegasus creates real victims whose right to privacy was taken. Not to mention any diplomatic implications and the chilling effect on journalism this risks. Our empathy for the people affected should also not be last, dehumanised or delegitimised with notions of any unreal ‘cyber’ space.