{"id":10833,"date":"2021-07-20T06:10:02","date_gmt":"2021-07-20T11:10:02","guid":{"rendered":"http:\/\/esterlund.com\/blog\/?p=10833"},"modified":"2021-07-20T06:12:09","modified_gmt":"2021-07-20T11:12:09","slug":"ep-1565-what-is-pegasus-the-dan-bongino-show","status":"publish","type":"post","link":"https:\/\/esterlund.com\/blog\/ep-1565-what-is-pegasus-the-dan-bongino-show\/","title":{"rendered":"Ep. 1565 What is Pegasus? &#8211; The Dan Bongino Show"},"content":{"rendered":"<p><a href=\"https:\/\/rumble.com\/vk1uag-ep.-1565-what-is-pegasus-the-dan-bongino-show.html\"><img decoding=\"async\" src=\"https:\/\/i.guim.co.uk\/img\/media\/614031dd9f942c6413608298367a855902fb3fc8\/0_0_5000_3000\/master\/5000.jpg?width=465&amp;quality=45&amp;auto=format&amp;fit=max&amp;dpr=2&amp;s=34eaa0940b54367b0cdc2063f4057032\" alt=\"Pegasus can infect a phone through \u2018zero-click\u2019 attacks, which do not require any interaction from the phone\u2019s owner to succeed.\" \/><\/a><\/p>\n<p>Source: <em><a href=\"https:\/\/rumble.com\/vk1uag-ep.-1565-what-is-pegasus-the-dan-bongino-show.html\">Ep. 1565 What is Pegasus? &#8211; The Dan Bongino Show<\/a><\/em><\/p>\n<p>What is Pegasus? This is the biggest story of the day. 
In this episode, I discuss the troubling revelations about this new surveillance tool.<\/p>\n<h4 class=\"dcr-75j6l9\" style=\"text-align: center;\"><a href=\"https:\/\/www.theguardian.com\/news\/2021\/jul\/18\/what-is-pegasus-spyware-and-how-does-it-hack-phones\">What is Pegasus spyware and how does it hack phones?<\/a><\/h4>\n<div class=\"dcr-pn0kqp\">\n<div class=\"dcr-bjn8wh\">\n<div class=\"dcr-16n5mgq\">\n<figure id=\"830ebc04-26e0-4ed6-b1da-8702edb5e66e\" class=\"dcr-13udsys\"><figcaption class=\"dcr-1272jzk\"><span class=\"dcr-mlk25k\">Pegasus can infect a phone through \u2018zero-click\u2019 attacks, which do not require any interaction from the phone\u2019s owner to succeed.<\/span>\u00a0Composite: AFP via Getty<\/figcaption><\/figure>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"dcr-zjgnrw\">\n<div class=\"dcr-1vpoq3l\" data-print-layout=\"hide\">\n<p>NSO Group software can record your calls, copy your messages and secretly film you<\/p>\n<\/div>\n<\/div>\n<div class=\"dcr-1aul2ye\">\n<div class=\"dcr-krkkhw\">\n<div class=\"dcr-ss9mnu\">\n<div class=\"dcr-1eucl2a\">\n<div class=\"dcr-fj5ypv\">\n<address aria-label=\"Contributor info\" data-component=\"meta-byline\" data-link-name=\"byline\">\n<div class=\"dcr-ae1ir5\"><a href=\"https:\/\/www.theguardian.com\/profile\/david-pegg\" rel=\"author\" data-link-name=\"auto tag link\">David Pegg<\/a>\u00a0and\u00a0<a href=\"https:\/\/www.theguardian.com\/profile\/sam-cutler\" rel=\"author\" data-link-name=\"auto tag link\">Sam Cutler\u00a0<\/a><br \/>\nSun 18 Jul 2021 12.00 EDT<\/div>\n<\/address>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"dcr-185kcx9\"><main class=\"dcr-lg1c4h\"><main class=\"dcr-krkkhw\"><\/p>\n<div id=\"maincontent\" class=\"dcr-eo53ts\" tabindex=\"0\">\n<div class=\"article-body-commercial-selector article-body-viewer-selector  dcr-bjn8wh\">\n<p class=\"dcr-1dpwc8o\">It is the name for perhaps the most powerful piece of spyware ever developed \u2013 certainly by a private 
company. Once it has wormed its way on to your phone, without you noticing, it can turn it into a 24-hour surveillance device. It can copy messages you send or receive, harvest your photos and record your calls. It might secretly film you through your phone\u2019s camera, or activate the microphone to record your conversations. It can potentially pinpoint where you are, where you\u2019ve been, and who you\u2019ve met.<\/p>\n<p class=\"dcr-1dpwc8o\">Pegasus is the hacking software \u2013 or spyware \u2013 that is developed, marketed and licensed to governments around the world by the Israeli company NSO Group. It has the capability to infect billions of phones running either iOS or Android operating systems.<\/p>\n<p class=\"dcr-1dpwc8o\">The earliest version of Pegasus discovered, which was captured by researchers in 2016, infected phones through what is called spear-phishing \u2013 text messages or emails that trick a target into clicking on a malicious link.<\/p>\n<figure id=\"a4df2ea1-3e0a-4c5d-82e3-2051c9aa8644\" class=\"dcr-10khgmf\">\n<div class=\"dcr-4bgdod\" data-atom-id=\"8a29b04b-fdcd-4315-96ee-95603ef0436d\" data-atom-type=\"guide\">\n<details class=\"dcr-nglds4\" open=\"open\" data-atom-id=\"8a29b04b-fdcd-4315-96ee-95603ef0436d\" data-snippet-type=\"guide\">\n<summary><strong><span class=\"dcr-161pcqe\">Quick Guide<\/span><\/strong><\/summary>\n<h4 class=\"dcr-15l9ami\">What is in the Pegasus project data?<\/h4>\n<p><strong>What is in the data leak?<\/strong><\/p>\n<p>The data leak is a list of more than 50,000 phone numbers that, since 2016, are believed to have been selected as those of people of interest by government clients of NSO Group, which sells surveillance software. The data also contains the time and date that numbers were selected, or entered on to a system. 
Forbidden Stories, a Paris-based nonprofit journalism organisation, and Amnesty International initially had access to the list and shared access with 16 media organisations including the Guardian. More than 80 journalists have worked together over several months as part of the Pegasus project. Amnesty\u2019s Security Lab, a technical partner on the project, did the forensic analyses.<\/p>\n<p><strong>What does the leak indicate?<\/strong><\/p>\n<p>The consortium believes the data indicates the potential targets NSO\u2019s government clients identified in advance of possible surveillance. While the data is an indication of intent, the presence of a number in the data does not reveal whether there was an attempt to infect the phone with spyware\u00a0such as Pegasus, the company\u2019s signature surveillance tool, or whether any attempt succeeded. The presence in the data of a very small number of landlines and US numbers, which NSO says are \u201ctechnically impossible\u201d to access with its tools, reveals some targets were selected by NSO clients even though they could not be infected with Pegasus. However, forensic examinations of a small sample of mobile phones with numbers on the list found tight correlations between the time and date of a number in the data and the start of Pegasus activity \u2013 in some cases as little as a few seconds.<\/p>\n<p><strong>What did forensic analysis reveal?<\/strong><\/p>\n<p>Amnesty examined 67 smartphones where attacks were suspected. Of those, 23 were successfully infected and 14 showed signs of attempted penetration. For the remaining 30, the tests were inconclusive, in several cases because the handsets had been replaced. Fifteen of the phones were Android devices, none of which showed evidence of successful infection. However, unlike iPhones, phones that use Android do not log the kinds of information required for Amnesty\u2019s detective work. 
Three Android phones showed\u00a0signs\u00a0of targeting, such as Pegasus-linked SMS messages.<\/p>\n<p>Amnesty shared \u201cbackup copies\u201d of four iPhones with Citizen Lab, a research group at the University of Toronto that specialises in studying Pegasus, which confirmed that they showed signs of Pegasus infection. Citizen Lab also conducted a peer review of Amnesty\u2019s forensic methods, and found them to be sound.<\/p>\n<p><strong>Which NSO clients were selecting numbers?<\/strong><\/p>\n<p>While the data is organised into clusters, indicative of individual NSO clients, it does not say which NSO client was responsible for selecting any given number. NSO claims to sell its tools to 60 clients in 40 countries, but refuses to identify them. By closely examining the pattern of targeting by individual clients in the leaked data, media partners were able to identify 10 governments believed to be responsible for selecting the targets: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates. Citizen Lab has also found evidence of all 10 being clients of NSO.<\/p>\n<p><strong>What does NSO Group say?<\/strong><\/p>\n<p>You can read NSO Group\u2019s\u00a0<a href=\"https:\/\/www.theguardian.com\/news\/2021\/jul\/18\/response-from-nso-and-governments\">full statement here<\/a>. The company has always said it does not have access to the data of its customers\u2019 targets. Through its lawyers, NSO said the consortium had made \u201cincorrect assumptions\u201d about which clients use the company\u2019s technology. It said the 50,000 number was \u201cexaggerated\u201d and the list could not be a list of numbers \u201ctargeted by governments using Pegasus\u201d. 
The lawyers said NSO had reason to believe the list accessed by the consortium \u201cis not a list of numbers targeted by governments using Pegasus, but instead, may be part of a larger list of numbers that might have been used by NSO Group customers for other purposes\u201d. After further questions, the lawyers said the consortium was basing its findings \u201con misleading interpretation of leaked data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers&#8217; targets of Pegasus or any other NSO products &#8230; we still do not see any correlation of these lists to anything related to use of NSO Group technologies\u201d.<\/p>\n<p><strong>What is HLR lookup data?<\/strong><\/p>\n<p>The term HLR, or home location register, refers to a database that is essential to operating mobile phone networks. Such registers keep records on the networks of phone users and their general locations, along with other identifying information that is used routinely in routing calls and texts. Telecoms and surveillance experts say HLR data can sometimes be used in the early phase of a surveillance attempt, when identifying whether it is possible to connect to a phone. The consortium understands NSO clients have the capability through an interface on the Pegasus system to conduct HLR lookup inquiries.\u00a0It is unclear whether Pegasus operators are required to conduct HLR lookup inquiries via its interface to use its\u00a0software; an NSO source stressed its clients\u00a0may have different reasons \u2013 unrelated to Pegasus \u2013 for conducting HLR lookups via an NSO system.<\/p>\n<\/details>\n<\/div>\n<\/figure>\n<p class=\"dcr-1dpwc8o\">Since then, however, NSO\u2019s attack capabilities have become more advanced. Pegasus infections can be achieved through so-called \u201czero-click\u201d attacks, which do not require any interaction from the phone\u2019s owner in order to succeed. 
These will often exploit \u201czero-day\u201d vulnerabilities, which are flaws or bugs in an operating system that the mobile phone\u2019s manufacturer does not yet know about and so has not been able to fix.<\/p>\n<p class=\"dcr-1dpwc8o\">In 2019 WhatsApp revealed that\u00a0<a href=\"https:\/\/www.theguardian.com\/world\/2020\/apr\/29\/whatsapp-israeli-firm-deeply-involved-in-hacking-our-users\" data-link-name=\"in body link\">NSO\u2019s software had been used<\/a>\u00a0to send malware to more than 1,400 phones by exploiting a zero-day vulnerability. Simply by placing a WhatsApp call to a target device, malicious Pegasus code could be installed on the phone, even if the target never answered the call. More recently NSO has begun exploiting vulnerabilities in Apple\u2019s iMessage software, giving it backdoor access to hundreds of millions of iPhones. Apple says it is continually updating its software to prevent such attacks.<\/p>\n<p class=\"dcr-1dpwc8o\">Technical understanding of Pegasus, and how to find the evidential breadcrumbs it leaves on a phone after a successful infection, has been improved by research conducted by Claudio Guarnieri, who runs Amnesty International\u2019s Berlin-based Security Lab.<\/p>\n<p class=\"dcr-1dpwc8o\">\u201cThings are becoming a lot more complicated for the targets to notice,\u201d said Guarnieri, who explained that NSO clients had largely abandoned suspicious SMS messages for more subtle zero-click attacks.<\/p>\n<figure id=\"5617a411-a46f-42d1-add6-32e506dd249a\" class=\"dcr-10khgmf\">\n<div data-chromatic=\"ignore\" data-component=\"youtube-atom\">\n<div data-chromatic=\"ignore\" data-component=\"youtube-atom\">\n<div class=\"dcr-laouyh\"><iframe loading=\"lazy\" id=\"youtube-video-G7H9uo3j5FQ\" tabindex=\"-1\" title=\"Pegasus: the spyware technology that threatens democracy \u2013 video\" 
src=\"https:\/\/www.youtube.com\/embed\/G7H9uo3j5FQ?embed_config={%22adsConfig%22:{%22adTagParameters%22:{%22iu%22:%22\/59666047\/theguardian.com\/news\/article\/ng%22,%22cust_params%22:%22sens%3Df%26si%3Df%26vl%3D0%26cc%3DUS%26s%3Dnews%26inskin%3Df%26se%3Dpegasus-project%26ct%3Darticle%26co%3Dsam-cutler%2Cdavid-pegg%26url%3D%252Fnews%252F2021%252Fjul%252F18%252Fwhat-is-pegasus-spyware-and-how-does-it-hack-phones%26su%3D0%26edition%3Dus%26tn%3Dexplainers%26p%3Dng%26k%3Despionage%2Cisrael%2Cworld%2Csurveillance%26sh%3Dhttps%253A%252F%252Fwww.theguardian.com%252Fp%252Ft4c45%26pa%3Df%22}}}&amp;enablejsapi=1&amp;origin=https:\/\/www.theguardian.com&amp;widgetid=1&amp;modestbranding=1\" width=\"460\" height=\"259\" allowfullscreen=\"allowfullscreen\" data-atom-id=\"youtube-video-G7H9uo3j5FQ\" data-atom-type=\"youtube\" data-mce-fragment=\"1\"><\/iframe><\/p>\n<div class=\"dcr-1pkp9y3\" tabindex=\"0\"><picture><source srcset=\"\" media=\"(-webkit-min-device-pixel-ratio: 1.25), (min-resolution: 120dpi)\" sizes=\"(min-width: 660px) 620px, 100vw\" \/><source srcset=\"https:\/\/media.guim.co.uk\/b286094a44fd2a2b4921b81400bb9272c5fe5beb\/0_0_1920_1080\/1000.jpg 1000w,https:\/\/media.guim.co.uk\/b286094a44fd2a2b4921b81400bb9272c5fe5beb\/0_0_1920_1080\/500.jpg 500w,https:\/\/media.guim.co.uk\/b286094a44fd2a2b4921b81400bb9272c5fe5beb\/0_0_1920_1080\/140.jpg 140w,https:\/\/media.guim.co.uk\/b286094a44fd2a2b4921b81400bb9272c5fe5beb\/0_0_1920_1080\/1920.jpg 1920w\" sizes=\"(min-width: 660px) 620px, 100vw\" \/><img class=\"dcr-1989ovb\" alt=\"Pegasus: the spyware technology that threatens democracy \u2013 video\" width=\"460\" height=\"259\" \/><\/picture>\n<div class=\"dcr-14wkmxc\">\n<div class=\"overlay-play-button dcr-eortmd\"><\/div>\n<div class=\"dcr-1bvwz3r\">04:55<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div><figcaption class=\"dcr-1272jzk\"><span class=\"dcr-mlk25k\">Pegasus: the spyware technology that threatens democracy \u2013 
video<\/span><\/figcaption><\/figure>\n<p class=\"dcr-1dpwc8o\">For companies such as NSO, exploiting software that is either installed on devices by default, such as iMessage, or is very widely used, such as WhatsApp, is especially attractive, because it dramatically increases the number of mobile phones Pegasus can successfully attack.<\/p>\n<p class=\"dcr-1dpwc8o\">As the technical partner of the Pegasus project, an international consortium of media organisations including the Guardian, Amnesty\u2019s lab has discovered traces of successful attacks by Pegasus customers on iPhones running up-to-date versions of Apple\u2019s iOS. The attacks were carried out as recently as July 2021.<\/p>\n<p class=\"dcr-1dpwc8o\">Forensic analysis of the phones of victims has also identified evidence suggesting NSO\u2019s constant search for weaknesses may have expanded to other commonplace apps. In some of the cases analysed by Guarnieri and his team, peculiar network traffic relating to Apple\u2019s Photos and Music apps can be seen at the times of the infections, suggesting NSO may have begun leveraging new vulnerabilities.<\/p>\n<p class=\"dcr-1dpwc8o\">Where neither spear-phishing nor zero-click attacks succeed, Pegasus can also be installed over a wireless transceiver located near a target, or, according to an NSO brochure, simply manually installed if an agent can steal the target\u2019s phone.<\/p>\n<p class=\"dcr-1dpwc8o\">Once installed on a phone, Pegasus can harvest more or less any information or extract any file. 
SMS messages, address books, call history, calendars, emails and internet browsing histories can all be exfiltrated.<\/p>\n<figure id=\"9e18e4a4-45cb-4fb6-866c-0fb7cd36e351\" class=\"dcr-10khgmf\">\n<div class=\"css-czhii0\" data-cypress=\"interactive-element-Explainer%20graphic%20grey%20version\"><iframe src=\"https:\/\/interactive.guim.co.uk\/uploader\/embed\/2021\/07\/mobile-explainer-zip\/giv-825y7Y0FN3v6Ty5\/\" height=\"491\" data-mce-fragment=\"1\"><\/iframe><\/div>\n<\/figure>\n<p class=\"dcr-1dpwc8o\">\u201cWhen an iPhone is compromised, it\u2019s done in such a way that allows the attacker to obtain so-called root privileges, or administrative privileges, on the device,\u201d said Guarnieri. \u201cPegasus can do more than what the owner of the device can do.\u201d<\/p>\n<p class=\"dcr-1dpwc8o\"><a href=\"https:\/\/www.theguardian.com\/news\/2021\/jul\/18\/response-from-nso-and-governments\" data-link-name=\"in body link\">Lawyers for NSO claimed<\/a>\u00a0that Amnesty International\u2019s technical report was conjecture, describing it as \u201ca compilation of speculative and baseless assumptions\u201d. However, they did not dispute any of its specific findings or conclusions.<\/p>\n<p class=\"dcr-1dpwc8o\">NSO has invested substantial effort in making its software difficult to detect and Pegasus infections are now very hard to identify. 
Security researchers suspect more recent versions of Pegasus only ever inhabit the phone\u2019s temporary memory, rather than its hard drive, meaning that once the phone is powered down virtually all trace of the software vanishes.<\/p>\n<p class=\"dcr-1dpwc8o\">One of the most significant challenges that Pegasus presents to journalists and human rights defenders is the fact that the software exploits undiscovered vulnerabilities, meaning even the most security-conscious mobile phone user cannot prevent an attack.<\/p>\n<p class=\"dcr-1dpwc8o\">\u201cThis is a question that gets asked to me pretty much every time we do forensics with somebody: \u2018What can I do to stop this happening again?\u2019\u201d said Guarnieri. \u201cThe real honest answer is nothing.\u201d<\/p>\n<\/div>\n<\/div>\n<p><\/main><\/main><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Source: Ep. 1565 What is Pegasus? &#8211; The Dan Bongino Show What is Pegasus? This is the biggest story of the day. In this episode, I discuss the troubling revelations about this new surveillance tool. What is Pegasus spyware and how does it hack phones? Pegasus can infect a phone through \u2018zero-click\u2019 attacks, which do &hellip; <a href=\"https:\/\/esterlund.com\/blog\/ep-1565-what-is-pegasus-the-dan-bongino-show\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Ep. 1565 What is Pegasus? 
&#8211; The Dan Bongino Show<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[23,12,25],"tags":[],"_links":{"self":[{"href":"https:\/\/esterlund.com\/blog\/wp-json\/wp\/v2\/posts\/10833"}],"collection":[{"href":"https:\/\/esterlund.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/esterlund.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/esterlund.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/esterlund.com\/blog\/wp-json\/wp\/v2\/comments?post=10833"}],"version-history":[{"count":2,"href":"https:\/\/esterlund.com\/blog\/wp-json\/wp\/v2\/posts\/10833\/revisions"}],"predecessor-version":[{"id":10835,"href":"https:\/\/esterlund.com\/blog\/wp-json\/wp\/v2\/posts\/10833\/revisions\/10835"}],"wp:attachment":[{"href":"https:\/\/esterlund.com\/blog\/wp-json\/wp\/v2\/media?parent=10833"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/esterlund.com\/blog\/wp-json\/wp\/v2\/categories?post=10833"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/esterlund.com\/blog\/wp-json\/wp\/v2\/tags?post=10833"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}