Today’s post is the most dour I’ve ever written, and hopefully, it’s the last one of its kind I have to write. We’re going to be discussing the Pegasus Scandal.
I make an effort to avoid the news for mental health reasons, but given my profession, I couldn’t escape the news of this story. It was trending on news sites around the world.
Despite the popularity of this story, I have found it difficult to find a simple and thorough explanation of the details of the Pegasus Scandal, which is why I’m writing to you today.
In this post, I’m going to cover everything you need to know about this incident in terms that are easy to understand, even if you don’t know much about tech. I’ll also be going into a bit of history on this issue as well as the picture it paints for our future.
Let’s start with the facts you need to know first.
- The Pegasus Scandal: The basics
- Some background on Pegasus developer NSO
- Apple’s security and privacy claims have forever been called into question
- The origin of groups like the NSO
- How the Pegasus Scandal was uncovered
- The future of security and privacy in tech is looking bleak once more
- Interested in more stories like the Pegasus Scandal?
The Pegasus Scandal: The basics
For the first half of this article, I’m just going to cover the critical facts of this story. If you don’t know anything about this scandal, this is a good place to start.
What is the Pegasus Scandal?
The Pegasus Scandal is the name being given to one of the scariest cybersecurity breaches of our time. “Pegasus” is the name of malware developed by a group known as “NSO”.
Pegasus is capable of infecting any major smartphone device of today. That includes the iPhone 11 and iPhone 12 as well as most Android smartphones.
Once a device has been infected, Pegasus gains access to root permissions for that device. For those that don’t know, root permissions refer to deep administrative control of a device. That includes cameras, microphones, messaging apps, emails, photos and videos, phone calls, contacts, calendars, and GPS data.
In other words, root permissions give software access to everything. Ideally, the only software on your iPhone that has access to root permissions is iOS itself. And the only people who can act on those permissions are you and (on rare occasions like iPhone repairs) Apple.
In this case, though, Pegasus was able to access and use (and did use) all of these root permissions to spy on users.
I normally try to avoid negativity, but it can’t get too much more serious than this. Imagine all of your worst fears about being spied on by your device, and that’s basically what Pegasus has been able to accomplish.
Did Apple, Google, and others intentionally participate in the Pegasus Scandal?
No, Apple, Google, and other device manufacturers did not knowingly participate in the Pegasus Scandal. At least not as far as we know.
Based on the best investigative journalism being conducted at this time, it doesn’t look like any of these major tech companies had anything to do with this. If anything, these companies have been completely turned upside down by this news.
Hopefully, the engineers at these businesses are working night and day to stop Pegasus in its tracks as well as prevent future attacks like it.
Not only did Apple and others not participate in this, but Apple has made statements disavowing these attacks and asserting that the iPhone is still the most secure mobile device on the market.
To be fair, the iPhone probably is still the most secure smartphone out there. But as we’ve learned, that might not be enough anymore. I’ll get into this further in the article.
Who is at risk?
The one inkling of good news surrounding the Pegasus Scandal (aside from the fact that the story broke at all) is that you probably aren’t at risk. This software was developed for government use, which means that it’s primarily targeting individuals in positions of political power.
You should be personally concerned about the effects of Pegasus (regardless of nationality) if you:
- Hold a political office
- Are a journalist (especially a political one)
- Hold political influence
- Are a member of a military
- Work for a government (especially with access to sensitive information or permissions)
The data that was uncovered and leaked by the journalists who investigated this story (I’ll go into more detail on them later) shows roughly 50,000 individuals who were affected by this scandal.
To give you an idea of the severity of the individuals targeted, French President Emmanuel Macron was successfully targeted by Pegasus. He has since changed his phone.
You are probably safe
For now, this seems to indicate that the vast majority of people around the world are safe from Pegasus software. I’m sure that more than 50,000 people were affected. But there doesn’t seem to be an indication of mass civilian surveillance in this specific case.
That said, I would not advise you to relax and forget this story altogether. Although you most likely haven’t been affected, the ramifications of this could certainly have an impact on your life.
This software (or another like it) could at a later point in history be deployed at the civilian level en masse. Or one of your political leaders could be targeted, which could impact your national security.
Either way, this is big news for everyone around the world. Pegasus is a few years ahead of leading cybersecurity defenses. Until we catch up, this attack and others like it pose a serious threat.
You probably won’t know if your device is infected
One of the most concerning aspects of the Pegasus Scandal is how difficult it is to learn who is and isn’t infected. Journalists were able to provide a list of affected parties by finding and leaking lists of targets over time. However, they were not able to find a way to detect Pegasus malware on a person’s device.
In other words, we have an idea of who was infected because lists of names have been uncovered. This scandal was not exposed, however, by finding the malware on mobile devices.
A contrasting example is the Silver Sparrow malware, which was found the other way around. We were able to find it on Mac devices, but it was never discovered where it came from or why it was used.
For now, there is little to no way to confirm or deny the presence of Pegasus on your device. Again, it is extremely unlikely that your device has been affected. If you have reason to believe you may be at risk, though (i.e., you’re a member of one of the targeted groups I covered earlier) then it might be worth purchasing a new iPhone and getting rid of your current device completely.
How the Pegasus malware works
Pegasus malware is what’s known as a “zero-click” attack. That means that the user of the targeted device doesn’t have to do anything to be infected. It can compromise your device without any malicious links, popups, or other deceptive methods. It’s simply sent to a device, and shortly after, the device is infected.
From what we know so far, it looks like Pegasus is sent to devices one of two ways.
The first is by sending a link to the user via email, text message, or instant messaging (e.g., WhatsApp). Once the user clicks on the link, the infection process begins. In this instance, the attack would not technically be “zero-click”.
The second method uses vulnerabilities in common apps. This includes both common third-party apps (like WhatsApp) as well as built-in apps like Apple Music and Photos. While specific details haven’t been uncovered (or released to the public), it was discovered that suspicious activity occurred in both Apple Music and Photos shortly before Pegasus was able to infect the system.
How zero-day vulnerabilities work
It is believed that Pegasus was able to infect iPhones through built-in iOS apps by looking for “zero-day” vulnerabilities. A zero-day vulnerability is one that a hacker finds by brute-forcing different attacks on software as soon as it’s released. That way, the hacker can find the vulnerability before the developer does and exploit it.
Put simply, when Apple releases a new version of iOS (even an incremental update like iOS 14.7) there is almost always an unforeseen vulnerability. After a few days or weeks, that vulnerability will be uncovered, and before any hackers can exploit it, Apple will release a new update that removes this vulnerability. That’s why you’ll sometimes get back-to-back iOS updates.
Unfortunately, there are some groups (including Pegasus’s developer NSO) who have the resources and motivations to uncover a vulnerability on the same day that the software is released.
So they find the vulnerability, modify Pegasus to exploit that vulnerability, then send Pegasus to the victim. By the time Apple finds and patches the vulnerability, the device is already infected, so the patch is ineffective for that user and other victims.
It’s important to note that most of the vulnerabilities in Apple’s software are inevitable. In the same way that it’s impossible to build a pick-proof lock, there is no way for Apple to release a version of iOS that is completely unhackable.
That’s why iPhone is considered the “most secure” and not the “completely secure” smartphone. So Apple and co are deserving of a modicum of lenience along with the (appropriately directed) criticism.
Some background on Pegasus developer NSO
Those are all of the details that you need to know. Now we’re going to get into some finer points as well as discussions on the impact of the Pegasus Scandal. First, let’s explore NSO.
As mentioned, NSO is the group that developed the Pegasus malware. They’re based in Israel and have been working on tech like this since the 2010s, which is right around the time that smartphones shifted from a novelty to a necessity.
Unsurprisingly, the recent story on Pegasus is not the first time that NSO has gotten into hot water. Its entire history is filled with controversy and, arguably, crime. Here are some of the “smaller” issues surrounding NSO:
- In 2012, the Mexican government hired NSO to help it keep tabs on journalists and human rights activists in Mexico (source)
- In 2018, NSO was accused of helping the Saudi Arabian government spy on human rights group Amnesty International (source)
- Despite NSO’s Pegasus malware being intended exclusively for use by governments, one of NSO’s staff attempted to sell the software online in exchange for cryptocurrency, highlighting the possibility of Pegasus falling into the wrong hands (of course, it’s debatable whether or not there even are “right hands” for Pegasus to fall into) (source)
Other scandals have followed NSO
Larger scandals have plagued NSO, too. It has been sued by Facebook-owned WhatsApp for injecting its spyware on the devices of WhatsApp users via the WhatsApp platform (source). The alleged attack affected 1,400 users across 20 countries.
Among those users were (you guessed it) numerous journalists and human rights defenders. WhatsApp also claimed to have discovered that these attacks originated from NSO servers. If true, that would seem to indicate that NSO directly used Pegasus to infect these users, not one of NSO’s clients/customers.
It is also alleged that the Pegasus software was used to track Jamal Khashoggi by the Saudi Arabian government in the months preceding his murder (source). For everyone who remembers, this was an internationally devastating crime. Seeing Pegasus linked to it is no small matter.
In short, NSO has been developing the Pegasus surveillance software for the Israeli government over the last decade. The software hasn’t just been used by Israel, however. The Israeli government has been licensing the software to other governments, who have largely been using it to stifle and remove journalists, activists, and human rights defenders.
Put another way, NSO appears to be, by all accounts, a perpetrator of dystopian tactics. This may be its biggest scandal yet, but it is by no means an outlier in the group’s history.
NSO is refuting claims about its Pegasus software
To nobody’s surprise, NSO is refuting the claims surrounding the Pegasus Scandal.
Which claims is it refuting? Specifics haven’t been named. The group’s lawyers have simply disavowed the ramifications of its software without discussing specific allegations.
All NSO’s lawyers have said so far is that the claims made by the journalists who uncovered and leaked this information are “a compilation of speculative and baseless assumptions.”
It’s worth noting that when faced with the allegations surrounding WhatsApp, all NSO had to say was that “NSO Group does not operate the Pegasus software for its clients.” In other words, all it had to say on the matter was that what its customers do with its software isn’t its business.
So it looks like NSO is sticking with the tried-and-true “I didn’t do it, and even if I did, it’s not my fault” defense.
Apple’s security and privacy claims have forever been called into question
I mentioned earlier that I think Apple, Google, and others deserve a bit of leniency when it comes to these sorts of attacks. After all, they are, to a certain extent, inevitable.
Apple doesn’t have the power to stop global government-funded organizations from wedging surveillance malware through iOS updates. If Apple could create a hack-proof version of iOS, I’m sure it would’ve done it already.
That said, I would not argue that Apple and company are exempt from criticism. I’ve been covering privacy on AppleToolBox and other websites for a long time because it’s arguably the most important challenge facing tech today. And for a long time, Apple has been the best mainstream tech company at preventing these kinds of scandals.
Seeing how effective and widespread the Pegasus Scandal is brings new points into the privacy discussion.
First, to what extent is Apple responsible? Should it change the way it manufactures its devices and software, and if so, how?
Second, it’s safe to say that for all of Apple’s best efforts and marketing slogans, your iPhone isn’t bulletproof. The only way to truly avoid surveillance is to remain a nobody and/or live isolated from modern technology.
Third, it highlights how critically important it is for political officials to wake up and get educated on cybersecurity and tech issues. While some promising progress is beginning to happen (read here), it’s too slow. New regulations, innovations, and defenses at the administrative level are needed to help stave off the growing threat of cyberattacks.
The origin of groups like the NSO
The NSO seems to be the most pressing threat to our digital security and privacy for at least the last ten years. It’s too much power in too many hands, all of which seem to be the worst hands available.
In the same way that the U.S. government deserves criticism when it sells weapons to bad actors, the Israeli government should be held accountable for where and how Pegasus is distributed, assuming it should even be allowed to be distributed, to begin with.
Of course, the Pegasus Scandal is not the first of its kind. Intel and security scandals have plagued the U.S. for the last 50+ years as groups like the FBI, NSA, and CIA have used similar tactics and strategies to target the same groups as Pegasus – rights activists and journalists.
It’s hard not to think that the origin of groups like NSO began with inspiration from the spying being conducted by the U.S. and U.K. governments. Both countries were shown to be bad actors on this front thanks to the information leaked by former NSA contractor Edward Snowden.
While many of the programs that were unmasked by Edward Snowden have been (at least “officially”) shut down, the 2013 leak no doubt inspired countries like Israel and groups like NSO to pursue their ends in this area.
Similar to how the development of the atom bomb was quickly copied by every other country with the resources to do so, I imagine that there are lots of Pegasus clones that are copying the previous work of the U.S. government.
How the Pegasus Scandal was uncovered
The work done to bring the Pegasus Scandal to light is pretty fascinating. It’s certainly one of the most sophisticated instances of investigative journalism that I’ve ever heard of.
Following the leak of 50,000 phone numbers in 2020 (which were tied to Pegasus), seventeen media publications joined together to investigate NSO and its software. Among these publications are The Guardian, The Washington Post, Le Monde, Proceso, and The Wire.
In total, 80 journalists from these publications investigated this leak for several months. During that time, these journalists partnered with other investigative and forensic services to identify the phone numbers, search through the devices for malware (when possible), and confirm that the devices were not only being tracked but being tracked by NSO’s software.
High-profile individuals from around the world have been targeted, including the President of France Emmanuel Macron, the Prime Minister of Egypt Mostafa Madbouly, and Barham Salih, the President of Iraq.
As mentioned, a majority of the targeted individuals are journalists and human rights activists. Alongside the murder of Jamal Khashoggi, there are ties between Pegasus and the imprisonment and torture of Saudi women’s rights activist Loujain al-Hathloul, the assassination of Mexican anti-corruption journalist Cecilio Pineda Birto, and the leaking of intimate photos of Fatima Movlamli (she was 18 at the time that the photos were leaked), an opponent of local authoritarian rule in Azerbaijan.
The work completed by these journalists is equal parts inspiringly brave and devastatingly eye-opening.
The future of security and privacy in tech is looking bleak once more
For the majority of the 2010s, it was generally accepted that our tech was being used to spy on us. This was confirmed by Edward Snowden’s leak in 2013.
After that leak, however, it seemed that things were steadily improving. Apple and others have taken strong stances on protecting their users’ privacy, and despite cynicism, it has seemed that these companies had put their money where their mouth was.
Additionally, the U.S. appears to have canceled its previous spying programs, and recent court cases have deemed that the NSA’s surveillance was illegal and potentially unconstitutional.
But the Pegasus Scandal seems to show that good intentions in one area do not equal good intentions in all areas. The reformation of some bad actors is not equal to the reformation of all bad actors. And it seems like, at least with the state of the world today, that there is little anyone can do about this.
After all of the journalism conducted on this scandal, the conclusion remains that if someone wants to use the Pegasus software against you, there isn’t anything you can do to stop them short of isolating yourself from tech.
The NSO’s excuse for creating and licensing Pegasus
According to NSO, the Pegasus software is only meant to be used against terrorist organizations. NSO claims that it vets potential governments before licensing the software to them to reduce the chances that they will use it for ill purposes.
That’s hard to believe, though, given that the software was licensed to known bad actors in the Middle East, to the Mexican government (which has a long history of being adversarial to activists), and others. And regardless of NSO’s intentions, the software has been used for evil.
It’s difficult to put a positive spin on this story. It seems that, once again, those in positions of power have crafted tools of abuse from the opportunities and resources that power presents. It’s a solemn reminder that the ultimate goal of governments is to collect and maintain power at all costs and in all forms. And it’s a reminder to citizens to stay vigilant, strong-willed, and sharp.
Interested in more stories like the Pegasus Scandal?
Subscribe to the AppleToolBox newsletter to keep up with the latest news, controversies, and all other things Apple.