How Pegasus works: The sinister silencing of journalists and political opposition worldwide

Special to WorldTribune, July 26, 2021


By Richard N. Madden

This month, an ongoing investigation revealed that governments across the world have been utilizing spyware called *Pegasus* to track, monitor and suppress journalists and political opponents through their smartphones.


The investigation, dubbed the “Project Pegasus Revelations”, found that tens of thousands of mobile phones are infected with the spyware. Moreover, the spyware was discovered on the phones of a number of current and former heads of state, such as Emmanuel Macron, the current President of France, and Mohammed VI, King of Morocco.

Evidence suggests Pegasus has been active since 2013, with internal code referencing iOS 7, and it is currently effective against the latest versions of iOS and some versions of Android.

The NSO Group, the surveillance company behind Pegasus, markets the spyware as a tool to fight terrorism and crime. However, with the recent revelations, it is clear that the spyware’s usage transcends well beyond the designer’s declared intentions. The NSO Group has earned hundreds of millions of dollars through the sale of Pegasus site licenses to both legitimate and illegitimate organizations around the world.

In the most recent published report on the investigations, it was discovered that governments, clandestine organizations and rogue groups have utilized Pegasus to attack their opponents.

Jamal Khashoggi, the investigative journalist who was very publicly assassinated by Saudi operatives in October 2018, and his associates were found to be targets of the spyware.

In India, a number of political opponents of Prime Minister Narendra Modi, ministers and activists were also targeted. Drug cartels in Mexico have also used Pegasus to track, intimidate and silence journalists and police.

Pegasus can be covertly installed over the Internet or SMS using what is known as a “zero-click” vulnerability. This means that Pegasus can be installed without any interaction from the victim and without their knowledge.

Once Pegasus is installed, the spyware can capture text messages, listen in on calls, view browsing history, access other messaging apps like WhatsApp or Telegram, and run arbitrary code.

Pegasus communicates with “Command & Control” servers through a complex series of network hops and proxies which masks its interaction with the C&C servers from the user.

Pegasus can also “self-destruct” without any trace if it loses contact with the C&C servers or if it detects tampering.

More people in the world now own a smartphone than a personal computer. Our phones hold over a decade of personal data; every text, every place we’ve visited and who we interact with.

In a sense, smartphones know us better than we know ourselves.

Pegasus turns the smartphone into the world’s most sophisticated tracking device. The technical feat and ingenuity in developing Pegasus pale in comparison to the true innovation: weaponizing the devices we willingly carry and trust.

As the tech industry consolidates, this massive amount of data is quickly falling under a few monolithic umbrellas.

Of the two major smartphone operating systems, iOS and Android, iOS has generally been seen as more privacy-oriented and therefore more trustworthy. However, the closed-source nature of iOS does not allow for third-party security audits without Apple’s explicit consent. Conversely, Android exists in many flavors and is open by design, allowing more third parties to view, analyze and scrutinize the source code running on Android phones. The Android OS in general is less vulnerable to Pegasus due to this fact. Furthermore, privacy-oriented forks of Android, such as GrapheneOS and CopperheadOS, are immune to Pegasus due to their strict access controls and security-oriented design.

The existence of Pegasus raises doubts about the security of our devices and the trust we place in them and our governments.

Although the USA, China and Russia are absent from the current reports on Pegasus, the likelihood that these governments know of and have used similar vulnerabilities and exploits is extremely high.

Richard N. Madden is a researcher in the fields of Cryptography and digital hardware design. He holds a Master’s degree in Computer Engineering with particular interest in security, data privacy and digital rights.