🦊 Pegasus - are you safe?

Jul 27, 2021 4:06 pm

...there's a LOT to unpack from the news of NSO's Pegasus mobile phone exploits capable of infecting Android and iOS devices.


Hi. I'm Jon Fedor and this is InCyber Regular, edition 17.


At InCyber I talk about cyber-related issues and security-awareness for smaller enterprises, the cyber-curious, and the security-conscious. Sometimes we talk tactics, sometimes theories; always, security.


Today:

  1. What is Pegasus?
  2. SMShing and zero-days
  3. Terrifying SIM-jacking + pizza-ing


What the heck's up with Pegasus?

Almost two weeks ago, Jeff Bezos' Washington Post broke a face-melting news story about NSO, an Israeli defense firm, leaking the personal numbers of the world's power-players who, by the way, were under surveillance via NSO's mobile device spyware program, Pegasus.


If you want a deep dive into the story going on around this spyware tool from the Israeli defense company NSO, read this excellent article by Paul Haskell-Dowland in The Conversation.


Highlights


  1. NSO, the publisher of the Pegasus spyware tool, leaked like a BP drilling rig in the Gulf of Mexico: tens of thousands of private, personal phone numbers of people 'under surveillance.'
  2. Pegasus can get everything off your phone: keystrokes, audio, video, files, location; everything.
  3. Most spyware of this kind gets installed when you click a link in a spam / phishing text message, which then runs a root exploit on your phone (don't click links in unrecognized texts, damn it)
  4. However, the innovation for Pegasus is that you DON'T have to click a link for the spyware to install. Here's 9to5Mac's great summary of the findings from Amnesty International's investigation.


No Clicky?

That is correct. If someone's after you with Pegasus, you're hosed. Washed up. Someone's eating your audio for breakfast, location for lunch, and data for dinner.


In fact, here's more detail from the 9to5Mac article (linked above) about the saga of NSO's development of this tool. tl;dr - NSO's *single* job is to create zero-day exploits for iMessage and iOS so they can keep getting their spyware installed on iOS devices.


[image: excerpt from the 9to5Mac article]


So you're really up a digital creek without an EMP.


There's good news, though.


Good News...ish

First

You're super unlikely to be a target. Pegasus is INSANELY expensive and NSO doesn't just work with anyone. Well...ok...they do but only if you're rich enough to personally own and operate fleets of supercars and Gulfstreams.


Second

Most exploits of this type still come through spurious links in unrecognized SMS messages. DON'T click those links!


Third

Amnesty International published a tool that examines files from your mobile device for indicators of compromise (IOCs), which helps determine whether you've got spyware on your device.


Zack Whittaker from TechCrunch has a great couple of tweets on this.

[image: Zack Whittaker's tweets]


This is a command-line tool that you need to run in a shell or terminal. It's not necessarily easy to use. But it's a start.
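To show what "examine files on your device for indicators of compromise" actually means in practice, here is an added example of the core check such a tool performs. It is not Amnesty's code and is not taken from this newsletter; the IOC list, the process names and the device records are all constructed for illustration (the `.invalid` domains are a reserved TLD and never resolve), and the record layout (`kind`/`value`/`ts`) is an assumption about what an export of browser history and running processes might look like after parsing. The point it makes beyond the prose: a domain IOC has to be matched label by label, because a naive "ends with" test would flag `notspyware-c2.example.invalid` as a hit for `spyware-c2.example.invalid` and produce false positives.

```python
"""Minimal indicator-of-compromise (IOC) scan over records exported from a phone.

Added example, not the Amnesty tool's own code. Everything below is constructed:
  * IOC_DOMAINS / IOC_PROCESSES stand in for a published indicator feed
  * SAMPLE_RECORDS stands in for parsed browser history and a process list
"""
from urllib.parse import urlsplit

# Constructed IOC feed. '.invalid' is a reserved TLD, so these never resolve.
IOC_DOMAINS = {"spyware-c2.example.invalid", "stage.dropper.invalid"}
# Constructed process names; these are NOT real malware indicators.
IOC_PROCESSES = {"fakesyncd", "evil-helperd"}

# Constructed device export: two kinds of record, URLs visited and processes seen.
SAMPLE_RECORDS = [
    {"kind": "url", "value": "https://www.apple.com/ios/", "ts": "2021-07-20T08:00:00Z"},
    # subdomain of an IOC domain: must match
    {"kind": "url", "value": "https://cdn.spyware-c2.example.invalid/a?x=1", "ts": "2021-07-20T08:01:00Z"},
    # shares a suffix with an IOC domain but is a different domain: must NOT match
    {"kind": "url", "value": "https://notspyware-c2.example.invalid/", "ts": "2021-07-20T08:02:00Z"},
    {"kind": "process", "value": "SpringBoard", "ts": "2021-07-20T08:03:00Z"},
    {"kind": "process", "value": "fakesyncd", "ts": "2021-07-20T08:04:00Z"},
]


def matching_domain(hostname, ioc_domains):
    """Return the IOC domain that hostname equals or is a subdomain of, else None.

    Comparison is done on whole DNS labels: 'cdn.spyware-c2.example.invalid'
    matches 'spyware-c2.example.invalid', but 'notspyware-c2.example.invalid'
    does not, which a plain endswith() check would get wrong.
    """
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ioc_domains:
            return candidate
    return None


def check_records(records, ioc_domains=IOC_DOMAINS, ioc_processes=IOC_PROCESSES):
    """Scan records and return a list of hits, each {'indicator': ..., 'record': ...}.

    A hit is a reason to investigate further (preserve the device, collect a full
    backup, hand it to someone who does forensics), not proof of infection by itself.
    """
    procs = {p.lower() for p in ioc_processes}
    hits = []
    for rec in records:
        if rec["kind"] == "url":
            host = urlsplit(rec["value"]).hostname
            hit = matching_domain(host, ioc_domains) if host else None
            if hit:
                hits.append({"indicator": hit, "record": rec})
        elif rec["kind"] == "process":
            name = rec["value"].lower()
            if name in procs:
                hits.append({"indicator": name, "record": rec})
    return hits


def summarize(hits):
    """One human-readable line per hit, suitable for a terminal report."""
    return [f"{h['record']['ts']}  {h['record']['kind']:<8} {h['record']['value']}  <-- IOC {h['indicator']}"
            for h in hits]


if __name__ == "__main__":
    found = check_records(SAMPLE_RECORDS)
    print(f"{len(found)} indicator hit(s) in {len(SAMPLE_RECORDS)} record(s)")
    for line in summarize(found):
        print(line)
```

Run as-is it reports two hits out of five records: the subdomain URL and the constructed process name, and correctly ignores the look-alike domain. A real scan would feed it the parsed contents of a full device backup and a current, signed IOC list rather than the constructed data above.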


Honestly, if you're worried that you could be hacked and have spyware on your phone, then you probably have enough money to just snap your fingers and hire 2-3 people to run this tool on your phone every day anyway. Idk.


Closing Words

^^^ I know; finally, right?


First

Be vigilant.

  1. Don't click links in unrecognized texts
  2. Don't give your phone number to people on social media in DMs or make it available on social at all
  3. Regularly update your phone. Apple can't necessarily stay ahead of all zero-days but they absolutely catch and patch vulnerabilities continuously.
  4. Use a VPN when you're using publicly-accessible wifi
  5. Limit physical access to your phone


Second

These kinds of zero-day exploits are going to proliferate. They always do.


They're developed in secret by the Walter Whites of the world, sold for huge money, and then more and more people come along and figure out how to write and distribute them.


Maybe Apple and Android publishers will be able to keep up. So far, they haven't been able to keep up with a single spyware publisher.


That's not good news for the rest of us.


I'll be following this thread of news closely in the coming months.


New Darknet Diaries Episode!

[image: Darknet Diaries episode]


Jack Rhysider's published another confounding, terrifying, informative episode about a guy with an OG social media handle, psychological bullying with pizza-ing (the pizza delivery version of SWATing), and what can happen if you get SIM-jacked.


By the way, friend of InCyber, Matt Cameron, published his story about getting SIM-jacked in the early days of InCyber Regular. It's another story that makes the hair on your neck stand up. Read it here.


Thanks!

Writing this thing is so. friggin. fun. It's one of my favorite weekly activities! If you ever have questions on personal digital security, cyber security news, a story you want to tell, or a favorite resource to share (etc) reply back and let me know!


Have a good'un, Good Lookin'.


~ Jon "SMShing-is-a-terrible-verb" Fedor
