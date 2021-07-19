



This is probably the name of the most powerful spyware ever developed by the private sector. Once it has wormed its way onto your phone without your noticing, it can turn the device into a 24-hour surveillance tool. It can copy the messages you send and receive, harvest your photos and record your calls. It may secretly film you through your phone’s camera, or activate the microphone to record your conversations. It can potentially pinpoint where you are, where you have been, and who you have met.

Pegasus is hacking software, or spyware, developed and sold by the Israeli company NSO Group and licensed to governments around the world. It is capable of infecting billions of phones running either the iOS or Android operating systems.

The earliest versions of Pegasus discovered, captured by researchers in 2016, infected phones through so-called spear-phishing text messages or emails that tricked the target into clicking a malicious link.

The leaked data is a list of more than 50,000 phone numbers believed to have been selected, since 2016, as those of people of interest by government clients of NSO Group, which sells surveillance software. The data also includes the date and time at which each number was selected, or entered into the system. Forbidden Stories, a Paris-based non-profit journalism organisation, and Amnesty International initially had access to the list and shared that access with 16 media organisations, including the Guardian. More than 80 journalists have worked together for several months as part of the Pegasus project. The project’s technical partner, Amnesty’s Security Lab, conducted the forensic analyses.

What does the leak indicate?

The consortium believes the data indicates potential targets identified by NSO’s government clients in advance of possible surveillance. The data is an indication of intent: the presence of a number in the data does not by itself reveal whether there was an attempt to infect that phone with spyware such as Pegasus, the company’s signature surveillance tool, nor whether any such attempt succeeded. The presence of a very small number of landline and US numbers in the data, which NSO says are technically impossible to access with its tools, does reveal that some targets were selected by NSO clients even though they could not have been infected with Pegasus. However, forensic examination of a small sample of mobile phones with numbers on the list found a close correlation, in some cases of just a few seconds, between the date and time of the number in the data and the start of Pegasus activity on the device.
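The timestamp correlation described above, written out as an added example (this is not the consortium’s or Amnesty’s tooling): constructed selection records are matched against constructed per-device forensic timeline events on the same number that fall within a few seconds of the selection time. Phone numbers, times and event labels are placeholders.

```python
from datetime import datetime, timedelta

# Constructed leak records: (phone number, time the number was entered into the system).
# Sample values only, not data from the actual leak.
LEAK_RECORDS = [
    ("+10000000001", "2019-03-01T10:15:02"),
    ("+10000000002", "2019-03-05T08:40:11"),
    ("+10000000003", "2019-04-12T22:05:44"),
]

# Constructed per-device forensic timelines: (phone number, timestamp, observed event).
# Event labels are generic placeholders, not real Pegasus indicators.
DEVICE_TIMELINES = [
    ("+10000000001", "2019-03-01T10:15:05", "unknown process launched"),
    ("+10000000002", "2019-03-05T14:00:00", "app update installed"),
    ("+10000000003", "2019-04-12T22:05:41", "unknown process launched"),
]


def parse(ts):
    """Parse an ISO 8601 timestamp string into a datetime."""
    return datetime.fromisoformat(ts)


def correlate(leak_records, timelines, window_seconds=30):
    """Return one tuple per device event that occurs on the same number within
    +/- window_seconds of a selection time in the leak data:
    (number, selection_time, event_time, event, offset_seconds).
    A negative offset means the device event preceded the recorded selection time."""
    window = timedelta(seconds=window_seconds)
    selections_by_number = {}
    for number, ts in leak_records:
        selections_by_number.setdefault(number, []).append(parse(ts))

    hits = []
    for number, ts, event in timelines:
        event_time = parse(ts)
        for selection_time in selections_by_number.get(number, []):
            delta = event_time - selection_time
            if abs(delta) <= window:
                hits.append((number, selection_time.isoformat(), event_time.isoformat(),
                             event, delta.total_seconds()))
    return hits


if __name__ == "__main__":
    for hit in correlate(LEAK_RECORDS, DEVICE_TIMELINES):
        print(hit)
```

A correlation within seconds on one device is suggestive, not proof; the page’s own caveat that inclusion in the list does not establish an infection attempt applies to every unmatched record.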

What did the forensic analysis reveal?

Amnesty examined 67 smartphones suspected of having been attacked. Of these, 23 were successfully infected and 14 showed signs of attempted targeting. For the remaining 30, the tests were inconclusive, in several cases because the handsets had been replaced. Fifteen of the phones were Android devices, none of which showed evidence of a successful infection. However, unlike iPhones, Android phones do not log the kind of information required for Amnesty International’s detective work. Three Android phones showed signs of targeting, such as SMS messages linked to Pegasus.

Amnesty International shared backup copies of four iPhones with Citizen Lab, a research group at the University of Toronto that specialises in studying Pegasus, which confirmed that they showed signs of Pegasus infection. Citizen Lab also conducted a peer review of Amnesty International’s forensic methods and found them to be sound.

Which NSO client was selecting the number?

The data is organised into clusters indicating individual NSO clients, but it does not say which NSO client was responsible for selecting any given number. NSO claims to sell its tools to 60 clients in 40 countries, but refuses to identify them. By closely examining the pattern of targeting by individual clients in the leaked data, media partners were able to identify 10 governments believed to be responsible for selecting the targets: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates. Citizen Lab also found evidence that all 10 were NSO clients.

What does the NSO Group say?

The full text of the NSO Group’s statement can be read here. The company has always said that it does not have access to its customers’ target data. NSO said through its lawyers that the consortium had made false assumptions about which clients use the company’s technology. It said the figure of 50,000 was exaggerated and that the list could not be a list of numbers targeted by governments using Pegasus. The lawyers said NSO had reason to believe that the list accessed by the consortium is not a list of numbers targeted by governments using Pegasus, but instead may be part of a larger list of numbers that NSO Group customers might have used for other purposes. After further questions, the lawyers said the consortium was basing its findings on a misleading interpretation of leaked data from accessible and overt basic information, such as HLR lookup services, which has nothing to do with the list of targets of Pegasus or other NSO products for any customer … and that no correlation has been found between these lists and anything related to the use of NSO Group technology.

What is HLR lookup data?

The term HLR, or home location register, refers to a database that is essential to the operation of a mobile phone network. Such registers keep records of the network of each phone user and of their general location, along with other identifying information that is routinely used in routing calls and text messages. Telecoms and surveillance experts say HLR data can sometimes be used in the early stages of a surveillance attempt to determine whether a phone can be reached over the network. The consortium understands that NSO clients have the ability to perform HLR lookup queries through an interface on the Pegasus system. It is unclear whether Pegasus operators are required to perform an HLR lookup query through that interface in order to use the software; an NSO source stressed that its clients may have various reasons, unrelated to Pegasus, for performing HLR lookups through the NSO system.

However, since then, NSO’s attack capabilities have become even more sophisticated. Pegasus infections can be achieved through so-called zero-click attacks, which require no interaction from the phone’s owner in order to succeed. These often exploit zero-day vulnerabilities: flaws or bugs in an operating system that the phone’s manufacturer does not yet know about and so has not been able to fix.

In 2019, WhatsApp revealed that NSO’s software had been used to send malware to more than 1,400 phones by exploiting a zero-day vulnerability. Simply by placing a WhatsApp call to a target device, malicious Pegasus code could be installed on the phone, even if the target never answered the call. More recently, NSO has begun exploiting vulnerabilities in Apple’s iMessage software, giving it backdoor access to hundreds of millions of iPhones. Apple says it is continually updating its software to prevent such attacks.

Technical understanding of Pegasus, and of how to find the evidential breadcrumbs it leaves on a phone after a successful infection, has been improved by research conducted by Claudio Guarnieri, who runs Amnesty International’s Berlin-based Security Lab.

Guarnieri explained that NSO’s clients have largely abandoned suspicious SMS messages in favour of more subtle zero-click attacks, which makes it much harder for targets to notice they have been compromised.

For a company such as NSO, exploiting software that is either installed on devices by default, such as iMessage, or very widely used, such as WhatsApp, dramatically increases the number of mobile phones Pegasus can attack. That makes such software especially attractive as a target.

As technical partner for the Pegasus project, an international consortium of media organisations including the Guardian, Amnesty International found evidence of a successful attack by a Pegasus customer on an iPhone running the latest version of Apple’s iOS. The attack was carried out in July 2021.

Forensic analysis of victims’ phones has also identified evidence suggesting that NSO’s constant search for weaknesses may have extended to other common apps. In some of the cases analysed by Guarnieri and his team, specific network traffic relating to Apple’s Photos and Music apps was seen at the time of infection, suggesting NSO may have begun exploiting new vulnerabilities.

Where neither spear phishing nor zero-click attacks succeed, Pegasus can also be installed via a wireless transceiver located near the target, or, according to an NSO brochure, manually if an agent can steal the target’s phone.

Once installed on a phone, Pegasus can harvest more or less any information and extract any file. SMS messages, contact lists, call history, calendars, emails and internet browsing history can all be exfiltrated.

According to Guarnieri, when an iPhone is compromised the attacker gains so-called root, or administrator, privileges on the device. Pegasus can then do more than the device’s owner can.

NSO’s lawyers claimed that Amnesty International’s technical report was speculative, describing it as a compilation of speculative and unfounded assumptions. However, they did not dispute any of its specific findings or conclusions.

NSO has invested considerable effort in making its software hard to detect, and Pegasus infections are now very difficult to identify. Security researchers suspect that the latest versions of Pegasus reside only in the phone’s temporary memory rather than on its persistent storage, which means that once the phone is powered down, virtually all trace of the software disappears.

One of the most significant challenges Pegasus presents to journalists and human rights defenders is that the software exploits undiscovered vulnerabilities. This means that even the most security-conscious mobile phone user cannot prevent an attack.

“This is a question I get asked every time I do forensics with someone: how can I prevent this from happening again?” Guarnieri said. “There is no real honest answer.”

