EXPOSED! is a weekly series of articles we post that seek to uncover or maybe bring into public view some of the underhand dealings committed, supposedly for our own good, by our governments and their agents.
We covered the story of Pegasus earlier in the year and, frankly, it should have been in EXPOSED! but wasn't, as it was such a big, breaking story at the time and we wanted to get it out sooner rather than later!
So we now have the opportunity to rectify that and share some pretty amazing news as well. Below, as with a long drink, we start with the twist before we get into the body of it: a rerun of the original piece and a subsequent, and substantial, article by Colin Hardy that decentralize.today ran as part of its 'The Sunday Long Read' series.
(TL;DR...bad guys got beat and banned!)
The background to the latest government sponsored attack on private communications via NSO Pegasus
July 2021 - Amnesty International and The Citizen Lab publish a report indicating the widespread usage of the NSO Group’s Pegasus software.
Pegasus is spyware developed and licensed by NSO Group to government clients. It can be used to spy on a mobile phone by turning many of that phone's own technical features against its owner.
Messages and emails can be read, cameras and microphones turned on remotely, keystrokes captured...all without the knowledge or permission of the cellphone's owner/operator.
The most concerning aspect of what has been suggested is how it is technically and practically possible to target a specific phone and extract the desired data without any action by the person to whom the phone belongs or is assigned.
There have been reports of 'zero-click infections' delivered by 'invisible' SMS and iMessage messages, but little to no evidence has been published for those specific delivery mechanisms. What analysis of affected phones has established is that infection by Pegasus took place without any involvement of the phone's owner.
It has to be recognized that telecom operators have been involved, whether actively or by having their infrastructure accessed, and the complex legal implications of that clearly indicate that the likely perpetrators of these attacks are governmental organizations or agencies with wide-ranging access to telecom provider infrastructure.
The intended victim is identified and their phone number and messaging address collected, presumably by or through government or mobile provider channels.
The victim's location is identified and access to the appropriate cellular infrastructure is established, either through the serving Base Transceiver Station (BTS) or by deploying an IMSI catcher.
The steps thereafter are as follows:
a message of a supported type is sent to the phone in question. The message contains an element that causes network access, such as an (obfuscated) link.
some network access occurs. This can be the messaging app loading a preview of the embedded link, or the user herself tapping the link to view the web page.
in some cases, such as the attack on Maati Monjib, the request in question was Monjib's own attempt to reach http://yahoo.fr/ to access his email, without any prior "hook" message.
in any event, the compromised cellular infrastructure is then used to execute a man-in-the-middle attack, diverting the web request to a series of trap servers that deliver the loader (1st attack stage). Note that this diversion is straightforward only for plaintext HTTP requests such as the one above; an HTTPS request cannot be silently redirected without a certificate the phone trusts.
the first stage generally exploits a 0-day vulnerability. NSO, as well as other similar companies (and also government agencies), collect and even purchase 0-days for covert use in these infection loaders.
the loader then establishes persistence on the victim's phone and later downloads the payload module(s) as the 2nd attack stage. It may then operate for an extended period of time, receiving commands from Command & Control servers and submitting intercepted data.
eventually, when a terminate command is received, the software cleans up its traces and removes itself from the phone.
NSO appears to have been applying this network access strategy via iMessage and Apple Music push notifications on Apple devices, adapting it in step with Apple's updates.
For Android devices the same strategy may be applicable through popular apps such as WhatsApp, but the actual situation is unclear.
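The observable trace of the man-in-the-middle step above is a plaintext HTTP request that comes back with a redirect to a host the user never asked for. The following is an added example, not code from the original article or from NSO, Amnesty or Citizen Lab: it scans a constructed transaction log (client, method, URL, status, Location header; the log format is an assumption) and flags every http:// request answered with a 3xx pointing off-site, skipping HTTPS because a network attacker cannot silently rewrite a TLS response without a certificate the phone trusts. All hosts and addresses in it are placeholders, not real indicators.

```python
"""Flag cross-domain redirects injected into plaintext HTTP requests.

Added example, not code from the original article, from NSO, Amnesty or
Citizen Lab.  It scans a constructed transaction log (client, method,
URL, status, Location header) and reports every HTTP (not HTTPS) request
answered with a 3xx that sends the client to a host outside the site it
asked for.  All hosts and addresses here are placeholders, not real
indicators; the log line format is assumed.
"""
import re
from typing import Dict, FrozenSet, List
from urllib.parse import urlparse

# Constructed log lines: "<client> <method> <url> <status> <location or ->"
SAMPLE_HTTP_LOG = """\
10.0.0.5 GET http://yahoo.fr/ 302 http://fr.yahoo.com/
10.0.0.5 GET http://yahoo.fr/ 302 http://stats-collector.example/r/8f3a
10.0.0.5 GET http://example.org/news 301 https://example.org/news
10.0.0.5 GET https://mail.example.org/ 302 https://login.example.org/
10.0.0.5 GET http://example.org/old 302 /new
"""

_LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})\s+(\S+)$")


def registrable_domain(host: str) -> str:
    """Crude 'site' boundary: the last two labels of the host name.
    Assumption: good enough for this demo; production code should use the
    Public Suffix List (e.g. the tldextract package) instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_suspicious_redirect(url: str, status: int, location: str,
                           allow: FrozenSet[str] = frozenset()) -> bool:
    """True if a plaintext HTTP request got a 3xx pointing off-site.

    HTTPS requests are skipped: the cheap network-level injection only
    works on http:// traffic.  Known-good off-site redirect targets (a
    site's real CDN or regional mirror) can be allow-listed by registrable
    domain to keep the false-positive rate down."""
    req = urlparse(url)
    if req.scheme != "http" or not (300 <= status < 400):
        return False
    if not location or location == "-":
        return False
    target = urlparse(location)
    if not target.hostname:          # relative Location: stays on the same host
        return False
    src = registrable_domain(req.hostname or "")
    dst = registrable_domain(target.hostname)
    return dst != src and dst not in allow


def scan_http_log(log_text: str,
                  allow: FrozenSet[str] = frozenset()) -> List[Dict[str, str]]:
    """Return one record per suspicious redirect found in the log."""
    hits = []
    for line in log_text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue                 # malformed line: skip rather than crash
        client, _method, url, status, location = m.groups()
        if is_suspicious_redirect(url, int(status), location, allow):
            hits.append({"client": client, "requested": url,
                         "redirected_to": location})
    return hits


if __name__ == "__main__":
    # yahoo.com is allow-listed here so the site's own regional redirect
    # (placeholder) does not fire; the off-site trap redirect still does.
    for hit in scan_http_log(SAMPLE_HTTP_LOG, allow=frozenset({"yahoo.com"})):
        print(f"{hit['client']} asked for {hit['requested']} "
              f"and was sent to {hit['redirected_to']}")
```

Without the allow-list the first yahoo.fr line is also reported, which is the practical caveat: legitimate sites redirect across domains all the time, so this heuristic needs a per-site allow-list (or a baseline of normal redirects) before it is usable as an alert rather than a hunting query.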
Defenses & Countermeasures
These attacks appear to be executed by government agencies using sophisticated tools and with near unlimited access to provider infrastructure.
If you're on their list, it's probably game over before you even realize it. Dozens of assassinations prove the point.
However, all is not lost as shown by the advice being offered by the report's authors (albeit they are pretty draconian!):
1. If you are vulnerable (a journalist, human rights activist or the like), do not carry a smartphone, do not use a phone to communicate, maybe don't even own a phone!
2. For any communications, use a secure laptop which you carry with you 24x7. It should ideally be equipped with Coreboot/Libreboot and run a sophisticated and well-configured OS such as Qubes OS.
3. Use a VPN at all times, and choose your VPN provider and endpoints carefully. Providers such as Mullvad that have lots of nodes in multiple countries are amongst the best choices. Change nodes frequently; this makes it much harder for an attacker to reach the local infrastructure needed to execute MitM attacks.
4. If you do need to use cellular communications, use a dumbphone as a modem attached to the laptop via USB or personal hotspot functionality, and never without the VPN being enabled.
5. Loading previews is a convenient function that can be dangerous and as such is disabled by default in privacy-oriented messengers such as Signal or Session. It can be enabled by the user after acknowledging a warning message discouraging its use.
Amnesty International and Citizen Lab have also pointed to the following two tools/lists as additional resources:
Firstly, the Mobile Verification Toolkit (MVT) helps “to simplify and automate the process of gathering forensic traces helpful to identify a potential compromise of Android and iOS devices.”
Secondly, the Indicators of Compromise are lists of domain names (alongside other indicator types) that can and should be blocked in your DNS setup and can also serve to alert you to suspicious activity. They are kept updated in Amnesty's investigations repository on GitHub (AmnestyTech/investigations), published as a STIX2 bundle that MVT can consume directly, and the same file can be pulled by a nightly DNS blocklist update.
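One way to do that nightly update is shown below. This is an added example, not part of the original article and not Amnesty or Citizen Lab tooling: it pulls the domain names out of a STIX2 indicator bundle, renders them as a dnsmasq, Unbound or hosts-file blocklist, and matches resolver query logs against them, subdomains included. The bundle and the log lines are constructed for illustration; every domain in them is a placeholder and NOT a real Pegasus indicator. A real bundle downloaded from the repository can be loaded with the load_bundle() helper (the file name and path are yours to supply).

```python
"""Build a DNS blocklist from a STIX2 indicator bundle and check DNS query
logs against it.

Added example, not part of the original article and not Amnesty/Citizen
Lab tooling.  The bundle and log lines below are constructed for
illustration: every domain in them is a placeholder, NOT a real Pegasus
indicator.  Load a real bundle from disk with load_bundle().
"""
import json
import re
import sys
from typing import Dict, Iterable, List, Set

# STIX2 pattern syntax, e.g. "[domain-name:value = 'example.com']"
_PATTERN_RE = re.compile(r"\[(domain-name|url):value\s*=\s*'([^']+)'\]")

# Constructed sample bundle (placeholder domains only).
SAMPLE_STIX = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        {"type": "indicator", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'cdn-update-check.example']"},
        {"type": "indicator", "pattern_type": "stix",
         "pattern": "[url:value = 'https://news-mirror.example/articles/1']"},
        {"type": "indicator", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '192.0.2.10']"},   # not a DNS name, ignored
        {"type": "malware", "name": "placeholder"},        # not an indicator
    ],
})


def extract_domains(stix_json: str) -> Set[str]:
    """Collect host names from domain-name and url indicators."""
    domains: Set[str] = set()
    for obj in json.loads(stix_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        for kind, value in _PATTERN_RE.findall(obj.get("pattern", "")):
            value = value.lower()
            if kind == "url":
                # keep only the host part: strip scheme, path, userinfo, port
                value = re.sub(r"^[a-z][a-z0-9+.-]*://", "", value).split("/")[0]
                value = value.rsplit("@", 1)[-1].split(":")[0]
            if value:
                domains.add(value.rstrip("."))
    return domains


def load_bundle(path: str) -> Set[str]:
    """Read a STIX2 bundle from disk (path is supplied by the caller)."""
    with open(path, encoding="utf-8") as f:
        return extract_domains(f.read())


def render_blocklist(domains: Iterable[str], fmt: str = "dnsmasq") -> str:
    """Emit resolver config that sinks the listed domains."""
    lines = []
    for d in sorted(domains):
        if fmt == "dnsmasq":          # address=/x/ also covers subdomains of x
            lines.append(f"address=/{d}/0.0.0.0")
        elif fmt == "unbound":        # local-zone covers the whole zone
            lines.append(f'local-zone: "{d}" always_nxdomain')
        elif fmt == "hosts":          # exact names only, no subdomain coverage
            lines.append(f"0.0.0.0 {d}")
        else:
            raise ValueError(f"unknown format {fmt!r}")
    return "\n".join(lines) + "\n"


def is_blocked(qname: str, domains: Set[str]) -> bool:
    """True if qname equals a listed domain or is a subdomain of one."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


# Constructed dnsmasq-style query log (not a real capture).
SAMPLE_DNS_LOG = """\
Jul 20 10:14:01 dnsmasq[812]: query[A] www.yahoo.fr from 10.0.0.5
Jul 20 10:14:02 dnsmasq[812]: query[AAAA] cdn-update-check.example from 10.0.0.5
Jul 20 10:14:02 dnsmasq[812]: query[A] a.news-mirror.example from 10.0.0.5
Jul 20 10:14:03 dnsmasq[812]: query[A] notnews-mirror.example from 10.0.0.5
"""

_QUERY_RE = re.compile(r"query\[[A-Z0-9]+\]\s+(\S+)\s+from\s+(\S+)")


def find_hits(log_text: str, domains: Set[str]) -> List[Dict[str, str]]:
    """Return the queries in a dnsmasq log that touch a listed domain."""
    hits = []
    for line in log_text.splitlines():
        m = _QUERY_RE.search(line)
        if m and is_blocked(m.group(1), domains):
            hits.append({"qname": m.group(1), "client": m.group(2)})
    return hits


if __name__ == "__main__":
    iocs = load_bundle(sys.argv[1]) if len(sys.argv) > 1 else extract_domains(SAMPLE_STIX)
    print(render_blocklist(iocs, "dnsmasq"), end="")
    for hit in find_hits(SAMPLE_DNS_LOG, iocs):
        print(f"ALERT {hit['client']} looked up {hit['qname']}", file=sys.stderr)
```

Two caveats a practitioner should keep in mind. A plain hosts file only matches exact names, so the dnsmasq or Unbound forms are preferable because they sink every subdomain of a listed name, which is what the matcher above also does when it checks logs. And a DNS blocklist only covers the network leg: the rest of the published indicators (the non-domain entries in the bundle) are what MVT checks on the device itself, so the two resources complement rather than replace each other.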
This article provides some background to NSO's Pegasus spyware, but the list of targets and the states implicated can be found elsewhere in the mainstream media and online. It is truly frightening!