PEGASUS Unleashed: Protecting yourself from spyware
Israeli firm NSO Group again makes headlines for their invasive spyware, targeting journalists, political opponents, and others. Here's our take on how to respond.
As politicians, journalists, and other high-profile individuals around the world are reportedly being targeted by a spyware technology called Pegasus, regular citizens are now beginning to wonder if they should be concerned as well.
Spyware is a malicious technology that is embedded into a device with the purpose of gathering information from that device in order to exploit the data, and in some cases, to cause harm to the owner of that data.
Israeli technology firm NSO Group is responsible for the existence of the Pegasus software which facilitates remote surveillance of smartphones through a “zero-click” attack, meaning that the target does not have to take an action in order to be exploited. Simply by sending a message to a phone number through iMessage or even “secure” messaging applications like Facebook’s WhatsApp, the spyware can install without the user knowing it.
While NSO Group maintains that they sell their technology exclusively to governments that use it only for legitimate crime and terrorism investigations, foreign leaders are revealing that they are being targeted by political opponents through affected Android and iOS devices. Reports have surfaced which claim these attacks have been happening since at least 2014 and continue to this day, so if we are just learning of the attacks, how many more attacks have we just not heard about yet?
Smartphone security, particularly that of Apple’s iPhone, has generally been considered sufficient to protect users from spyware attacks, but Amnesty International has revealed that thousands of Apple users worldwide have potentially already been affected by Pegasus.
Deputy Director of Amnesty Tech Danna Ingleton stated, “Apple prides itself on its security and privacy features, but NSO Group has ripped these apart. Our forensic analysis has uncovered irrefutable evidence that through iMessage zero-click attacks, NSO’s spyware has successfully infected iPhone 11 and iPhone 12 models. Thousands of iPhones have potentially been compromised.”
Ingleton continued by saying, “These attacks have exposed activists, journalists and politicians all over the world to the risk of having their whereabouts monitored, and their personal information used against them. This is a global concern – anyone and everyone is at risk, and even technology giants like Apple are ill-equipped to deal with the massive scale of surveillance at hand.”
If technology giants such as Apple and governments cannot fully protect themselves from these types of attacks, the reality is that they cannot protect you either.
So, what can private citizens do to harden their security and counter threats like Pegasus?
Protect your phone number
There is little reason for people outside your inner circle to possess your dialed mobile number, the number assigned by your cell carrier that, when dialed, connects directly to your device. The numbers assigned by major cell carriers typically associate immediately to your name, address, date of birth, and even social security number, based on the information provided to cell carriers upon initiation of service. This information then becomes publicly accessible as data is shared, sold, brokered, or otherwise exchanged among third parties. In order to protect your privacy and minimize tracking, harassment, telemarketing calls, and other undesirable contacts, employ a service such as Google Voice, Blur by Abine, or MySudo to mask your device's true phone number and assign you a Voice Over Internet Protocol (VoIP) number that works just as well, but doesn’t tie directly to your device.
Use a trusted encrypted messaging app
A highly recommended, though not officially endorsed, service that provides end-to-end encrypted communications is the Signal Private Messenger application (from Open Whisper Systems). On an encrypted and secure platform, Signal offers messaging, calls, video, pictures, and other data transmissions. Chief among its features are the end-to-end encryption between users and a high regard for user privacy and individual liberties (e.g. Signal does not store data on its servers and cannot access it even if demanded by law). The app is available in mobile or desktop configurations. Signal does require a phone number upon initial registration; this is to verify ownership of the device being registered. However, after registration, the app will not rely on or require that number to function. On top of its security benefits, Signal is free to use, offers a similar interface to other common messaging apps, and sounds clearer to boot.
Download and employ a VPN at all times
Cellular devices on more advanced technology protocols (e.g. 4G, LTE, etc.) offer relatively advanced encryption on their networks. However, access to these networks varies based on the privacy laws and individual civil liberties of the countries in which the carriers conduct business. Regardless of location, users are highly recommended to connect to a virtual private network (VPN). VPNs provide an added layer of privacy and security (but not anonymity) by encrypting device communications. There are various encryption technologies available; in the simplest terms, a VPN creates an encrypted tunnel from the user’s device to the Internet. In addition to encryption, VPNs mask or “spoof” the user’s Internet Protocol (IP) address based on where the user wishes to route their internet traffic. Various VPN providers offer cost-effective services for access to servers across the world. We recommend and rely on ProtonVPN, which offers a free version for basic users.
Consider employing “burner” or “toss” devices
Known as "burner" or "toss" devices (typically phones), these electronics serve as a means of communication and connection without the extensive or unnecessary exposure of personal data to potential adversaries. There are a number of considerations to weigh before employing this technique, given that a fresh device with little data or history could raise unnecessary suspicions of travelers seeking to avoid law enforcement or security service scrutiny. However, compartmentalizing one's electronic devices in such a manner does add a significant layer of defense to one's security and privacy posture, and greatly reduces the risk of exposing personal, sensitive, or proprietary data.