An international group of journalists this month detailed extensive new evidence that spyware made by Israeli company NSO Group was used against activists, business executives, journalists, and lawyers around the world. Even Apple’s iPhone, frequently lauded for its tight security, was found to be “no match” for the surveillance software, leading Johns Hopkins cryptographer Matthew Green to fret that the NSO revelations had led some hacking experts to descend into a posture of “security nihilism.”
Security nihilism is the idea that digital attacks have grown so sophisticated that there’s nothing to be done to prevent them from happening or to blunt their impact. That sort of conclusion would be a mistake. For one thing, it plays into the hands of malicious hackers, who would love nothing more than for targets to stop trying to defend themselves. It’s also mistaken factually: You can defend yourself against NSO’s spyware — for example, by following operational security techniques like not clicking unknown links, practicing device compartmentalization (such as using separate devices for separate apps), and having a virtual private network, or VPN, on mobile devices. Such techniques are effective against any number of digital attacks and thus useful even if NSO Group turns out to be correct in its claim that the purported evidence against the company is not valid.
There may be no such thing as perfect security, as one classic adage in the field states, but that’s no excuse for passivity. Here, then, are practical steps you can take to reduce your “attack surface” and protect yourself against spyware like NSO’s.
The recent revelations concern a specific NSO spyware product known as Pegasus. They follow extensive prior studies of the company’s software from entities like the Citizen Lab, Amnesty International, Article 19, R3D, and SocialTIC. Here’s what we know about Pegasus specifically.
The software’s capabilities were outlined in what appears to be a promotional brochure from NSO Group dating to 2014 or earlier and made available when WikiLeaks published a trove of emails related to a different spyware firm, Italy’s Hacking Team. The brochure’s authenticity cannot be confirmed, and NSO has said it is not commenting further on Pegasus. But the document markets Pegasus aggressively, saying it provides “unlimited access to target’s mobile devices” and allows clients to “remotely and covertly collect information about your target’s relationships, location, phone calls, plans and activities — whenever and wherever they are.” The brochure also states the Pegasus can:
For all the hype, Pegasus is, however, just a glorified version of an old type of malware known as a Remote Access Trojan, or RAT: a program that allows an unauthorized party full access over a target device. In other words, while Pegasus may be potent, the security community knows well how to defend against this type of threat.
Let’s look at the different ways Pegasus can potentially infect phones — its various “agent installation vectors,” in the brochure’s own vernacular — and how to defend against each one.
There are numerous examples in reports of Pegasus attacks of journalists and human rights defenders receiving SMS and WhatsApp bait messages enjoining them to click malicious links. The links download spyware that lodges into devices through security holes in browsers and operating systems. This attack vector is called an Enhanced Social Engineer Message, or ESEM, in the leaked brochure. It states that “the chances that the target will click the link are totally dependent on the level of content credibility. The Pegasus solution provides a wide range of tools to compose a tailored and innocent message to lure the target to open the message.”
“The chances that the target will click the link are totally dependent on the level of content credibility.”
As the Committee to Protect Journalists has detailed, ESEM bait messages linked to Pegasus fall into various categories. Some claim to be from established organizations like banks, embassies, news agencies, or parcel delivery services. Others relate to personal matters, like work or alleged evidence of infidelity, or claim that the targeted person is facing some immediate security risk.
Future ESEM attacks may use different types of bait messages, which is why it’s important to treat any correspondence that tries to convince you to perform a digital action with caution. Here are some examples of what that means in practice:
Another way Pegasus infected devices in multiple cases was by intercepting a phone’s network traffic using what’s known as a man-in-the-middle, or MITM, attack, in which Pegasus intercepted unencrypted network traffic, like HTTP web requests, and redirected it toward malicious payloads. Pulling this off entailed either tricking the phone into connecting to a rogue portable device which pretends to be a cell tower nearby or gaining access to the target’s cellular carrier (plausible if the target is in a repressive regime where the government provides telecommunication services). This attack worked even if the phone was in mobile data-only mode, and not connected to Wi-Fi.
When Maati Monjib, the co-founder of the Freedom Now NGO and the Moroccan Association for Investigative Journalism, opened the iPhone Safari browser and typed yahoo.fr, Safari first tried going to http://yahoo.fr. Normally this would have redirected to https://fr.yahoo.com, an encrypted connection. But since Monjib’s connection was being intercepted, it instead redirected to a malicious third-party site which ultimately hacked his phone.
Typing just the website domain into a browser opens you to attacks, because your browser will attempt an unencrypted connection to the site.
Typing just the website domain (such as yahoo.fr) into a browser address bar without specifying a protocol (such as https://) opens the possibility for MITM attacks, because your browser by default will attempt an unencrypted HTTP connection to the site. Usually, you reach the genuine site, which immediately redirects you to a safe HTTPS connection. But if someone is tracking to hack your device, that first HTTP connection is enough of an opening to hijack your connection.
Some websites protect against this using a complicated security feature known as HTTP Strict Transport Security, which prevents your browser from ever making an unencrypted request to them, but you can’t always count on this, even for some websites that implement it correctly.
Here are some things you can do to prevent these kinds of attacks:
Unlike infection attempts which require that the target perform some action like clicking a link or opening an attachment, zero-click exploits are so called because they require no interaction from the target. All that is required is for the targeted person to have a particular vulnerable app or operating system installed. Amnesty International’s forensic report on the recently revealed Pegasus evidence states that some infections were transmitted through zero-click attacks leveraging the Apple Music and iMessage apps.
Your device should have the bare minimum of apps that you need.
This is not the first time NSO Group’s tools have been linked to zero-click attacks. A 2017 complaint against Panama’s former President Ricardo Martinelli states that journalists, political figures, union activists, and civic association leaders were targeted with Pegasus and rogue push notifications delivered to their devices, while in 2019 WhatsApp and Facebook filed a complaint claiming NSO Group developed malware capable of exploiting a zero-click vulnerability in WhatsApp.
As zero-click vulnerabilities by definition do not require any user interaction, they are the hardest to defend against. But users can reduce their chances of succumbing to these exploits by reducing what is known as their “attack surface” and by practicing device compartmentalization. Reducing your attack surface simply means minimizing the possible ways that your device may be infected. Device compartmentalization means spreading your data and apps across multiple devices.
Specifically, users can:
A final way an attacker can infect your phone is by physically interacting with it. According to the brochure, “when physical access to the device is an option, the Pegasus agent can be manually injected and installed in less than five minutes” — though it is unclear if the phone needs to be unlocked or if attackers are able to infect even a PIN-protected phone.
There seem to be no known cases of physically launched Pegasus attacks, though such exploits may be difficult to spot and distinguish from online attacks. Here’s how you can mitigate them:
Although Pegasus is a sophisticated piece of spyware, there are tangible steps you can take to minimize the chance that your devices will be infected. There’s no foolproof method to eliminate your risk entirely, but there are definitely things you can do to lower that risk, and there’s certainly no need to resort to the defeatist view that we’re “no match” for Pegasus.