The Pegasus spyware, which can perform far-reaching actions on smartphones, has been discovered on many devices around the world, according to recent research by a journalists’ alliance. Sensitive data can fall into the wrong hands this way. The problem is that both prevention and detection of Pegasus are difficult if adequate security mechanisms are not in place. And, as our EMEA study found, this is the case in very few companies. Learn in our blog article what Pegasus is, about the risk posed by the spyware, and how you can best protect yourself.
What is Pegasus?
Pegasus is surveillance software from the Israeli NSO Group that is officially intended for surveilling criminals. However, an international alliance of journalists recently made public that traces of the software had also been discovered on the smartphones of politicians, journalists, human rights activists, business people and their relatives.
The Pegasus software exploits previously unknown vulnerabilities in operating systems – zero-day exploits – and can compromise both Apple and Android devices. Once on a device, it can record conversations, bypass message encryption by reading messages before they are encrypted or after they are decrypted, activate the camera and determine the user’s location.
How does Pegasus get onto the devices?
The software can reach devices in various and constantly changing ways. These are just a few of the options that have been observed frequently:
- Via an SMS message containing a link that leads to the installation of the software, e.g. a fake tracking message (Smishing).
- Via a connection to a compromised network, whether through a router or an IMSI catcher (Malicious WiFi).
- Via compromised DNS servers that resolve names to malicious servers (Malicious DNS).
- Via Apple system services with web integration, such as Apple Music and Apple Photos.
- For iPhones and iPads, via an iMessage crafted so that the software is installed without any user interaction (Zero Click).
Who is affected and how high is the risk?
The German Federal Office for Information Security (BSI) assumes that this is not a mass attack but a series of targeted attacks. Nor is there any indication yet that German targets were affected by the activities.
Nevertheless, the BSI rates the threat as high. Firstly, because the current iOS and Android versions are also considered vulnerable. Secondly, because the software is expected to keep using new exploits to gain access to devices. Consequently, the risk posed by Pegasus would not disappear even after the vulnerabilities currently being exploited are fixed.
How can enterprises protect themselves against Pegasus?
Both prevention and detection of Pegasus are difficult, for three reasons. The software is constantly evolving and exploiting new vulnerabilities. The zero click approach allows it to be installed without any user interaction, so even a vigilant user has no chance to prevent the installation. And the restrictions and settings available in Mobile Device Management systems are in most cases not sufficient to detect the software once it has reached the device, let alone to prevent the attack.
In addition, we always recommend making employees aware of security issues, so that they don’t click on a dubious link or use a public WiFi network. In the case of Pegasus, however, even a careful user can do nothing against some attack scenarios (see the Zero Click scenario above).
As a reactive measure, the Mobile Verification Toolkit (MVT) provided by Amnesty International is also recommended: https://github.com/mvt-project/mvt. It helps to detect infected devices, although, according to the organization, this is more difficult on Android devices than on iPhones and iPads.
Do you have questions?
If we can help you protect your devices and data and advise you on effective and modern security measures, please feel free to contact us!