Pegasus spyware issue – Explained, pointwise

Introduction

Recently, a global collaborative investigative effort, titled the Pegasus project, revealed that Israeli company NSO Group’s Pegasus spyware targeted over 300 mobile phone numbers in India. As per reports, at least 40 journalists, Cabinet Ministers, and holders of constitutional positions were possibly subjected to surveillance.

The reports are based on a leaked global database of 50,000 telephone numbers.

Earlier instance of Pegasus in India: In 2019 also, Facebook-owned WhatsApp had confirmed use of Pegasus to target journalists and human right activists in India. In that case it was alleged that the NSO Group targeted around 1,400 WhatsApp users with Pegasus. Among those then targeted in India were several human rights activists and lawyers working in tribal areas, an Elgar Parishad case accused, a Bhima Koregaon case lawyer and others.

What is Pegasus?
  • It is a spyware created by NSO Group, an Israeli cybersecurity firm founded in 2010.
  • The NSO Group’s founders come from Unit 8200 – Israel’s elite defence force. It is also the Israel Defence Force’s largest military unit and probably the foremost technical intelligence agency in the world.
  • Pegasus spyware can hack any iOS or Android device and steal a variety of data from the infected device.
  • It works by sending an exploit link and if the target user clicks on the link, the malware or the code that allows the surveillance is installed on the user’s phone.
  • Pegasus can be deleted remotely. It’s very hard to detect and once it’s deleted, leaves few traces.
  • It can also be used to plant messages/mails which is why there are theories it may have been used to plant fake evidence to implicate activists in the Bhima Koregaon case.
  • Purpose: Pegasus is designed for three main activities:
    • collection of historic data on  a device without user knowledge
    •  continuous  monitoring of activity and gathering of personal information and
    • transmission of this data to third parties.
  • Israel, identifies Pegasus as a cyberweapon, and claims that its exports are controlled.
How Pegasus is different this time?

Pegasus spyware has evolved from its earlier spear-phishing methods using text links or messages to ‘zero-click’ attacks which do not require any action from the phone’s user. It is the worrying aspect of spyware.

  • It helps spyware like Pegasus to gain control over a device without human interaction or human error.
  • Most of these attacks exploit software that receives data even before it can determine whether what is coming in is trustworthy or not, like an email client.
  • They are hard to detect given their nature and hence even harder to prevent. Detection becomes even harder in encrypted environments, where there is no visibility on the data packets being sent or received.
Must Read: What is a Zero-Click and a spear-phishing attack? – Explained
How does Pegasus infiltrate devices?
  • Pegasus utilizes “zero click exploits” that do not require the victim to do anything. Instead, the spyware is designed to take advantage of bugs in popular apps such as iMessage and WhatsApp to infiltrate the system.
  • Pegasus can also use unsecured websites to infiltrate a device. These are called network injection attacks and also happen without the victim’s intervention.
  • Once inside, Pegasus seeks root privileges (Root privileges is a level of control over the phone that is beyond what a regular user has). It enables Pegasus to establish communications with its controllers through an anonymised network of internet addresses and servers. It can then start transmitting any data stored on the phone to its command-and-control centres. This level of control also means Pegasus can turn on the phone’s cameras and microphones to turn it into a spying device without the owner’s knowledge.
Must Read: State of surveillance in India – Explained, pointwise
Implications of Pegasus spyware issue
  • National security implications: The use of Pegasus poses a national security risk. Who else will have access to that information? How much geopolitics is now influenced by these shadowy cyber weapons?
  • The issue also indicates that surveillance rules in India are not as per global standards. This hinders India’s ability to enter data sharing agreements, which allow government agencies to access data stored overseas when required, with other countries.
  • Weakness of India’s cyberwarfare capacity: Beyond national security, the Pegasus revelations highlight a disturbing weakness in India’s cyber warfare capacity. If it is indeed true that Indian government agencies had to purchase a foreign commercial cyber-weapon for their needs, then we have advertised a strategic vulnerability that is bound to be exploited unless rectified quickly.
  • Misuse of data insights: Vendors of commercial cyber-weapons can get insights as to how their product is being used. This information can be misused by making it available to their governments.
Must Read: Surveillance laws in India and privacy concerns – Explained
Challenges
  • Checks and balances: With the increasing usage of such tools both by the countries and criminal elements across the world, one important challenge is of appropriate checks and balances that can be built up for preventing misuse of such tools.
  • Detection is difficult: NSO has invested substantial effort in making its software difficult to detect and Pegasus infections are now very hard to identify.
  • Duopoly of two Operating systems: Present smartphone market, dominated by just two operating systems – Android & iOS, also makes it easier for companies like NSO Group to carry out the attacks. The scale of these monopolies or duopolies means there’s not much variability. Variability makes it harder for cyber offense operations.
Suggestions/Measures

Users

  • Smartphones should always be updated. Doing so will ensure that one’s phone is susceptible to fewer exploits.
  • Arming oneself with right knowledge about digital security will help.

Government

  • Legal framework for intelligence agencies: The intelligence agencies in India must be provided with a legal framework for their existence and their functioning must be under Parliamentary oversight and scrutiny”. This will also ensure civil liberties and rule of law are protected. The Shah Commission and the LP Singh Committee recommendations need to be looked into.
  • Governance framework for surveillance: Pegasus shows that any country that can afford a few thousand dollars can hack the smartphones of heads of government. Hence, the need for a governance framework covering surveillance and information operations is necessary for national security
  • Curtailing discretion: The laws in India allow for surveillance for reasons including the interest of public safety where it is necessary or expedient so to do in the interests of the sovereignty and integrity of India” and for “public order or for preventing incitement to the commission of an offence”. This is a lot of discretion here, which often leads to abuse of these powers. Hence, proper limits to discretion should be laid out.
  • Trans-national treaties: We urgently need trans-national treaties along the lines of the Paris climate accord to collectively make it difficult for rogue governments and corporations to implement surveillance at scale.
Way forward

India lacks offensive cyber capacity and is thus not a credible cyber power. It needs a serious, realist, non-partisan policy debate on the development and governance of national cyber capabilities, without compromising on the fundamental values of our democracy.

Print Friendly and PDF