Several weeks ago, Amnesty International published a detailed report describing a new case of what appears to be the threat actor NSO Group deploying their notorious Pegasus spyware against a new target, Moroccan journalist Omar Radi. This is only the latest such attack amidst a long, sordid history of similar attacks attributed to NSO Group targeting journalists and human rights defenders; a pernicious pattern of targeted surveillance which has been extensively documented and researched by organizations such as Citizen Lab, Amnesty International, and Article 19, R3D, and SocialTIC.
But while Pegasus is a sophisticated piece of spyware weaponizing various zero-day exploits, the installation vectors Pegasus relies on to successfully infect a target device may be stymied by basic operational security procedures such as not clicking unknown links, practicing device compartmentalization (such as using separate devices for separate apps), and having a VPN on mobile devices.
“Unlimited access to the target’s mobile device”
In 2015, WikiLeaks published The Hackingteam Archives which consisted of more than one million emails from another spyware vendor, HackingTeam. Some of those emails include HackingTeam members discussing their rival NSO Group, and certain emails from 2014 include what appears to be a promotional brochure from NSO Group outlining Pegasus' capabilities. The brochure is informative in that it reveals information about the methods NSO Group deploys to attempt to install Pegasus onto targets' devices, which is further corroborated by the various case studies that human rights organizations have put out analyzing victims' devices.
NSO Group markets Pegasus as providing "unlimited access to target's mobile devices", allowing clients to "remotely and covertly collect information about your target's relationships, location, phone calls, plans and activities – whenever and wherever they are". Specifically, Pegasus is advertised as having the following capabilities:
- Monitor voice and VoIP calls in real-time
- Siphon data from the phone, including contacts, passwords, and files, as well as encrypted content
- Operate as an "environmental wiretap", which is to say listen through the mic, effectively turning the phone into a bug
- Monitor communications taking place in a number of applications, including WhatsApp, Facebook, Skype, Blackberry Messenger, and Viber
- Track the phone's (and in turn, the target's) real-time location via GPS
Based on the above capabilities Pegasus appears to be a particularly expensive Remote Access Trojan (RAT). Pegasus can also be described as a mobile Advanced Persistent Threat (mAPT). Mobile because it specifically targets mobile devices (both Android and iOS, as well as BlackBerry devices), not desktop or laptop computers; advanced because it uses a number of sophisticated and previously not publicly known infection vectors (known as 0-day vulnerabilities); persistent because it lingers on the target device until the attacker decides they no longer want it there; and a threat because it allows complete compromise of the target device.
Hacking the Phone
According to the NSO Group brochure, there are four “agent installation vectors” for getting Pegasus onto a target device. The first two vectors–Over-the-Air (OTA) and Enhanced Social Engineering Message (ESEM)–allow for remote installation, while the last two–Tactical Network Element and Physical–require proximity to the target.
Marketed as an "NSO uniqueness, which significantly differentiates the Pegasus solution from any other solution available in the market", the Over-the-Air (OTA) installation vector works by sending a stealth push notification to the target's phone and requires no interaction from the target in the form of either clicking links or opening messages, rendering the spyware installation "totally silent and invisible". This kind of attack is known as a 'zero-click' exploit. However, the applicability of the OTA vector appears to be limited, with a footnote noting that "some devices do not support it; some service providers block push messages”, as well as noting that the attack will not work if “target phone number unknown."
Here are some examples of specific attacks that put Pegasus on a phone using zero-click exploits:
- A 2017 complaint filed by the U.S. in the U.S. District Court for the Southern District of Florida against Panama’s former president Ricardo Martinelli states that Martinelli "misappropriated government resources to illegally intercept and record the private communications of at least 150 individuals whom he identified as 'targets'", with journalists, political figures, union activists, and civic association leaders being among Martinelli's listed targets. One of the installation vectors by which it is stated that Pegasus was operated at the behest of Martinelli was "by electronically pushing a package of tiles that were installed directly on the phone".
- In 2018, Vice published an account from an anonymous “entrepreneur'”who appears to have witnessed a zero-click exploit of their phone during an NSO Group demonstration.
- While not using the push notification exploit referenced in the OTA installation vector section of the product manual (which may be talking about various exploits possible via WAP push Service Load messages), many more examples of another NSO zero-click installation vector being utilized nonetheless appeared in 2019 when WhatsApp announced that NSO Group had leveraged a zero-click RCE (Remote Code Execution) exploit in their app which allowed NSO Group to successfully infect targets simply by placing a call via WhatsApp to the target; "the person did not even have to answer the call" to be infected. According to the WhatsApp complaint, NSO Group attempted to infect more than 1,400 phone numbers via this attack vector, with "attorneys, journalists, human rights activists, political dissidents, diplomats, and other senior foreign government officials" being more than 100 of those targeted by NSO Group via the WhatsApp exploit.
The original OTA attack alluded to in the Pegasus brochure is likely no longer effective as the brochure was published in 2014 and modern devices typically do not support WAP Service Load push messages. However, as the WhatsApp exploit demonstrates, NSO Group is continuously updating their installation vectors to leverage new zero-click vulnerabilities.
As zero-click vulnerabilities by definition do not require any user interaction, they are the hardest to defend against. There are basic operational security steps users can take to lock down their devices, however even if all security best practices are followed, they are not a foolproof guarantee that a device will be protected against a new attack. Device hardening can be achieved through the twin security principles of attack surface reduction and device compartmentalization.
To reduce an attack surface is to minimize the possible ways that your device may be infected. Much like the fewer unlocked doors your home has, the fewer opportunities a burglar has to enter, so too the fewer apps on your phone, the fewer doors an adversary has to sneak in. Be sure to regularly update both your phone's underlying operating system and individual installed apps as even 0-day vulnerabilities can be inadvertently patched by software updates.
Speaking of apps, regularly perform an audit of your installed apps (and their permissions) and remove any apps that you no longer need or don't actively use. It is safer to remove a seldom-used app and download it again when you actually need it than to let it remain on your phone when you don’t need it.
For apps which you can't uninstall because you use on a regular basis, you may consider practicing device compartmentalization. For instance, consider the WhatsApp exploit. If a phone only had WhatsApp installed, when that phone was compromised it could only be used to exfiltrate WhatsApp data, but not any other sensitive information that would have been on your other phone–your email, calendar, photos, and Signal messages would be safe, for example (though the compromise would still allow NSO Group to use the phone as a wiretap and a tracking device). During particularly sensitive meetings, you may also wish to physically compartmentalize your phone by leaving it in another room in a tamper bag.
When OTA attacks are not possible, NSO Group’s brochure states that they need to resort to sending a custom-crafted message–via SMS, email, or messaging app like WhatsApp–to the target hoping that they’ll click on a link which leads to a malicious website, which then compromises the device and installs Pegasus. This is what the brochure refers to as an Enhanced Social Engineer Message (ESEM). As the marketing materials point out, "the chances that the target will click the link are totally dependent on the level of content credibility. The Pegasus solution provides a wide range of tools to compose a tailored and innocent message to lure the target to open the message." In other words, ESEM is simply NSO Group marketing-speak for spear phishing–phishing attacks custom-tailored to have the bait appeal to specific individuals, versus mass impersonal phishing campaigns like those you may get in your inbox asking you to login to a bank you don't even have an account with.
Alongside R3D, SocialTic and Article19, Citizen Lab has extensively documented a number of NSO Group attacks which deployed the ESEM installation vector against journalists and human rights defenders between 2015 and 2018. Known ESEM-based attacks attributed to NSO Group include those launched against the following individuals and organizations, all of which received various bait text messages which included a malicious link in the message that if clicked would have led to the installation of Pegasus:
- New York Times journalist Ben Hubbard received SMS messages claiming to have linked information about “Ben Hubbard and the story of the Saudi Royal Family"
- Journalist Griselda Triana (producer and host of the radio show "La otredad", as well as the wife of slain journalist Javier Valdez Cárdenas) received multiple text messages related to the death of her husband
- Andrés Villarreal and Ismael Bojórquez, journalists and directors at the Ríodoce newspaper, received multiple SMS messages claiming to have information about the killing of journalist Javier Valdez Cárdenas, some of which were presented as news alerts
- Claudio X. González, director of the anti-corruption organization Mexicanos Contra la Corrupción y la Impunidad (MCCI), received multiple SMS messages claiming to be links to news stories about him
- Human rights defenders and lawyers Karla Micheel Salas and David Peña received multiple SMS messages purporting to be 'service messages' as well as messages to purported news stories and one message which was presented as a link invitation to a wake
- A phone belonging to the Interdisciplinary Group of Independent Experts, a group convened by the Inter-American Commission on Human Rights to investigate the 2014 Iguala mass kidnapping, received at least two text messages which purported to be link invitations to a wake
- Three Mexican politicians, Ricardo Anaya Cortés, Roberto Gil Zuarth, Fernando Rodríguez Doval, received multiple text messages purporting to be links to news stories, as well a link claiming that a rival political party had said something about one of the politicians
- Mexican journalists Carmen Aristegui (as well her son, a minor), Rafael Cabrera, Sebastián Barragán, Carlos Loret de Mola, Salvador Camarena, Daniel Lizárraga; civil society organization Centro Miguel Agustín Pro Juárez staff Mario Patrón, Stephanie Brewer, and Santiago Aguirre; and Mexican Institute for Competitiveness staff Juan Pardinas and Alexandra Zapata, were all targeted in protracted campaigns which saw them receive multiple SMS messages claiming to be everything from official notifications from a US Embassy to messages purporting to be AMBER Alerts, as well as work-related and sexually-themed texts with accompanying links
- Simon Barquera, a researcher at the Instituto Nacional de Salud Pública; Alejandro Calvillo, the Director of the consumer rights organization El Poder del Consumidor; and Luis Encarnación, the Director of the Coalición ContraPESO, an obesity prevention coalition, all worked to support Mexico’s soda tax and received text messages purporting to be links to news articles, linked claims that relatives had died or that their children had been injured, as well as linked sexual taunts
- Human rights defender Ahmed Mansoor received multiple text messages enjoining him to click a link which purported to contain "new secrets" about people being tortured in jails in the United Arab Emirates
- Saudi dissident activist Omar Abdulaziz received SMS messages purporting to be package tracking notifications with links to parcel tracking services
- An unnamed Amnesty International staff member received a WhatsApp message purporting to be a link which had information about a protest, while a Saudi activist living abroad received an SMS message claiming to contain information about a court order issued against them
- An Amnesty International investigation found that Maati Monjib, a human rights defender and journalist, and Abdessadak El Bouchattaoui, a human rights lawyer, received SMS messages throughout 2018-9 with multiple lures including messages claiming to be links to videos, ebooks, petitions, app updates, and real estate listings
- The United States complaint against former Panamanian president Ricardo Martinelli previously described in the section on known OTA attacks further mentions that aside from "pushing" the spyware onto phones of “targets” (including journalists and civic society members amongst others), Pegasus was also installed by "sending the target a text message containing a link that would initiate installation when the target clicked on it"
- The Office of the United Nations High Commissioner for Human Rights published a press release in January 2020 regarding the hacking of Amazon CEO Jeff Bezos' phone, stating that "The forensic analysis assessed that the intrusion likely was undertaken through the use of a prominent spyware product identified in other Saudi surveillance cases, such as the NSO Group's Pegasus-3 malware", with an annex to the press release further stating that "Experts advised that the most likely explanation for the anomalous data egress was use of mobile spyware such as NSO Group’s Pegasus or, less likely, Hacking Team’s Galileo". Specifically, Bezos received a WhatsApp message from Saudi Crown Prince Mohammed bin Salman which contained a malicious file purporting to be a video, which when downloaded led to malware being installed, similar to the way malicious email attachments often lead to users inadvertently installing malware on their systems.
As the ESEM Pegasus installation vector is essentially just a spear phishing campaign, all of the usual advice to avoid falling for sophisticated, targeted phishing attacks applies.
The Committee to Protect Journalists (CPJ) has issued a security advisory for staying vigilant against Pegasus attacks and has classified the various ESEM bait messages into various categories, which may include:
- Messages claiming to be from established organizations like banks, embassies, news agencies, or parcel delivery services
- Messages claiming to relate to personal matters like alleged evidence of infidelity
- Work-related messages
- Messages which claim that the targeted person is facing some immediate security risk
To avoid Pegasus ESEM attacks, you should not only be wary of any messages from these categories, but also of any messages that include a link at all. Future ESEM attacks may evolve to use different types of bait messages.
- If you receive a message with a link, particularly if it includes a sense of urgency (for instance, saying a package is about to arrive, or you're going to miss out on a breaking news story, or your credit card is going to be fraudulently charged), avoid the impulse to immediately click on it.
- If the link purports to be to a known site, double-check that the link actually goes to that website. This may be easier to spot in some cases–like if the link has a typo–than in other cases. For example, if the link uses different letters across varying character sets that look alike (a homograph attack), such as a Cyrillic 'О' being used to mimic a Latin 'O'.
- If the link appears to be a shortened URL, use a URL expander service to reveal the actual link the shortened URL points to before clicking on the shortened link.
- Confirm that the person you think sent you the link is the person who actually sent you the link, to make sure that their account wasn't hacked or their phone number spoofed. You can do this using out-of-band verification, which means using another communication channel to verify that the message is legitimate. For instance, if the link came via a text or email message, give the sender a call. This only works if you know the person who sent the link.
- If you still feel that there’s a compelling reason to open the link, practice device compartmentalization by using a secondary device which does not have any sensitive information on it to open it. Keep in mind that if the secondary device is infected, it may still be used as a surveillance device with the spyware activating its microphone or camera. Keep the secondary device in a Faraday bag when not in use, and regularly perform a factory reset.
- Use non-default browsers. According to a section titled 'Installation Failure' in the leaked Pegasus documentation, installation may fail if the target is running an unsupported browser; specifically, Pegasus installation will fail if "the default browser of the device was previously replaced by the target. Installation from browsers other than the device default (and also Chrome for Android based devices) is not supported by the system." However, as the documentation is now six years old, there is no guarantee that Pegasus hasn't evolved to now support other browsers.
- If there is ever any doubt about a given link, the safest operational security measure is to avoid opening the link on the target device to prevent the risk of infection via the ESEM installation vector.
Tactical Network Element
Another way NSO Group might infect your phone with Pegasus is by intercepting your phone’s network traffic using man-in-the-middle (MITM) attack, then redirecting unencrypted network traffic (such as HTTP) to download a malicious payload and compromise the target device. In order to intercept network traffic on a phone, the attacker either needs to trick the target phone into connecting to a MITM device that’s physically close-by or have access to the cellular carrier to perform interception from within the carrier's own network.
“Tactical Network Element” is listed as a “range limited” installation vector meaning it requires proximity to the target. Specifically, "The Pegasus agent can be silently injected once the number is acquired using tactical network element such as Base Transceiver Station (BTS)". In January 2020, Business Insider published a photo of what appears to be such a tactical network element being shown off by NSO Group, taken at the 2019 Milipol security conference in Paris. The device was exhibited in a booth designed to look like the back of a van and is housed in a carrier bag, ostensibly to advertise the device's portability.
Zooming in on the labels of the various components of the device in the Insider photo lends further evidence to the device being precisely such a Tactical Network Element as that described by NSO Group’s brochure–a Base Transceiver Station with 'Femto X2' cells and the “3G B1” components, indicating that NSO at the least appears to have the capability to surveil 3G connections: though the case studies discussed below appear to indicate that 4G/LTE connections may presently also be intercepted.
Amnesty International has reported two cases of potential Tactical Network Element installation vector use in suspected Pegasus attacks. In the following case studies, the MITM attacks intercepted unencrypted HTTP traffic and redirected it to malicious websites instead of the actual sites the targets tried to go to. The MITM attacks are particularly insidious because if you just type a domain name into a web browser, it defaults to trying an unencrypted HTTP connection first–which may then redirect to an HTTPS connection, but that first HTTP connection is enough for the MITM attack to hijack and redirect the connection.
In 2019, while analyzing the Safari browsing history of Maati Monjib's iPhone (Monjib is the co-founder of the Freedom Now NGO as well as the Moroccan Association for Investigative Journalism), Amnesty International discovered unusual browsing patterns. When he opened the iPhone Safari browser and typed yahoo.fr, Safari first tried going to http://yahoo.fr which normally would have redirected to https://fr.yahoo.com; however, Monjib’s connection was being intercepted, it instead redirected to a malicious third-party site which ultimately hacked his phone. The MITM, instead of mounting a downgrade attack, prevented the connection from being upgraded to HTTPS in the first place.
From 2019 to 2020, Moroccan journalist and activist Omar Radi was targeted in a similar fashion to Monjib, with an analysis of his iPhone also indicating malicious website redirection.
While it is not clear in the case studies whether the attacks were conducted via a Tactical Network Element or via surveillance which was carried out on the telecom carrier’s infrastructure itself, the preventative measures to guard network traffic are the same. Typing just the website domain (such as yahoo.fr) into a browser address bar without specifying a protocol designation (such as https://) opens the possibility for MITM attacks if the website does not use HTTP Strict Transport Security (HSTS), and even if it does there are edge cases where a website may still be vulnerable to MITM attacks, for instance if it's the first time that website is being visited in the browser and the website is not included in the browser's HSTS preload list.
An alternative to the cumbersome and not entirely effective countermeasure of always typing out https:// is to use a Virtual Private Network (VPN) on both desktop and mobile devices. A VPN tunnels all connections securely to the VPN server, which then accesses websites on your behalf and relays them back to you. This means that a Tactical Network Element will likely not be able to perform a successful MITM attack as your connection is encrypted to the VPN.
The “physical” installation vector, as the name suggests, requires physical access to the target's device. According to the NSO brochure, "When physical access to the device is an option, the Pegasus agent can be manually injected and installed in less than five minutes", though it is unclear if the phone needs to be unlocked or if NSO operatives are able to infect even a PIN-protected phone, for instance.
There seem to be no known cases of NSO Group deploying the Physical installation vector, though such an attack may be difficult to spot. There do, however, appear to be cases where researchers working on exposing NSO spyware have been invited to in-person meetings under false pretenses. Lawyers working on a lawsuit against NSO Group were similarly baited with requests for in-person meetings), which could manufacture opportunities for potential physical device compromise (there is no evidence that they have actually done so).
To foil physical attacks against devices, a line of sight should always be maintained with the device. If the device is ever out of sight–whether taken out of view by a customs agent, or left behind on a dinner table while going to the restroom–then it has the potential to be compromised via the physical installation vector.
If a device ever needs to be left unattended, such as deposited in a locker during an embassy visit or left behind in a hotel room, the device should be placed in a tamper bag. While this will not prevent the device from being tampered with, it will at the least provide a ready alert that the device has been taken out of the tamper bag and might have been tampered with, at which point the device should no longer be used.
Aside from tamper bags, device compartmentalization should also be practiced when entering potentially hostile environments such as government buildings like embassies and consulates, or when going through border checkpoints. Travel and embassy burner phones should ideally be used when travelling or visiting government buildings instead of primary, everyday devices.
To sum up, the key takeaway of this analysis of Pegasus installation vector case studies is that the success of Pegasus installations may be limited by deploying basic operational security procedures across your workflow such as avoiding clicking on suspect links, compartmentalizing devices, and using a good VPN across all devices. Pegasus deploys sophisticated zero-day infection vectors to entrench its spyware onto mobile devices, but that infection is dependent on installation vectors which may readily be guarded against.