What is Pegasus spyware and how does it hack phones? | Surveillance | The Guardian
<https://www.theguardian.com/news/2021/jul/18/what-is-pegasus-spyware-and-how...>

What is Pegasus spyware and how does it hack phones?

Pegasus can infect a phone through ‘zero-click’ attacks, which do not require any interaction from the phone’s owner to succeed.

NSO Group software can record your calls, copy your messages and secretly film you

David Pegg and Sam Cutler
Sun 18 Jul 2021 17.00 BST
Last modified on Mon 19 Jul 2021 09.53 BST

It is the name for perhaps the most powerful piece of spyware ever developed – certainly by a private company. Once it has wormed its way on to your phone, without you noticing, it can turn it into a 24-hour surveillance device. It can copy messages you send or receive, harvest your photos and record your calls. It might secretly film you through your phone’s camera, or activate the microphone to record your conversations. It can potentially pinpoint where you are, where you’ve been, and who you’ve met.

Pegasus is the hacking software – or spyware – that is developed, marketed and licensed to governments around the world by the Israeli company NSO Group. It has the capability to infect billions of phones running either iOS or Android operating systems.

The earliest version of Pegasus discovered, which was captured by researchers in 2016, infected phones through what is called spear-phishing – text messages or emails that trick a target into clicking on a malicious link.

Since then, however, NSO’s attack capabilities have become more advanced. Pegasus infections can be achieved through so-called “zero-click” attacks, which do not require any interaction from the phone’s owner in order to succeed. These will often exploit “zero-day” vulnerabilities, which are flaws or bugs in an operating system that the mobile phone’s manufacturer does not yet know about and so has not been able to fix.

In 2019 WhatsApp revealed that NSO’s software had been used to send malware to more than 1,400 phones by exploiting a zero-day vulnerability. Simply by placing a WhatsApp call to a target device, malicious Pegasus code could be installed on the phone, even if the target never answered the call. More recently NSO has begun exploiting vulnerabilities in Apple’s iMessage software, giving it backdoor access to hundreds of millions of iPhones. Apple says it is continually updating its software to prevent such attacks.

Technical understanding of Pegasus, and how to find the evidential breadcrumbs it leaves on a phone after a successful infection, has been improved by research conducted by Claudio Guarnieri, who runs Amnesty International’s Berlin-based Security Lab.

“Things are becoming a lot more complicated for the targets to notice,” said Guarnieri, who explained that NSO clients had largely abandoned suspicious SMS messages for more subtle zero-click attacks.

For companies such as NSO, exploiting software that is either installed on devices by default, such as iMessage, or is very widely used, such as WhatsApp, is especially attractive, because it dramatically increases the number of mobile phones Pegasus can successfully attack.

As the technical partner of the Pegasus project, an international consortium of media organisations including the Guardian, Amnesty’s lab has discovered traces of successful attacks by Pegasus customers on iPhones running up-to-date versions of Apple’s iOS. The attacks were carried out as recently as July 2021.

Forensic analysis of the phones of victims has also identified evidence suggesting NSO’s constant search for weaknesses may have expanded to other commonplace apps. In some of the cases analysed by Guarnieri and his team, peculiar network traffic relating to Apple’s Photos and Music apps can be seen at the times of the infections, suggesting NSO may have begun leveraging new vulnerabilities.

Where neither spear-phishing nor zero-click attacks succeed, Pegasus can also be installed over a wireless transceiver located near a target, or, according to an NSO brochure, simply manually installed if an agent can steal the target’s phone.

Once installed on a phone, Pegasus can harvest more or less any information or extract any file. SMS messages, address books, call history, calendars, emails and internet browsing histories can all be exfiltrated.

“When an iPhone is compromised, it’s done in such a way that allows the attacker to obtain so-called root privileges, or administrative privileges, on the device,” said Guarnieri. “Pegasus can do more than what the owner of the device can do.”

Lawyers for NSO claimed that Amnesty International’s technical report was conjecture, describing it as “a compilation of speculative and baseless assumptions”. However, they did not dispute any of its specific findings or conclusions.

NSO has invested substantial effort in making its software difficult to detect and Pegasus infections are now very hard to identify. Security researchers suspect more recent versions of Pegasus only ever inhabit the phone’s temporary memory, rather than its hard drive, meaning that once the phone is powered down virtually all trace of the software vanishes.

One of the most significant challenges that Pegasus presents to journalists and human rights defenders is the fact that the software exploits undiscovered vulnerabilities, meaning even the most security-conscious mobile phone user cannot prevent an attack.

“This is a question that gets asked to me pretty much every time we do forensics with somebody: ‘What can I do to stop this happening again?’” said Guarnieri. “The real honest answer is nothing.”
Good morning, Alberto Cammozzo via nexa <nexa@server-nexa.polito.it> writes:
<https://www.theguardian.com/news/2021/jul/18/what-is-pegasus-spyware-and-how...>
What is Pegasus spyware and how does it hack phones? Pegasus can infect a phone through ‘zero-click’ attacks, which do not require any interaction from the phone’s owner to succeed.
NSO Group software can record your calls, copy your messages and secretly film you David Pegg and Sam Cutler Sun 18 Jul 2021 17.00 BST
Last modified on Mon 19 Jul 2021 09.53 BST
Thanks a lot Alberto for the reference.

Unfortunately, as it seems to me happens far too often with many, too many "mainstream" press articles, references to the SOURCES are /glaringly/ missing. I will try to make up for this unbearable carelessness, at least here.... ALSO BECAUSE it is _exactly_ the "details" (of how the story is told) that make the difference... in addition to the lack of references to the technical documents.

The "root news" of the whole cluster is, I believe, this one, published by Forbidden Stories [1]:

https://forbiddenstories.org/about-the-pegasus-project/

«About The Pegasus Project»

--8<---------------cut here---------------start------------->8---
[...]

The Forbidden Stories consortium discovered that, contrary to what NSO Group has claimed for many years, including in a recent transparency report, this spyware has been widely misused. The leaked data showed that at least 180 journalists have been selected as targets in countries like India, Mexico, Hungary, Morocco and France, among others. Potential targets also include human rights defenders, academics, businesspeople, lawyers, doctors, union leaders, diplomats, politicians and several heads of states.

In a letter shared with Forbidden Stories and its partners, NSO Group contended that the consortium’s reporting was based on “wrong assumptions” and “uncorroborated theories.” NSO Group insisted that the analysis of the data by journalists who were part of the Pegasus Project relied on a “misleading interpretation of leaked data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers targets of Pegasus or any other NSO products.” HLR refers to Home Location Register – a database that is essential to operating cellular phone networks.

A person with direct knowledge of NSO’s systems, speaking on the condition of anonymity, told journalists from the Pegasus Project that an HLR lookup is a key step of determining certain characteristics of a phone, such as whether it is turned on or in a country that allows Pegasus targeting.

[...]

The consortium met with victims from all over the world whose phone numbers appeared in the data. The forensic analyses of their phones – conducted by Amnesty International’s Security Lab and peer-reviewed by the Canadian organization Citizen Lab – was able to confirm an infection or attempted infection with NSO Group’s spyware in 85% of cases, or 37 in total. Such a rate is remarkably high given the state-of-the-art spyware is supposed to be undetectable on the device in compromises.

[...]

The project shines a harsh light on the business of NSO Group, which, despite claiming it vets its clients based on their human rights track records, decided to sell its product to authoritarian regimes such as Azerbaijan, the United Arab Emirates and Saudi Arabia. Insiders disclosed the important role played by the Israeli Ministry of Defense when it came to picking NSO Group’s clients. Multiple sources corroborated the fact that Israeli authorities pushed for Saudi Arabia to be added to the list of customers despite NSO Group’s hesitations. The company’s lawyer denied “NSO Group takes governmental direction regarding customers.”
--8<---------------cut here---------------end--------------->8---

I believe it will not escape the more streetwise (indeed, _conspiracy-minded_) among you that the /alleged/ involvement of the Israeli minister would open up interesting geopolitical scenarios with regard to so-called international terrorism.

The report (which I have not yet read) describing how the forensic analysis was conducted was published by Amnesty International yesterday:

https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-repo...

«Forensic Methodology Report: How to catch NSO Group’s Pegasus»
18 July 2021, 17:00 UTC

--8<---------------cut here---------------start------------->8---
[...]

In this Forensic Methodology Report, Amnesty International is sharing its methodology and publishing an open-source mobile forensics tool and detailed technical indicators, in order to assist information security researchers and civil society with detecting and responding to these serious threats.

This report documents the forensic traces left on iOS and Android devices following targeting with the Pegasus spyware. This includes forensic records linking recent Pegasus infections back to the 2016 Pegasus payload used to target the HRD Ahmed Mansoor.

The Pegasus attacks detailed in this report and accompanying appendices are from 2014 up to as recently as July 2021. These also include so-called “zero-click” attacks which do not require any interaction from the target. Zero-click attacks have been observed since May 2018 and continue until now. Most recently, a successful “zero-click” attack has been observed exploiting multiple zero-days to attack a fully patched iPhone 12 running iOS 14.6 in July 2021.

Sections 1 to 8 of this report outline the forensic traces left on mobile devices following a Pegasus infection. This evidence has been collected from the phones of HRDs and journalists in multiple countries.

Finally, in section 9 the report documents the evolution of the Pegasus network infrastructure since 2016. NSO Group has redesigned their attack infrastructure by employing multiple layers of domains and servers. Repeated operational security mistakes have allowed the Amnesty International Security Lab to maintain continued visibility into this infrastructure. We are publishing a set of 700 Pegasus-related domains.

[...]
--8<---------------cut here---------------end--------------->8---

Regards, 380° [...]

[1] https://forbiddenstories.org/about-us/

-- 
380° (Giovanni Biscuolo public alter ego)

«We, incompetent as we are, have no standing to suggest anything»

Disinformation flourishes because many people care deeply about injustice but very few check the facts. Ask me about <https://stallmansupport.org>.