The infamous Pegasus spyware

Read more about the advanced Pegasus spyware here. We tell the story of one of the most notorious forms of spyware.

16-10-2023 - 7 minute read. Posted in: malware.


We live in a world where our privacy and security are highly valued but also very much at risk. We now have to be vigilant not only in our physical surroundings but also online. The emergence of the Pegasus spyware has raised concerns regarding our privacy. Pegasus is a spyware that might make you question where the limits lie between surveillance and our individual rights. We’ll look into the spyware, how it all started, and how the debate around the tool has evolved.

How it all started

Pegasus is developed by the Israeli cybersecurity company NSO Group Technologies. It’s a highly advanced, commercial surveillance tool that has gained a lot of attention both for its sophistication and for the controversies surrounding it. NSO Group Technologies allegedly made the spyware to help governments fight crime and terrorism - hence being on the right side of the law.

The spyware saw the light of day back in 2016 and has since then been developed into one of the most prominent tools for digital espionage.

How Pegasus spyware works

Pegasus works as a “zero-click” or “no-click” spyware: it can infect a device without any user interaction, such as clicking a link or downloading a file that contains malware. Because the target doesn’t need to click anything or interact with the malware at all, Pegasus is more sophisticated and advanced than many other types of malware. Pegasus can exploit vulnerabilities in different apps (mainly messaging apps) like iMessage, WhatsApp and SMS. Through these, it gains access to a target’s device.

Once installed, Pegasus can:

  • Monitor interactions: Pegasus can intercept and record any interaction done via a target’s device. That can be anything from e-mails, phone calls, texts, and even encrypted messages from apps like Telegram and Signal.

  • Access personal data: The spyware can steal photos, videos, and documents from any device that has been infected with the spyware.

  • Monitor geographic locations: Pegasus can track a target’s movements in real-time by using GPS data.

  • Record audio and video: Without the target’s knowledge, Pegasus can turn the device’s microphone and camera on and off. This way, the hackers (whether white hat or black hat) can capture video and audio at their convenience.

  • Keylogging: Pegasus can also record and capture keystrokes and motions on a target’s device. Because the operators can see how a target is using the keyboard, they can see passwords and sensitive information.

Involved in controversies

Pegasus has not been without attention and has been involved in several controversies over the years:

  • News of targets abounds, and some of the targets are reportedly human rights activists, journalists and political figures in many different countries. Since this news surfaced, many people have raised concerns about misuse of the spyware since, in some opinions, it suppresses freedom of speech.

  • Pegasus has also started debates on the legality of the software and on whether it is ethically correct to use it. Some critics argue that it violates the right to privacy.

  • As word of Pegasus spread with its growing popularity, the Israeli government issued a ban on the export of the spyware and any of NSO Group’s products. It is, however, questionable just how effective this ban is at preventing exploitation of the spyware.

  • The main thing that Pegasus relies on is vulnerabilities in the software it’s targeting. It needs to find a zero-day vulnerability (meaning that it’s a security gap that is just discovered). These vulnerabilities are of high value on the dark web, so you can imagine the different actors who are interested in the spyware; Pegasus is an attractive tool to malicious cybercriminals.

An international fallout

The use of Pegasus has generally divided opinions: its intention was to help fight terrorism and crime, but it does pose a security threat when malicious actors get their hands on the spyware. Below we highlight some notable incidents that involved Pegasus spyware.

In 2019, WhatsApp filed a lawsuit against the NSO Group. WhatsApp accused NSO Group of targeting more than 1,400 users. Among these users are human rights activists and journalists. According to the lawsuit, NSO Group violated U.S. federal law with the use of Pegasus to hack into the accounts.

A broad group of international media organizations launched a project called the Pegasus Project back in 2021, in which they exposed new and potential Pegasus targets. This was a list of global targets. The project illustrated how wide a range Pegasus spyware has and how it can affect anyone - including international politics.

Pegasus has been used to target different foreign front figures and leaders. The list includes heads of state, which led to great tensions between nations since every world leader could be at risk of being spied on. Several governments wanted an explanation from Israel of how Pegasus and the advanced spyware were exported.

Minimizing the risk of spyware

No one wants to be monitored without their knowledge, especially not by a spyware as powerful as Pegasus. That is why we’ve gathered a list of things you can do to prevent any type of spyware - and simply improve your cybersecurity:

  • Update your software and devices when there’s an update available. Vulnerabilities and gaps in software are the main entrance for hackers into your systems.
  • Use encryption on your messages and files, so only you - with the decryption key - can read the files.
  • Don’t click suspicious attachments and links you receive from unknown users and domains. Even if the e-mail is from a familiar organization, you should hover over the link to ensure that it’s a benevolent link.
  • Use antivirus software to add an extra shield of protection. This will detect and remove any spyware and malware that has found its way into your software.
  • Have strong passwords and MFA. Both add security to your accounts and devices, as the hacker would need the extra authentication to get into your account and would find it much more difficult to crack a strong and unique password.

The debate continues

Pegasus has started a heated discussion about the balance between national security and personal privacy. On one hand, Pegasus helps law enforcement do their job more efficiently, catching terrorists and criminals. They use Pegasus with caution and care, so it should not pose a cyberthreat to anyone.

On the other hand, people raise concerns about the lack of control over who can use and access Pegasus, and others criticize the spyware’s potential for abuse of power. Critics wish for more transparency, better regulation and accountability for the use of Pegasus.

All in all

The Pegasus spyware has become a symbol for advanced technology as well as the many dilemmas it brings. The international conversation is concerned with its capabilities, as well as our privacy as individuals. When does the use of Pegasus become an act of law and government and an act of activism?

The use of Pegasus raises questions of (lack of) boundaries and surveillance in our society - we might need a clear balance between security and freedom. But that is perhaps easier said than done when it comes to our overall cybersecurity.

Author Caroline Preisler


Caroline is a copywriter here at Moxso beside her education. She is doing her Master's in English and specializes in translation and the psychology of language. Both fields deal with communication between people and how to create a common understanding - these elements are incorporated into the copywriting work she does here at Moxso.
