According to legends, Pegasus was a white-winged horse of greek mythology created by the God of the sea, Poseidon. It is the most recognised creature of greek mythology. But in the world of cyber-attacks, spying, breach of privacy and surveillance Pegasus is spyware that is used to steal data from your phone. It surfaced in 2019 when popular newspapers like Indian Express reported how Pegasus was used via WhatsApp to spy on journalists and human rights activists in India. Telephone numbers of 40 Indian journalists appeared in a list of potential targets.
An anonymous agency confirmed that some of them were under unauthorised surveillance. Few Indian ministers, government officials and opposition leaders were also under the list. An investigation led by the Guardian, the Washington Post and other 17 international media groups uncovered how Pegasus was used to extract messages and information from the phones of journalists, politicians and activists. Big names like Shishir Gupta, Siddharth Varadarajan, MK Venu, Sushant Singh, Ritika Chopra, Swati Chaturvedi, Rohini Singh, et cetera were present in the list.
Who created Pegasus and what is its legal status?
Pegasus is developed by an Israeli firm NSO group that sells spyware to authorised governments across the world. It specialises in surveillance technology by providing software that helps in combating terror and crime. NSO founded in 2010 stands for Niv Shalev and Omri who are the founders. Every technology can be a boon or a bane based on its use.
Pegasus was used for a number of good and bad things alike. It was used in the murder of Jamal Khashoggi, a Saudi monarchy dissident, espionage in Pakistan, capturing of Mexican drug lord El Chapo, spying on human rights activist Ahmed Mansoor, reducing Mexico’s soda tax, investigation of 2014 Igula mass kidnapping etc.
The surveillance in news was carried out between April 2019 to May 2019 in 20 countries across four continents. WhatsApp sued the NSO group for using WhatsApp servers to send the malware to 1400 mobile phones and target devices for unauthorised surveillance. Tools of surveillance are abused if they spy on the private life of a person. If such technology ends up in the hands of responsible companies and notorious governments it can jeopardise democracy, lives of people and security.
What is Pegasus? How does it enter into target devices? What is it capable of doing?
This is spyware meaning it spies on people through their phones. It gets into action when an exploit link sent to the target is activated by clicking on it. The code or malware which allows surveillance is installed via clicking on the link sent to the user’s phone. Once Pegasus has been installed the attacker has full access to the target’s phone. The newer versions do not require a target user to click on the link. In 2016 when Ahmed Mansoor was spied the software used chinks in iOS to take over the device.
Pegasus uses a chain of zero-day exploits to penetrate the security features of the phone to get installed. The user or the developer has no idea about its installation or the weakness it uses to enter into phones. It is only after an event the developer knows the targetdevice has been compromised. Citizen lab which investigated cases of Pegasus infection revealed that Pegasus can send the target’s private data, passwords, contact list, calendar events, text messages, live voice calls from apps like WhatsApp and telegram et cetera.
It can also turn a mobile phone into a spy device by turning on the camera and recorder thereby expanding the scope of surveillance. WhatsApp submitted a brochure that exhibits the abilities of Pegasus, it can access email, SMS, location tracking, network details, device settings, browsing history data – all of this without the user’s knowledge. Pegasus can access all password-protected devices right under the nose of the user and leaves no trace. It consumes minimal battery, memory and data so that it raises almost no suspicions.
Like the Mission Impossible movie, Pegasus comes with a self destruct mechanism to reduce the risk of exposure. The brochure along with its capabilities also lists that it can work on blackberry, android, iOS and Symbian-based devices. Pegasus is an old malware that has been updated over years to keep up with upcoming operating systems. As far as WhatsApp is concerned, Pegasus is installed on target devices via a voice call placed on WhatsApp. There was no clicking on a misleading link. Also, the spyware was installed even if the target device did not accept the WhatsApp voice call.
Are we safe from Pegasus?
In a word, no we aren’t. Also if we have no grudges against the government, we do not criticise the government or raise our voices against the government, we are completely safe from Pegasus. In the present case, the WhatsApp call which installed Pegasus was sent to 1400 users. The list included dozens of academics, lawyers, journalists and Dalit activists.
NSO has time and over clearly said that it provides its services to authorised governments, law enforcement agencies, intelligence agencies. Just anyone can’t acquire NSO software Pegasus. It is not unknown that the Indian government indulged in surveillance thereby violating the right to privacy of individuals. Social engineering is a very common strategy used by spyware for unnoticed surveillance.
What are the challenges with surveillance software like Pegasus?
Since it uses zero-day exploits to enter into target devices it becomes impossible to find a permanent solution. Given the advancement in the technological world and human dependence on technology, multiple ways and different technologies are used to exploit user apps. The play store and App Store have thousands of applications with threats that could be used by companies like NSO to plant spyware. The lack of digital security experts makes this sector a soft target.
Targeting WhatsApp is just an example of how big of impact spyware can create if it goes into hands with resources. Nowadays terrorist organisations and antisocial elements are using technology for recruitment, polarisation, crowdfunding, communication, operations et cetera. It’s just a matter of time before they get their hands on such sophisticated spying software.
Why is the Indian government turning into a police state?
It will be a nightmare if the Indian government turns into an authoritarian police state because dissent will be crushed. Dissent is the essence of democratic working. Why is the government so interested in the lives of individuals? It uses sedition, UAPA to demotivate criticisms, engages in arbitrary arrest and detention, extrajudicial killings and now mass surveillance.
The government that believes in zero tolerance towards terrorism does not understand that sometimes lawyers and human rights activists help the Naxalites in the court of law to negotiate and surrender which can be helpful to the state. The government altered amendments in the right to information act and brought the act to a standstill. The information commissions with low employees are pawns of the state. Amendments to the NIA act violates federal structure when CBI takes over investigation of any case in the name of national security.
All government organisations are being converted into policing agents. The government has an inherent belief that every citizen is a criminal. Insurance regulation, taxation, banking, and property registration, every activity is seen as suspicious. Surveillance software is not only policing agents but also violate the right to privacy. The state has to ensure that the fundamental rights of any citizen are not harmed yet it indulges in the same practice. For a democracy to work the state has to trust its citizens for abiding the law and the citizens have to trust the state for their well-being.
The government ordered surveillance on journalists, human rights activists and academics who are in no shape and form perpetrators of crime.