Pegasus: A cyber security expert explains how the zero-click spyware can hack phones without user interaction

Last month, Amnesty International, working with over a dozen other news outlets, revealed that they had come into possession of a leaked list of politicians, journalists and activists whose phones had been hacked by a piece of spyware named Pegasus.

The software was developed by an Israeli company called NSO Group, who said it has sold this technology to over 40 governments, although it won’t reveal which ones.

Pegasus can gather data, record videos and even take screenshots once it’s on board, and requires only an unanswered message via Apple's iMessage to embed itself onto a device.

The victims include the French president Emmanuel Macron and some 180 journalists from around the world.

We asked Dr Tim Stevens, the head of the Cyber Security Research Group at King’s College London, to explain how Pegasus works and whether it can be stopped.

Pegasus has been described as the most powerful spyware ever, is that accurate?

It’s hard to know whether it’s the most powerful ever developed, because what else is out there? But I think it clearly has some functions that are a little more devious than we’re used to seeing.

What makes this different?

In the past, you might have been contacted via email, or some kind of social media messaging service, and asked to click on a link. Then when you click on the link, you download a piece of software onto your device and it’ll do its work from there.

What’s remarkable about Pegasus is that it can get on your system without you clicking a thing. It’s called a zero-click malware. All that needs to happen is for somebody to send a message to your device. It doesn’t even need to be opened. It exploits flaws in the operating system of that device.

We call these ‘zero-day vulnerabilities’ because they haven’t yet been discovered by the vendor or by researchers. By the time it is discovered, they have zero time to patch it because they’re only ever discovered when someone’s used it to do bad things.

It is a fact that all very large pieces of software, like an operating system like Apple’s iOS or Android or any other, including open source operating systems, have bugs. None of them are perfect. They present openings or opportunities for people to use to gain access.

It’s like locking up all the doors and windows, but leaving the kitchen window open overnight. If the burglar is going to recce the whole house, they will find it eventually, no matter how large your house. And that’s exactly what goes on with software.

So Pegasus has a number of ways of getting access, and in some cases it’s as simple as a message?

If you’re a tech-savvy mobile phone user, alarm bells start ringing if you get a message that asks you to give a piece of software access to your address book or your email. If you decline that offer then you don’t open that door. But with Pegasus you didn’t even know the door was there.

Pegasus effectively jailbreaks your phone, it unlocks all this kind of administrative functionality that it then uses to position itself and hide itself and have access to everything that’s going on in your phone. It’s a very novel and impressive technical feat.

Is Pegasus, as a piece of software, legal?

It’s a complex question. There are probably a few hundred answers to this, depending on what country you’re in. Most countries these days have legislation that says that you cannot use unauthorised access into a computer system, you simply can’t do it. Essentially, you’re not allowed to hack into a system.

There is no legislation that effectively and expressly forbids us doing that in a foreign country. It gets very complicated with mutual legal assistance treaties and extradition and so on.

But essentially, there’s no overarching international legislation that says that this stuff is illegal. And mostly that’s because there’s no overarching international legislation to say that espionage is illegal. And really, that’s what we’re talking about here.

Read more about cybersecurity:

• Can you get a virus by watching YouTube?
• How do computer viruses work?
• Could computers get a virus that’s as contagious and difficult to eliminate as coronavirus?

What can be done about it?

We first need to confirm who’s been targeted. Disassemble phones and figure out whether Pegasus was there. I mean it’s meant to be quite untraceable, but I believe that it leaves some digital tracks behind under certain circumstances. So it’s a forensic issue at first.

After that, it’s a political or economic decision. What could these countries do? The NSO Group’s clients in many cases are governments of countries. Are these governments going to admit to what they’ve done? Are they going to admit that they had contracts with the NSO – and if they do, you’d imagine they’d say that they were using it for law enforcement and counterterrorism.

You know, I don’t see that an honest answer to this will be particularly forthcoming, unless there’s sufficient pressure from civil society and the press. I hope the press doesn’t let this one go because it’s shambolic behaviour.

Given that a number of journalists seem to be on the target list for this software, it’s not a great time to be a reporter, is it?

I think some deep-rooted cultural and political threads are running through public life at the moment that make being a journalist a slightly uncomfortable place to be. The bigger problem is that surveillance really only works when people internalise it. You want the watched to feel like they’re being watched. Even if you’re not watching them all the time.

As long as people think they’re being watched, they modify their behaviour. If journalists say, “I’m not going to have that conversation because my phone is on me,” then that is a big concern.