After Citizen Lab, a cybersecurity watchdog group that’s spent years tracking digital threats, examined the contents of a Saudi activist’s phone, researchers quickly discovered that it was infected. But the phone wasn’t infected with just any virus. It was infected with NSO Group’s zero-click Pegasus spyware—software that does not even require people to click on a link in order to get the infection.
With Pegasus, before the fix is installed, “there’s absolutely nothing you can do to protect your phone,” says self-described data breach hunter Chris Vickery. “It’s nightmare-level terrible.” Keeping your software updated is the easiest way to defend yourself, as companies release fixes that way after they discover new vulnerabilities.
Here’s what you need to know about what zero-click software, and Pegasus, is.
What are exploits like Pegasus so scary?
Pegasus is the name of a software exploit product created and sold by an Israeli outfit called the NSO group, and “FORCEDENTRY” is the more specific name of the vulnerability. Unlike the type of viruses you might have seen in movies, this one doesn’t spread. It is targeted at a single phone number or device, because it is sold by a for-profit company with no incentive to make the virus easily spreadable. Less sophisticated versions of Pegasus may have required users to do something to compromise their devices, like click on a link sent to them from an unknown number.
In the past, texts have been sent telling people their children were in a car accident or that someone has just used their credit card—these are phishing attempts. As soon as the link is clicked, the phone is injected with Pegasus software, which gives complete control over the phone to the people targeting it.
[Related: Why you need to update your Apple products’ software ASAP]
But you probably won’t even know you’ve been targeted. “For the purposes of doing an investigation, you want to be as quiet as possible,” says Vickery, “so hackers are probably not going to use the phone to do obvious things that will show their presence.”
What is a zero-click exploit?
The most advanced version of Pegasus involves a zero-click exploit. It requires no human interaction to infect the phone. “It’s like a bullet hitting your head from afar,” says Vickery. “You have no defense whatsoever.” The hackers can send an exploit payload to your phone. In the case Citizen Lab discovered, Pegasus was sent via a corrupted gif file.
The vulnerability lurked in the iPhone software that parses images. That was why Apple issued an emergency fix and urged everyone to update their devices.
What’s a zero-day attack?
A zero-day attack, a zero-day vulnerability, and a zero-day exploit are all terms talking about the same fundamental thing: There’s a vulnerability in software that the manufacturer has not released a fix, or patch, for yet. “Because there has not been time for defenses to catch up with the attackers, it’s a zero-day exploit,” says Vickery. “As soon as somebody releases a patch for it, the next day, it could be thought of as a one-day exploit, meaning that there’s been one day of potential patching for it.”
If you’re a hacker, you want that zero day to last as many days as possible, if you want to take advantage of it in the future. There are many zero-day exploits that are sold and passed around underground that specifically avoid letting the victim know about it so that it will be a zero day for a longer period of time. Some hackers might discover these zero days and report them in order to get rewards from the company they report it to, but places like military intelligence agencies stockpile zero-day vulnerability knowledge, says Vickery, because it can be used to very efficiently penetrate a target network. In 2013, the NSA spent $25 million to purchase software vulnerabilities, and in 2020, the NSA published a list of 25 vulnerabilities they discovered Chinese-sponsored cyber actors were exploiting.
But the process becomes like a cat and mouse game, because as soon as you use it you run the risk of the adversary learning what you used to take advantage of them. “There is a gray area of what the value is to our nation in knowing how to do this, versus the value of telling the manufacturer so that they can protect everyone,” says Vickery.
Who is the NSO group?
NSO is a group of Israeli hackers for hire that have been operating for many years. They provide software like Pegasus to places like the United Arab Emirates and Saudi Arabia. The group has claimed their software assisted in the capture of El Chapo and one lawsuit has connected the murder of slain journalist Jamal Khashoggi with Saudi use of the software. One report notes that NSO tried to pitch their software to local U.S. police.
The NSO group have stated that they provide the services of this software for governments around the world to help fight terrorism and crime. “NSO Group says that their spyware is only for targeting criminals and terrorists,” John Scott-Railton, a senior researcher at Citizen Lab, wrote on Twitter. “But here we are…again: their exploits got discovered by us because they were used against an activist.”
WhatsApp, which is owned by Facebook, is currently suing NSO Group, accusing the company of providing software that allowed people to spy on journalists and political dissidents.
“The company claims that all they do is provide the software to do the exploitation,” says Vickery. “It’s kind of like a gun maker saying they sell the guns, but they’re not the ones aiming it at somebody’s head and pulling the trigger.”
How do you know if you’ve been targeted?
It can often be very difficult to find out if your phone is infected. Exploits like this happen quietly, limited by how much risk the people deploying it want to put out there. And because the hackers have control of all the processes in the phone, they can delete the text or link that originally infected the devices, preventing the notification from ever being shown. (However, as one security expert told PopSci earlier this week, “these attacks are not a threat to most Apple users.”)
If your phone logs have contact to a certain domain or IP address, it’s an indicator that your phone was compromised—that’s Pegasus at work, because it was reaching out to the command and control server, but only a place such as Citizen Lab would have the resources to discover that.
Once your device has been infected, there’s no way to protect yourself. Experts say that one way to mitigate the damage that could come from a compromised device is that if an occupation involves sensitive info, to maintain two separate phones, one for work and one for private use.
The most important thing that a regular person can do is to keep their software up to date, as software updates can often come with patches for security vulnerabilities. And scrutinize the phone numbers and emails in messages you receive to ensure they are from someone you trust.
This article has been updated.