What Is Pegasus And How Does It Work?
As the need to avoid government surveillance grew in authoritarian states worldwide, activists and whistleblowers leaned heavily on end-to-end encryption in hopes of evading reprisals for speaking truth to power.
Pegasus can break into most messaging systems including Gmail, Facebook, WhatsApp, FaceTime, Viber, WeChat, Telegram, Apple’s built-in messaging and email apps, and others. This means it can spy on almost all of the world's population.
Why was Pegasus created?
Today an entire industry dedicated to hiding, masking or protecting dissidents from authoritarian regimes is in full swing. Encrypted email services like Protonmail, Tutanota, TorGuard's Private-Mail, and apps like Telegram, WhatsApp, and Signal became common. The trend left authoritarian governments and powerful criminals unable to monitor dissidents, opposition, and rivals. For a short period, this led to a feeling of security and enabled the organizing of protests and a free flow of information within some of the earth's most authoritarian states.
While this newfound power to hide from a government's imposing gaze is used by people with noncriminal intentions, it has also been abused by transnational organized crime, spies, terrorists, and other anti-social elements. The use of these tools by criminal groups created a counter industry that often disguises its anti-encryption crusade as law abiding and well intentioned. However, no matter how well intentioned the creation of the tools to hide or expose is, those who want to abuse them in one way or another are still the most visible and vocal majority.
Under the guise of law and order, the espionage tool Pegasus was created by the Israeli spyware firm NSO Group. The firm allows its clients, which it claims are exclusively governments, to target specific phone numbers and infect the associated devices with Pegasus.
To circumvent encryption, instead of listening in on data flowing between two devices, Pegasus allows its clients to infect and hijack the device their targets are using and gain access to everything on it. Pegasus also monitors the keystrokes on infected devices, which gives it access to all written communications, web searches, and even passwords. The data is then given to the clients. Pegasus also provides access to the target phone’s microphone and camera, turning it into a mobile spying device that the target unwittingly carries with them.
Investigation Reveals The Israeli Made Pegasus Spyware Used To Track Over 50,000 Phones
Why is this a problem?
The Israeli-based NSO Group has sold its technology to governments with poor human rights records, and the technology has been used to target journalists and human rights activists. Notably, the former Washington Post journalist Jamal Khashoggi was stalked, lured, and dismembered by criminals associated with Saudi Arabia's Crown Prince Mohammed bin Salman's inner circle. Governments from India to Azerbaijan and Rwanda to Mexico have successfully used NSO’s spyware. Some of these governments have also been infiltrated by organized crime, such as in Mexico, where journalists are often the targets of death threats, human rights abuses, and murder by criminal elements.
How do Zero-Click Exploits work?
Pegasus has evolved from a crude system relying on social engineering, which compromised a phone when the target clicked on a link, to one that no longer requires a target's direct involvement. Hacking attacks using Pegasus once required active participation from a target. Pegasus operators sent text messages containing a malicious link to their target’s phone. When the user clicked on it, a malicious page opened in their web browser, which downloaded and executed the malware, infecting their system.
Over time the public and targets became aware of the social engineering techniques used to lure them. As a result, ‘zero-click exploits’ were created. These exploits do not rely on the target doing anything at all in order for Pegasus to compromise their device. Zero-click exploits target popular apps like iMessage, WhatsApp, and FaceTime, which all receive and sort data from unknown sources.
Once a vulnerability is found, Pegasus can infiltrate a device using the protocol used by the app. No link has to be clicked, no message has to be read, and no call has to be answered, and the target may not even see a missed call or message.
Aside from zero-click exploits, NSO Group's clients can also use so-called "network injections" to silently access a target's device. Targets can be attacked through web browsing without clicking on a malicious link. This method involves waiting for the target to visit a website that is not fully secured during their normal online activity. When an unprotected link is clicked, the NSO Group's software can reach the phone and initiate an infection.
What's in it for NSO Group?
The New York Times reported in 2016 that an NSO tool to spy on 10 iPhone users would cost $650,000 plus a $500,000 installation fee, but it is likely more today. In 2020, the company reported revenues of $243 million.
A lawsuit was filed in 2019 in the United States by WhatsApp against the NSO Group, claiming that the Israeli company had exploited a vulnerability to infect more than 1,400 devices. The WhatsApp lawsuit reports that those targeted included journalists, lawyers, religious leaders, and political dissidents. Microsoft and Google are among other prominent companies that have filed supporting arguments in the case.
Amnesty International (which sued the Israeli Ministry of Defense, which must approve all NSO Group sales to foreign governments), activists and journalists targeted by NSO Group's technology have also filed suits.