NSO spy software Pegasus: Zero clicks to a total loss of control

2021-07-19T14:06:49.146Z


The NSO company sells state Trojans to authorities to monitor terrorists and criminals. But Amnesty used forensic means to discover traces of the almost invisible software in journalists as well.


NSO headquarters in Herzliya near Tel Aviv: Suspicious processes on the iPhone

Photo: JACK GUEZ / AFP

The surveillance software Pegasus from the Israeli company NSO "turns the iPhone into a digital spy with access to all communication services, so far it has apparently been used primarily for targeted surveillance attacks by state institutions on human rights activists and dissidents".

SPIEGEL wrote that almost five years ago.

Now the Pegasus project, in which "ZEIT", the "Süddeutsche Zeitung" ("SZ"), NDR and WDR as well as numerous international media are involved, shows that nothing fundamental has changed since then: "More than 180 journalists," as the "SZ" summarizes, "as well as numerous human rights activists, opposition activists, lawyers and politicians, including 13 current and former prime ministers and heads of state," have been at least potential, and in some cases proven, targets and victims of Pegasus since 2016. Their chats, e-mails, photos, location data, contacts, microphone and camera: all of this and more was in the attackers' hands as soon as the Pegasus infection succeeded.

The research is based on a list of around 50,000 telephone numbers leaked to Forbidden Stories, presumably a wish list of the various NSO customers, including the governments of Saudi Arabia, India, Mexico, Morocco and Hungary. Not all owners of these numbers have been hacked and spied on, if only because landline numbers are also on the list and Pegasus only works on mobile phones running iOS or Android. The search for those actually affected was therefore tedious. How it was done, and what the results say about the security and insecurity of iPhones, is detailed in Amnesty International's IT forensic report.

To this end, the organization examined 67 smartphones belonging to people who were on the phone number list and who made their devices available.

Amnesty found traces of Pegasus on 37 devices; in 23 cases the forensic experts assume a successful infection, while the other 14 show only attempts.

Amnesty's methods and results have been reviewed by the Canadian Citizen Lab and found to be sound.

NSO speaks of "false claims" and "unsubstantiated theories" that cast "serious doubts" on the sources and basis of the Pegasus project reports, but the company has not yet refuted a single detail of the forensic investigation.

The iOS vulnerability is still open today

The forensic report says nothing specific about how secure or insecure Android devices are against Pegasus.

Google's operating system is simply even harder to examine than iOS, because even more data is lost on reboot.

That is why Amnesty focused only on iPhones.

Two key findings up front. First, Pegasus has never been an instrument of mass surveillance.

In this respect the software is a typical state trojan, developed to monitor individual suspects, although who counts as a suspect depends very much on the government in question.

Second, one of the infection routes Amnesty describes still works to this day.

Even someone using an iPhone with the current iOS version 14.6 today would be practically defenseless against Pegasus.

Apple is still in the process of investigating the vulnerability.

But how does the spy software get on a target device?

Amnesty has several answers to this.

They include SMS and iMessage, the Twitter app and the Safari browser, Apple Music and the standard Apple photo app.

But the apps are only part of the problem.

NSO itself operates a network infrastructure, used among other things to deliver the actual spyware.

Until 2020 in particular, NSO customers also needed a certain degree of control over the cellular networks in their country, as well as special hardware.

Amnesty ultimately identified three different routes of infection, some with variants:

Between 2016 and 2018, potential Pegasus victims received customized SMS messages with links to infected websites.

Anyone who clicked on such a link immediately picked up the surveillance program, regardless of whether his or her iOS version was current.

But soon even that one click became superfluous.

In the following years, Pegasus infections were instead carried out via so-called "network injections", as Amnesty had already shown in 2019 and 2020.

Anyone who accessed a certain website via Safari or Twitter was redirected in a flash to another, malicious one.

To do this, the attackers needed control of the network: either through suitable equipment installed directly at the victims' cellular providers, or through special-purpose routers or cell towers in the victims' vicinity, in order to intercept their network traffic and manipulate it in real time.

But it can be even more perfidious.

Amnesty could prove the next infection route, used mainly in 2019, only indirectly.

All that was required was the victim's cell phone number.

The attacker sent them invisible iMessages with specially prepared attachments, as Bill Marczak from Citizen Lab explained to SPIEGEL in a chat. The attachments could trigger an infection because iOS has weaknesses in handling them. In retrospect, all that can be seen is contact from an iMessage account not known to the victim, such as "linakeller2203@gmail.com". Shortly after that contact, suspicious processes started on the devices that do not exist on other iPhones, as an analysis of the log files showed. The same processes started in the other types of infection, in which Amnesty noticed connections to known servers of the Pegasus infrastructure.

The forensic experts could not see what exactly these processes were doing, nor did they find any traces of Pegasus itself on the devices.

Their conclusion, however, was that NSO exploited a publicly unknown vulnerability ("zero-day") in iMessage to start the Pegasus infection without any action by the victim ("zero-click").

The Pegasus infection is no longer permanent

In 2020 Apple Music was added as a presumed part of the “zero-click” infection route.

It all started again with an iMessage.

Some time later, the music service opened a network connection on the iPhone to an address that Amnesty had previously identified as part of the NSO network infrastructure.

Immediately afterwards the suspicious processes started again on the device.

As recently as July 2021, the forensic experts also observed a variant of the "zero-click" attack in which, after the iMessage trigger, a process of Apple's telephony functionality was hijacked to fetch a specific Internet address for the next stage of the infection.
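The forensic pattern described in the two passages above (contact from an unknown iMessage account, followed shortly afterwards by processes that do not occur on clean iPhones, or by a system app connecting to a known piece of NSO infrastructure) can be turned into a simple log-triage routine. The following is an added example written for this page, not code from Amnesty's report, from Citizen Lab, or from NSO's tooling. Every log line, process name and domain in it is a constructed placeholder; the only value taken from the article is the iMessage account linakeller2203@gmail.com. The infection/attempt/clean verdict rule is a simplified assumption for illustration, not Amnesty's actual criteria.

```python
"""Match constructed iPhone-style log records against indicators of compromise.

Added example (not from the Amnesty report or the article). The log format,
the process names and the domains are hypothetical; only the iMessage account
linakeller2203@gmail.com comes from the article.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Record:
    ts: datetime
    kind: str        # "imessage", "process" or "netconn"
    attrs: dict      # key=value pairs from the rest of the line


@dataclass
class Indicators:
    processes: set   # process names seen only on infected devices (hypothetical here)
    domains: set     # attacker infrastructure domains; subdomains match too
    accounts: set    # iMessage accounts already tied to attacks


def parse_log(text: str) -> list[Record]:
    """Parse lines of the constructed form: '<date> <time> <kind> k=v k=v ...'."""
    records = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        date, time, kind, *kv = line.split()
        attrs = dict(item.split("=", 1) for item in kv)
        records.append(Record(datetime.fromisoformat(f"{date}T{time}"), kind, attrs))
    return records


def match_iocs(records, iocs: Indicators, known_contacts: set):
    """Return (timestamp, category, detail) hits for every record touching an indicator."""
    hits = []
    for r in records:
        if r.kind == "process" and r.attrs.get("name") in iocs.processes:
            hits.append((r.ts, "process", r.attrs["name"]))
        elif r.kind == "netconn":
            host = r.attrs.get("host", "")
            if host in iocs.domains or any(host.endswith("." + d) for d in iocs.domains):
                hits.append((r.ts, "netconn", f"{r.attrs.get('process')}->{host}"))
        elif r.kind == "imessage":
            sender = r.attrs.get("sender", "")
            if sender in iocs.accounts:
                hits.append((r.ts, "imessage-ioc", sender))
            elif sender not in known_contacts:
                hits.append((r.ts, "imessage-unknown", sender))
    return hits


def triage(records, iocs: Indicators, known_contacts: set, window=timedelta(minutes=10)):
    """Simplified verdict (assumption, not Amnesty's rule): a suspicious process means
    'infection'; infrastructure contact or a known attacker account without such a
    process means 'attempt'; otherwise 'clean'. An unknown iMessage sender on its own
    is not evidence; it is kept only when a suspicious process follows it within `window`."""
    hits = match_iocs(records, iocs, known_contacts)
    strong = [h for h in hits if h[1] in ("process", "netconn", "imessage-ioc")]
    process_times = [h[0] for h in strong if h[1] == "process"]
    precursors = [h for h in hits if h[1] == "imessage-unknown"
                  and any(timedelta(0) <= p - h[0] <= window for p in process_times)]
    if process_times:
        verdict = "infection"
    elif strong:
        verdict = "attempt"
    else:
        verdict = "clean"
    return verdict, sorted(strong + precursors)


# Constructed indicator lists (hypothetical names and domains).
IOCS = Indicators(processes={"hypothetical-stage1d"},
                  domains={"example-nso.invalid"},
                  accounts={"linakeller2203@gmail.com"})
KNOWN_CONTACTS = {"friend@example.com"}

# Constructed sample logs, one per device; not real device data.
DEVICE_A = """
2021-05-03 10:12:01 imessage sender=linakeller2203@gmail.com
2021-05-03 10:12:09 process name=hypothetical-stage1d pid=411
2021-05-03 10:12:10 netconn process=Music host=cdn.example-nso.invalid
2021-05-03 10:15:44 netconn process=Safari host=www.apple.com
2021-05-03 11:00:00 imessage sender=friend@example.com
"""
DEVICE_B = """
2021-06-11 08:03:12 imessage sender=stranger9981@example.com
2021-06-11 08:04:00 netconn process=Safari host=track.example-nso.invalid
2021-06-11 08:30:00 process name=mediaserverd pid=55
"""
DEVICE_C = """
2021-06-12 09:00:00 imessage sender=friend@example.com
2021-06-12 09:00:05 netconn process=Safari host=www.apple.com
"""
DEVICE_D = """
2021-07-01 14:20:00 imessage sender=unknown4421@example.com
2021-07-01 14:23:30 process name=hypothetical-stage1d pid=902
"""


def triage_log(text: str):
    """Convenience wrapper using the constructed indicator lists above."""
    return triage(parse_log(text), IOCS, KNOWN_CONTACTS)


if __name__ == "__main__":
    for name, log in (("A", DEVICE_A), ("B", DEVICE_B), ("C", DEVICE_C), ("D", DEVICE_D)):
        verdict, evidence = triage_log(log)
        print(f"device {name}: {verdict}")
        for ts, category, detail in evidence:
            print(f"  {ts}  {category:17s} {detail}")
```

Device A reproduces the article's sequence (attacker account, suspicious process, Apple Music reaching attacker infrastructure); device B only shows a redirect to attacker infrastructure and is scored as an attempt; device D shows why the unknown-sender message is reported only once a suspicious process follows it. The domain check matches subdomains because an infrastructure list typically names the registered domain while logs record the specific host.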

According to Amnesty, an interesting side aspect of the "zero-click" versions of Pegasus is that, unlike in the past, the spyware no longer remains permanently on the target device.

Instead, it is deleted with every restart, along with its artifacts.

That makes it hard ever to find and investigate a complete Pegasus installation.

For the attacker, however, the short lifetime is not a big problem as long as reinfection is this easy and the victim has no way to prevent it.

iMessage can be deactivated to block the "zero-click" attacks via that route. But NSO has already abused several other Apple apps and will keep trying. So far, the most reliable defense is to use the iPhone only as a paperweight.

Source: spiegel
