They have full access to your phone: Hacking phones with zero clicks

Security people, including myself, will need to rethink their recommendations: A spyware company hacking mobile phones for governments compromises fully patched phones without any user interaction. They come and go as they please and we don’t even notice.


In December 2015, the FBI got their hands on a terrorist’s iPhone. The terrorist killed 14 people in an attack in San Bernardino, California. Even though the phone was physically present in the hands of investigators, the FBI was unable to unlock it and access the data. After months, a company unlocked it for 900,000 US dollars. This looked like the moment of glory for mobile security.

More than five years later, the disclosures of the “Pegasus Project”, an investigative journalism initiative, have left me speechless. The spyware company NSO Group compromises fully patched iPhones (most likely Android phones too) without any user interaction (“zero-click”) using their malware “Pegasus”.

I am shocked that…

The Pegasus Project questions many of the recommendations I gave in the past. I still think that it is a good idea to use encryption and strong passwords. But the offline world will be much more important for really secret information: Personal meetings and hand-written notes while shutting down our phones and storing them out of earshot.

"We've been recommending each other this tool or that tool, how to keep [our phones] more and more secure from the eyes of the government," Ismayilova said. "And yesterday I realized that there is no way. Unless you lock yourself in [an] iron tent, there is no way that they will not interfere into your communications." 1

This exactly expresses my feelings right now: There is nothing we can do. And it will not go away. It might be that at some point in time, developers fix their issues and “zero-clicks” will (temporarily) disappear. But I believe that they will still find their way into our phones (even if we then have to click a link or so). And if they don’t get you, they might get your friends, family, and peers.

I think that all people in IT security now must reflect and draw their conclusions. We (IT people) must be aware that we are responsible for our recommendations. Pegasus has proven that the times in which you choose a strong passphrase and everything will be fine are over.

What are your conclusions? I would appreciate your response to

  1. Phineas Rueckert at, Pegasus: The new global weapon for silencing journalists