They have full access to your phone: Hacking phones with zero clicks
Security people, including myself, will need to rethink their recommendations: A spyware company hacking mobile phones for governments compromises fully patched phones without any user interaction. They come and go as they please and we don’t even notice.
In December 2015, the FBI got their hands on a terrorist’s iPhone. The terrorist killed 14 people in an attack in San Bernardino, California. Even though the phone was physically present in the hands of investigators, the FBI was unable to unlock it and access the data. After months, a company unlocked it for 900.000 US dollars. This looked like the moment of glory for mobile security.
More than five years later the disclosures of the “Pegasus Project”, an investigative journalism initiative, have left me speechless. The spyware company NSO Group compromises fully patched iPhones (most likely Android phones too) without any user interaction (“zero-click”) using their malware “Pegasus”.
I am shocked that…
- there is nothing we can do to keep data on our phones secret and we would not even notice an infection.
- the exploits seem to work so well that the malware does not even need to persist. When agencies need access, they simply reinfect the phones.
- infected phones are fully remote-controlled, including microphone, camera, and keyboard (app).
- phones of at least 180 journalists from 21 countries were selected for surveillance.
- Pegasus malware was probably involved in the murders (Jamal Khashoggi, Cecilio Pineda) and imprisonments (Omar Radi, Anand Teltumbde) of journalists, and the capture of Princess Latifa.
- even democratic countries like Hungary seem to spy on domestic journalists (Szabolcs Panyi).
- NSO Group denies everything and apparently falsely claims that the malware “only collects data from the mobile devices of specific individuals, suspected to be involved in serious crime and terror”.
- most people do not seem to care or notice.
The Pegasus Project questions many of the recommendations I gave in the past. I still think that it is a good idea to use encryption and strong passwords. But the offline world will be much more important for really secret information: Personal meetings and hand-written notes while shutting down our phones and storing them out of earshot.
"We've been recommending each other this tool or that tool, how to keep [our phones] more and more secure from the eyes of the government," Ismayilova said. "And yesterday I realized that there is no way. Unless you lock yourself in [an] iron tent, there is no way that they will not interfere into your communications." 1
This exactly expresses my feelings right now: There is nothing we can do. And it will not go away. It might be that at some point in time, developers fix their issues and “zero-clicks” will (temporarily) disappear. But I believe that they will still find their way into our phones (even if we then have to click a link or something similar). And if they don’t get you, they might get your friends, family, and peers.
I think that all people in IT security now must reflect and draw their conclusions. We (IT people) must be aware that we are responsible for our recommendations. Pegasus has proven that the times when you could choose a strong passphrase and everything would be fine are over.
What are your conclusions? I would appreciate your response to email@example.com.
1. Phineas Rueckert, Forbidden Stories (https://forbiddenstories.org/): “Pegasus: The new global weapon for silencing journalists”