Project Pegasus: Experts fear Apple-Android duopoly making life easier for spyware, a losing battle for users

The latest Pegasus revelations have once again put sharp focus on the use of spyware, in addition to reigniting fears that our phones are not secure. This time, there’s sharp focus on Apple iPhones and their security, an aspect that the company has always touted in its advertisements. But experts say when it comes to protecting oneself against sophisticated spyware, it is like fighting a losing battle.

“NSO Group is a military grade weapons manufacturer and just like any arms maker, they have to guarantee their customers that whatever they supply is going to work everywhere. Android and iOS are unfortunately the only two big markets out there,” Anand Venkatanarayanan, independent security researcher, tells indianexpress.com.

“Contrary to what Apple tells in public domain about all the security enhancements and whatever you call them, there exist lots of smaller vulnerabilities. It’s easier for NSO to either procure or develop exploits on their own. And it’s been pretty lucrative,” he points out, adding that exploits can sell for millions of dollars.

Venkatanarayanan says multiple zero-day vulnerabilities have been found on iMessage over the last one and half years and that while Apple has tried to use BlastDoor technology to prevent the same. “Historically, it doesn’t work.”

With iOS 14, Apple tried to secure iMessage with BlastDoor technology, a sandbox technology designed to protect only the messaging system. It processes all incoming iMessage traffic and only passes on safe data to the operating system. But as Amnesty International’s forensic analysis of iPhones infected with Pegasus spyware showed, NSO Group’s ‘zero-click’ attacks managed to bypass this. ‘Zero-click’ attacks do not require any interaction from the target, and according to Amnesty, they were observed on a fully patched iPhone 12 running iOS 14.6 till as late as July 2021.

Meanwhile, Apple has defended itself while condemning cyberattacks against journalists, activists and others, adding that the iPhone is still the safest device. “Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data,” Ivan Krstić, head of Apple Security Engineering and Architecture said in a statement. An Apple spokesperson also underlined that the Pegasus attacks were run by well-funded, highly-sophisticated, and targeting specific individuals which does not make them a threat for a vast majority of iPhone users.

While the focus is certainly on iOS devices, it should be noted that only iPhones tend to keep the data logs which makes it possible to carry out this kind of analysis to detect possible spyware infection. On Android, detection of Pegasus is not as easy given the logs are just not available and tend to get deleted after a year or so.

An iPhone 12 is seen in this photo. Image used for representational purposes. (Image source: Anuj Bhatia/Indian Express)

“Android and iOS devices have both been targeted. The number is not clear. What they do make clear is that certain kinds of logs, which are needed for detection of this infection, were not available on Android devices after a period of time. So detecting it on iOS was a different process. One cannot just compare the numbers,” Pranesh Prakash, Affiliated Fellow at the Information Society Project at Yale Law School tells indianexpress.com.

In his view, both iOS and Android are “vulnerable to various security exploits and have robust programmes to counter these kinds of security vulnerabilities.” As he points out, even spyware like “Pegasus has to keep evolving to different forms of security measures that Android and iOS take.”

According to Anand, the nature of the present smartphone market, dominated by two operating systems, also what makes it easier for companies like NSO Group to carry out the attacks. “With Android and iOS, if you find one vulnerability, you can hit 50 per cent of the population. The scale of these monopolies or duopolies means there’s not much variability. Variability makes it harder for cyber offense operations. Now, there are only two or three systems so it is much easier to target,” he explains, adding that the opponent out here “has an asymmetric advantage because they just have to hit you once.”

He also states while tech companies are trying to combat this, their efforts are clearly not enough. It should be noted that Google has its Project Zero, which tends to find vulnerabilities in popular software across including iOS, while Apple has its own bug bounty program. Microsoft is also publishing its own research on the cybersecurity issues.

However, spyware like Pegasus also poses problems for app developers. For instance, Pegasus exploited vulnerabilities in WhatsApp to hack into devices of certain targets, according to reports from 2019.

“The app can only be as secure as the operating system. But app developers need to realise the importance of at-rest encryption. Again, this is not a panacea to what is being done by Pegasus. Apps of a sensitive nature, such as financial data, calendar, etc, should make use of At Rest Encryption which is a missing link,” Prakash said.

He points out that just as End-to-End encryption (E2E) protects data in transit, at rest encryption is also important. “iMessages are E2E. But backup of those on the cloud is not encrypted. It also requires a warrant to access these messages from the cloud. I would say that in order to avoid going through the official companies for the data, this kind of phone hacking is also happening,” he explains.

But what can those who are likely to be targets of such sophisticated attacks really do? According to Anand, this is like “going up against a tank with a pea-shooter gun.” “You really can’t survive this as a journalist or an activist, unless and until you understand this is the situation you’re facing,” he said and that in his view the mobile is a “walking spying device.”

His advice to journalists: keep multiple identities, try to use the mobile phone less, and invest in tools like SecureDoc when sharing documents with sources. “We advise people to have multiple phone numbers and identities,” he says, adding that “in a world where surveillance is prevalent” one perhaps needs to start acting “like an intelligence agent”.

But he cautions “precise targeting techniques are hard to stop.” Prakash also agrees that when facing “a sophisticated nation state,” protecting oneself is very difficult.

The Indian government has meanwhile, denied the charges of Pegasus being used for surveillance on journalists, activists and opposition leaders. It has called the reports as a ‘sensational’ story,” designed to malign India. “India has established protocols when it comes to surveillance. In India there is a well established procedure through which lawful interception of electronic communication is carried out for the purpose of national security particularly on the occurrence of any public emergency or in the interest of public safety by agencies at the centre and the state. The requests for these lawful interceptions for electronic communications are made as per the relevant rules…,” Ashwini Vaishnaw, Minister for Electronics and Information Technology said in the Parliament.

But according to Prakash, the government statements only add to the confusion. “It is not clear based on government statements whether they are actually denying usage of Pegasus. The statement says there was no targeted surveillance, and at the same time they also talk about the legal provisions under law for interceptions,” he points out.

Nonetheless, in his view, India needs to “undertake reforms on intelligence agencies which are not accountable to Indian. We need a drastic overhaul of this procedure.”