Pegasus: The Silent Threat to Digital Democracy

Introduction

Today, our smartphones know more about us than many of our closest friends and family. The digital revolution has opened the floodgates for technology capable of digitizing every aspect of our lives. The ascendance of household devices, such as smart speakers, smart appliances and our beloved smartphones, has shown us that technology can affect nearly every part of our lives. Additionally, the emergence of more nascent technologies in the fields of virtual reality (VR), augmented reality (AR) and artificial intelligence (AI), such as the Meta Quest (Oculus) Headset, Apple’s recently released Vision Pro and ChatGPT, has shown us that technology may soon take a front seat in our lives. With the ubiquity of technology, we are invariably sharing more information through our devices than we may be comfortable sharing with most of the people we know, begging the question: are any parts of our digitized lives truly private?

Most people are familiar with the concept of spying, a practice as old as time, where groups or individuals secretly collect information about their enemies and competitors. The earliest forms of spying, referenced in Sun Tzu’s 5th Century book Art of War, were conducted physically; later, more sophisticated cyber espionage was developed during the Cold War, a time that saw the founding of the CIA and KGB. However, there is one recent technology making all other spying methods look like child’s play: Pegasus, engineered by NSO Group Technologies, a multi-billion dollar Israeli spyware firm.

What is Pegasus?

Founded in Israel in 2010, the NSO Group is a product of its environment, as Israel is a global technological center in the heart of a major conflict zone. 

Though plagued by war for nearly the entirety of its independence, Israel is often referred to as the Startup Nation as the tech sector makes up 18% of Israel’s GDP, 50% of its exports, and 30% of its tax revenue. Despite having just 0.1% of the world’s population, Israeli companies account for 10.5% of the world’s AI startups, according to Statista. Additionally, there has been no shortage of global high-tech companies forged in the Middle Eastern techno-cauldron. From the satellite navigation app Waze to the autonomous driving-tech company Mobileye and the popular website builder Wix.com, Israel has a strong tech industry and success to show for it. 

One of the more controversial digital flowers that bloomed in Israel is the NSO Group. Most recently valued at $2.3 billion, the NSO Group is one of the most secretive companies in the world and a global leader in spyware technology. Their flagship product, Pegasus, named after the legendary winged horse from Greek mythology, was released in 2011 and is only licensed to governments and law enforcement for “the sole purpose of preventing and investigating terror and serious crime”, according to the company’s website.

Pegasus is sophisticated spyware that is capable of installing itself onto a victim’s device without leaving a trace. Once installed, Pegasus gains full remote access to the victim’s device. This means that Pegasus can see all of the device’s passwords, phone and message records and location, and can turn on the camera and microphone, send messages and make calls on the victim’s behalf.

What is a Zero-Click Attack?

What makes Pegasus especially advanced and hard to stop is its use of zero-click attacks to install itself on a victim’s device. Compared to the majority of spyware attacks, which are spear phishing attacks—requiring a victim to click a malicious link—zero-click attacks install software on a victim’s device without the victim ever clicking anything. This means that even if someone is careful with who they interact with, what they interact with and where they interact on the internet, they are vulnerable to zero-click attacks.

Zero-click attacks take advantage of a loophole in most devices: the system trusts data that arrives through already-trusted apps. Most downloads on modern devices either come through an app store manned by teams of hundreds of app reviewers, or have warnings associated with their online download from untrusted sources. However, there are fewer restrictions on data and downloads that reach a device via already-installed apps, such as messaging or social media apps that allow for sending data between strangers with relative ease. Recognizing this loophole, zero-click attackers target these apps, sending malicious code through channels like WhatsApp*, email and SMS messaging in an attempt to seep into the device itself. As soon as the device is compromised, the attacker effectively has access to all the functions in the victim’s phone, meaning the malicious message could be erased from the device without the victim ever knowing, leaving virtually no trace that the attack ever happened.

Why is This Important?

Pegasus remains prominently used around the world. Between August 2016 and August 2018, Pegasus spyware was found to have likely been used to spy on individuals in 45 countries. Even the FBI revealed that they purchased a Pegasus license in 2019.

Governments around the world are using Pegasus to track terrorist movements, but also to undermine political campaigns, expel ideological dissidents and suppress free speech. However, you do not have to be a politician, activist or journalist to be targeted by a Pegasus attack. 

In the connected world of digital media, people are linked to one another in more ways than ever. If someone interacted with a political party’s social media page, is seen in a photo with an activist or was on the mailing list of a controversial journalist, they could potentially be targets of a government that licenses Pegasus. Your digital presence is something that follows you for a lifetime, and Pegasus could be used to expose it.

*Meta, the parent company of WhatsApp, sued the NSO Group in 2019 for the targeted use of Pegasus to spy on 1,400 of its users. In January 2023, the U.S. Supreme Court rejected the NSO Group’s claim for immunity, which argued that the company was acting as an agent for foreign governments; the case remains ongoing in the U.S. District Court of Northern California.

In response to the first revelations of Pegasus, Edward Snowden, the famous U.S. National Security Agency (NSA) whistleblower, said that, traditionally, for an agency to access a suspect’s phone, they would need to “break into somebody’s house” with a warrant. However, with Pegasus, “they can do the same thing from a distance, with little cost and no risk” and “do it all the time, against everyone who’s even marginally of interest”.

Snowden added that this is “an industry that shouldn’t exist”. Nonetheless, it does exist, and we are seeing the consequences regularly and all around the world.

Uses of Pegasus Software

In 2011, the Mexican government became Pegasus’s first client. Since then, Mexico has been a case study for both the abundant potential for security as well as the oppression of individuals that Pegasus brings to a nation. 

As a tool designed to thwart terrorism and crime, Pegasus has been used in many high-profile cases in Mexico for that exact purpose. Pegasus has been used by the Mexican government to fight crime and bring down child abuse rings. On Christmas Eve 2011, the President of Mexico called the NSO Group to say: “I couldn't have asked for a better Christmas present. With what you gave us, we can finally eradicate the cartels”. Sure enough, the NSO Group claimed that Pegasus was used to track, and eventually capture, the notorious drug lord Joaquín “El Chapo” Guzmán Loera in February 2014, after he escaped from a maximum security prison thirteen years earlier. 

However, while the primary purpose of Pegasus is for governments to fight crime and terrorism, Pegasus’s real-world uses have extended far beyond that. 

Jamal Khashoggi was a prominent Saudi journalist who covered major stories such as the Soviet Invasion of Afghanistan and the rise of al-Qaeda’s former leader Osama Bin Laden. Khashoggi served as an advisor to Saudi Arabia’s royal family before falling out of favour and going into self-imposed exile on two separate occasions: to London in 2003 and then to the U.S. in 2017. While writing for the Washington Post in the U.S., Khashoggi published a monthly column criticizing Crown Prince Mohammed bin Salman, Saudi Arabia’s de facto ruler at the time. On September 28, 2018, Khashoggi was murdered in the Saudi Consulate in Istanbul. His body was never found and the UN issued a statement saying that Khashoggi’s death “constituted an extrajudicial killing for which the state of the Kingdom of Saudi Arabia is responsible” and that there was “credible evidence” to warrant an investigation into Prince Mohammed. Amnesty International’s Security Lab later uncovered that Pegasus was used to hack the devices of Khashoggi’s wife, new fiancee, as well as his associate Wadah Khanfar, who was an Al Jazeera journalist, within a period beginning six months before the murder. The NSO Group vehemently denies that Pegasus was used to monitor Khashoggi, his relatives or his associates, contradicting the report by Amnesty International’s Security Lab as well as Saudi Arabia’s known use of Pegasus and its tarnished human rights record.

In 2021, a list of 50,000 phone numbers was published with clues as to who may be the target of past, present and future Pegasus attacks. The list included two Turkish officials deeply involved in the Khashoggi homicide investigation. Although NSO Group called the list “exaggerated” and the origin of the list remains unknown, an investigation by The Washington Post and sixteen media partners concluded that there was a “tight correlation” between “a [phone number] on the list and the initiation of surveillance”. Reporters identified more than 1,000 numbers on the list, including 65 executives, 85 activists, 189 journalists, and more than 600 politicians, which included French President Emmanuel Macron, Pakistan’s then-Prime Minister Imran Khan and Morocco’s King Mohammed VI. However, the greatest concentration of numbers was in Mexico, which made up over 30% of the list.

In Mexico, Pegasus has been used in the suppression of journalists, democracy advocates and accusers of Mexican corruption. Javier Valdez was one of dozens of Pegasus’s victims in the country. Valdez was a Mexican journalist and founder of Río Doce, a newspaper in Sinaloa, the home of El Chapo’s Sinaloa cartel. Valdez investigated and reported on Mexican cartels, winning the International Press Freedom Award in 2011 for his courageous journalism. On May 15, 2017, Javier Valdez was shot 12 times in an assassination that was condemned by the U.S. embassy in Mexico, the EU, and the UN. It was later confirmed that Pegasus was used to infect the devices of Valdez’s wife, who was also a journalist, as well as two of Valdez’s colleagues at Río Doce.

The NSO Group and many of their clients, including Mexico, are in a constant precarious dance of bilateral reliance. Mexico’s president, Andrés Manuel López Obrador, who promised to ban the illegal spying of Mexico’s past, was elected in 2018 and has, up until now, not lived up to that promise. On the other side, Israel’s Ministry of Defense (IMOD), which must approve all exports of Pegasus, said it would not approve sales of Pegasus to countries with a risk of human rights violations. However, IMOD continues to allow Pegasus to be used in Mexico, as well as countries including Kazakhstan, Morocco and Saudi Arabia.

With Pegasus spyware, anyone can be spied on without them knowing, which could greatly impede their ability to do valuable work. We are nearing a reality where journalists can’t conduct interviews without endangering themselves and their sources, activists can’t hold meetings without risking government raids, and opposition politicians can’t plan campaigns without the party in power anticipating their every move. 

What is Being Done

In recent years, human rights activists in the EU have been lobbying to ban Pegasus. In 2021, despite licensing Pegasus just two years earlier, the U.S. put NSO Group on the Entity List, heavily restricting its ability to conduct business in the U.S. This signalled a sharp revision of the U.S.’s stance on the technology: from embracing the innovative spyware to essentially banning it and citing the threat it poses to “the privacy and security of individuals and organizations”.

Meanwhile, in the private sector, Apple and Google, which make up 99.3% of the mobile operating system market, have been taking action to protect their users’ digital privacy.

In July 2022, Apple launched “Lockdown Mode” on their devices, specifically designed to protect iPhone, iPad and Mac users from “highly sophisticated cyber attacks”, as detailed by the company’s website. The feature heavily restricts access to most apps, affecting both users and attackers, since apps are the most common attack points for zero-click attacks. The feature immediately paid dividends. It was reported that Apple’s “Lockdown Mode” successfully blocked one of “at least 3” instances of a Pegasus attack conducted by the Mexican Army in October of 2022 against two Mexican human rights defenders. The report was published in 2023 by the Citizen Lab, a human rights watchdog based out of the University of Toronto, whose researchers have been targeted by international undercover agents in the past.

Meanwhile, Google has a Threat Analysis Group (TAG): a specialized team that “detects, analyzes, and disrupts serious and government-backed threats against Google and its users”. Additionally, Google is in the third year of a five-year pledge to invest $10 billion into cybersecurity, which includes commitments to protect users from “nation-state actors” and other cybercriminals, according to Kent Walker, Google’s President of Global Affairs.

How People Can Protect Themselves

It is so vital to stay connected in today’s digital society that even technology like Pegasus shouldn’t have anyone running for the hills and switching to pigeon post. Whether you are optimistic or pessimistic about the uses of spyware technologies such as Pegasus, it is inevitable that spyware will continue to be used by entities around the world, for good and for bad. 

While it is nearly impossible to fully protect your device from a Pegasus attack—Edward Snowden compared it to protecting oneself from nuclear weapons—there are ways to better secure your device from those who may not have your best interests at heart. 

Protecting yourself from spear-phishing attacks is straightforward: never click on suspicious links and always think twice before divulging personal information, especially to people you do not know. These precautions are especially important in a world where 1.2% of all emails are malicious and, each year, 88% of organizations face spear phishing attacks. 

Moreover, aside from protecting your device from spear phishing attacks, there are precautions you can take against zero-click attacks. 

Firstly, it is important to ensure that your device’s software is kept up to date. The companies behind the operating systems on most devices—including Apple iOS and Google Android—are constantly patching exploitable software and adding features to make their devices safer. By updating your device promptly, you are ensuring that any new security patches are installed on your device and attackers have a smaller window to take advantage of known vulnerabilities.

Moreover, hackers rely on a large surface area to carry out their attacks, meaning the more points of entry on a device, the easier it will be for them to find weaknesses in one of them. To reduce your device’s attack surface, you should disable pop-ups and delete apps that you do not need. For essential apps, you should always download the official version from developers that you trust and make sure to keep them up-to-date.

Future of Pegasus

Despite the dangers when misused, it is hard to deny that Pegasus truly has potential for good when in the right hands. We can only imagine how the world could be different if Pegasus was around, and used for prevention, during 9/11, the Madrid Train Bombings or other similar tragedies. The question is, who decides who the right hands are? 

Companies, including the NSO Group, often have profit goals and shareholder interests at heart. Meanwhile, countries have internal, geopolitical, and economic interests that could influence their actions, including decisions about who to target or avoid targeting and which parties have access to powerful tools like Pegasus. Since 2019, Ukraine has been lobbying Israel to get access to Pegasus but has been refused, including at the onset of the Russia-Ukraine War, reportedly due to Israel’s fear of angering Russian officials by licensing Pegasus to a regional foe. Since Pegasus licensing currently requires the approval of Israel’s Ministry of Defense, Pegasus is frequently used as a bargaining chip supporting Israeli foreign policy.

Maybe technologies like Pegasus should fall under the oversight of a supranational entity like the United Nations. The UN could be a calming force to provide oversight, establish ethical guidelines and ensure that all uses of Pegasus comply with international human rights laws. But the UN likely won’t be able to develop Pegasus in the way the NSO Group can. Additionally, what would be the incentive for the future development of bleeding-edge technologies that walk the line of good and evil in the name of technological development?

Either way, with each passing year, the world risks the emergence of more technologies that threaten our data, democracies, and lives. In a world where our online identities become increasingly prominent, we need to continue to advocate for companies and countries to prioritize people’s online safety. This needs to include implementing policies that make clear when individual data can be legally accessed; for example, in a criminal investigation or in cases, beyond reasonable doubt, of illegal activity. Moreover, as cyberweapons become more powerful, and cybercrime has become a common prelude for physical crime, it is crucial to punish cybercriminals and cybercrime enablers in the second degree for any crimes that result from their actions and the careless distribution of their technologies. Finally, the world, including both the public and private sectors, must continue investing heavily in cybersecurity infrastructure and developing technologies that can protect their people and users from cyberattacks. We must continue developing vaccines for the digital viruses we know are coming.