NSO Group Pegasus

https://www.amnesty.org/en/latest/news/2021/07/the-pegasus-project/

https://www.theguardian.com/news/video/2021/jul/19/pegasus-the-spyware-technology-that-threatens-democracy-video

1 Like

This is an interesting read, too: https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/

I see that it’s linked in the OP, but I thought I would draw attention to it. It shows how browser redirects divert to infection sites (I think!).

2 Likes

See this thread from January as well:

https://forums.puri.sm/t/the-spy-in-your-phone-by-al-jazeera-world/11638

2 Likes

That’s why easy to use hardware kill-switches should be default on every mobile device with sensors and wireless connection. Good point: Purism devices have it all … but bad point: I don’t know any other device (at least phones) with such kill-switches (Pinephone has no “easy to use” ones).

Oh and by the way … as far as I know, the spyware of NSO Group Pegasus is used for iOS and Android, not on Linux. As long as Linux is no common OS for phones, we have an additional protection against default hacks.

5 Likes

There’s more to it than that, as far as I can tell.

  • People use http. You can’t hijack (redirect), in the way described, a request to e.g. yahoo.fr if the request is to https://yahoo.fr - so first and foremost users should always use the secure version where possible and use a browser extension that makes that automatic.

However, and this is a shocker, if you visit yahoo.fr securely, it returns a legitimate but insecure redirect location i.e. you could hijack the subsequent HTTP request. (To be fair, the original domain does supply HSTS information but I would have to go read the HSTS RFC to see what it says about redirects and perhaps some older web browsers don’t even support HSTS. At best, yahoo is relying on correct browser HSTS implementation.)

The general point about always using https is a complicated area however because the report talks about following links that are posted in social media. Should social media automatically upgrade any link that one user posts that is insecure for the benefit of that user’s friends / contacts? (The social media platform will typically preview the link anyway, so it will have accessed the original URL and could have verified whether it will work as https instead and if so whether the content is “the same”.)

The report also talks about insecure links carried in text messages. Should the logic that you can add to your browser for upgrading security automatically be added to text message clients?

Adding this paragraph: One other comment about redirects: The malware is using redirects extensively in order to obscure where the redirect is really going. I believe that this is in order to avoid measures, such as blocking, being deployed against its infrastructure.

  • Regardless of all of the above, there has to be a serious exploit to use for the infection. The report talks about a vulnerability on iOS in the JavaScript implementation.

And it looks like there may be a bug in handling iMessages directed to email addresses that contain the NUL character (a classic C-legacy flaw).

So overall, Apple needs to lift its game.

There are many ways to get users to visit malicious web sites but that only really matters when there are zero-day exploits available for when the visitor arrives.

3 Likes
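
On the HSTS-and-redirects question raised in the post above, an added example (not written by anyone in this thread): RFC 6797 has the browser rewrite any `http://` URL for a known HSTS host to `https://` before sending the request, redirect targets included, and ignore the header when it arrives over plaintext. The sketch below audits a redirect chain under those rules. The host names are constructed placeholders, the function names are this example's own, and `max-age` expiry over time is not modelled.

```python
from urllib.parse import urlsplit

def parse_hsts(value):
    """Return (max_age, include_subdomains), or None if max-age is missing or invalid."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and arg.strip().strip('"').isdecimal():
            max_age = int(arg.strip().strip('"'))
        elif name.strip().lower() == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

def hsts_covers(store, host):
    """True if host, or a parent domain that set includeSubDomains, is a known HSTS host."""
    labels = host.split(".")
    for i in range(len(labels)):
        policy = store.get(".".join(labels[i:]))
        if policy and (i == 0 or policy[1]):
            return True
    return False

def audit_chain(hops, store=None):
    """hops: (url, response_headers) pairs in request order. Returns a verdict per hop."""
    store = dict(store or {})  # HSTS hosts the browser already knows (assumed input)
    verdicts = []
    for url, headers in hops:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme == "https":
            verdict = "secure"
        elif hsts_covers(store, host):
            verdict = "upgraded-by-hsts"   # browser rewrites http:// before sending
        else:
            verdict = "plaintext"          # request is visible and modifiable in transit
        verdicts.append(verdict)
        sts = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
        # A header received over plaintext must be ignored (RFC 6797 section 8.1)
        policy = parse_hsts(sts) if sts and verdict != "plaintext" else None
        if policy and policy[0] == 0:
            store.pop(host, None)          # max-age=0 removes the host
        elif policy:
            store[host] = policy
    return verdicts

# Constructed sample chain: an HTTPS page whose redirects point at http:// URLs
CHAIN = [
    ("https://portal.example.test/", {"Strict-Transport-Security": "max-age=31536000"}),
    ("http://portal.example.test/fr/", {}),
    ("http://cdn.example.test/home", {}),
]
```

`audit_chain(CHAIN)` marks the second hop as upgraded, because the first response set a policy for that host, and the third hop as plaintext, because the policy has no `includeSubDomains` and does not reach a different host.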