Over the last few weeks a shocking revelation spread like wildfire in the media, centring on NSO Group's Pegasus spyware, which has been used to infect the smartphones of politicians, journalists and other persons of interest and eventually to spy on them.
The geography of the targets is telling: none of these people were located in the USA, Russia, the People's Republic of China, Iran, the Democratic People's Republic of Korea or Israel, which suggests a Tier 2 operation at best. (In 2021, or even in the late 2010s, one would expect something more sophisticated than a multi-platform spyware, such as a cross-platform or architecture/container-based one, before thinking of a Tier 1 op.)
The media frenzy is justified, as most of the targeted persons were media workers and NGO activists; however, a king, a prime minister and a president were also on the list.
Interestingly, NSO's Pegasus, which is already obsolete, became a worldwide headline at exactly the time when a newer and much more potent spyware, Candiru/Sherlock, was exposed.
The whole investigation allegedly started when a whopping 50,000-entry target list, complete with phone numbers, was leaked about two years ago. And during those two years Pegasus was watched by ITSec specialists around the clock, to the extent that newly observed exploit chains were documented and independent NGOs were even able to write forensics playbooks for identifying the spyware on a device (Amnesty International's Security Lab published both its forensic methodology and the Mobile Verification Toolkit it used).
With much already said about the purposes of such spyware, it can be said that for every terrorist, narcotrafficker and paedophile there was also one political opponent on the target list, meaning that mankind plays the exact same games it has played since day one of organized power.
Yet what is of utmost importance is that the targeted persons, while apparently in the know about many big things, knew nothing about the number one rule:
Rule No. 1: Commercial Communication Devices Were Built With Eavesdropping Made Easy
In terms of smartphones this means that as long as you are using Android, iOS or any Windows derivative, it is you who leaves the front and back doors wide open. There are literally thousands of articles describing individual vulnerabilities in these operating systems and in the over-the-air update mechanism these devices rely on. Installing those updates promptly closes the bugs that have already been found; it does nothing against the unpublished ones an operator has paid for. So you have been forewarned a thousand times already.
There are a number of enterprises openly buying zero-click exploits (and a whole lot more than that) targeting these platforms, and those exploits find their way into spyware like Pegasus or Candiru. With a quick payment of 1 to 2.5 million US dollars on offer, it is understandable that there will always be someone to provide them.
So what is there to do?
Ditch Windows-derived mobile systems, iOS and Android. It is that easy, folks. Before arguing about availability, it would be advisable to look at the hundreds of mobile operating systems that are seldom targeted precisely because few people use them: an exploit market that pays millions per chain invests where the users are. Rarity is not immunity, though; it only means nobody has bothered yet, and a niche OS still runs on the same baseband and radio as everyone else. So, if you want to be safe, leave the herd and walk your own way.
Rule No. 2: Your Number Is Collected When You Meet Persons You Shouldn't
Your number isn't in the possession of these operators by some magic. It is because they are already trailing some persons they are interested in. And when you bump into your interesting friend they will gather your phone's identity by some easy close-in direction finding, which more often than not is done with a mini pseudo-mobile tower that your phone will connect to, because that is what mobile phones do: the fake cell logs the IMSI (and often the IMEI) of every handset that attaches, and the subscriber identity maps straight to your number. These surveillance devices are called IMSI-catchers and have been around for at least two decades (a Rohde & Schwarz patent dates from 2003, and the Harris StingRay has been in documented use since at least 2012). There are some promising IMSI-catcher detector/blocker applications; however, they have the same shortcoming as any anti-spyware method:
By default you do not have root or sudo (that is, full) rights on your own Android or iOS device, so a detector app only sees what the operating system chooses to expose to it, which usually excludes the ciphering indicator and the baseband's own view of the network. You can 'root' or 'jailbreak' your device, but then you lose the ability to use a large share of the apps designed for these platforms, since banking, payment and DRM-protected apps refuse to run on a modified device.
So, is there a way to prevent your phone number from landing in the hands of operators doing their close-in surveillance work?
Yes. Without turning off your device, put it into a Faraday bag whenever conducting risky business, and seal it before you approach the meeting place rather than on arrival: a catcher only needs the few seconds your phone takes to attach. As an added bonus your RFID cards (such as your debit/credit card) cannot be read by clandestine card readers while in the bag.
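As an added illustration of what an IMSI-catcher detector actually looks for (this is example code written for this page, not code from the post or from any detector app), the following scores serving-cell samples against the classic heuristics: a cell never seen before, a forced downgrade to GSM while the signal is unusually strong, weak or absent GSM ciphering, and an empty neighbour list. It assumes the samples come from something that exposes the ciphering indicator and neighbour list, such as a rooted phone's baseband diagnostics or an SDR, which is exactly what a stock phone does not give an app, as noted above. The field names, thresholds, cell numbers and samples are all constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class CellObservation:
    """One serving-cell sample. Field names are this example's own, not a real app's API."""
    t: int                  # seconds since capture start
    rat: str                # "LTE", "UMTS" or "GSM"
    lac: int                # LAC (GSM/UMTS) or TAC (LTE)
    cid: int                # cell identity
    rssi_dbm: int           # received signal strength
    cipher: Optional[str]   # GSM ciphering algorithm if the baseband exposes it, else None
    neighbors: int          # number of neighbour cells the cell advertises


@dataclass
class Alert:
    t: int
    cid: int
    score: int
    reasons: List[str]


def analyse(observations: List[CellObservation],
            known_cells: Set[Tuple[int, int]],
            threshold: int = 3) -> List[Alert]:
    """Score each sample against IMSI-catcher heuristics and return those at or above
    the threshold. No single heuristic is conclusive on its own: a rural cell can be
    legitimately 2G-only, and a freshly built site is unknown to everyone."""
    known_lacs = {lac for lac, _ in known_cells}
    alerts: List[Alert] = []
    prev: Optional[CellObservation] = None
    for obs in observations:
        reasons: List[str] = []
        score = 0
        if (obs.lac, obs.cid) not in known_cells:
            reasons.append("cell not in known-cell list")
            score += 1
        if obs.lac not in known_lacs:
            reasons.append("LAC/TAC never seen in this area")
            score += 1
        if prev and prev.rat in ("LTE", "UMTS") and obs.rat == "GSM" and obs.rssi_dbm > -75:
            # A catcher forces 2G (easier to intercept) and sits close by, hence the strong signal.
            reasons.append("downgrade to GSM with strong signal")
            score += 2
        if obs.rat == "GSM" and obs.cipher in ("A5/0", "A5/2"):
            reasons.append(f"weak or no ciphering ({obs.cipher})")
            score += 2
        if obs.neighbors == 0:
            # Catchers advertise no neighbours so the phone never hands back to a real cell.
            reasons.append("no neighbour cells advertised")
            score += 1
        if score >= threshold:
            alerts.append(Alert(obs.t, obs.cid, score, reasons))
        prev = obs
    return alerts


# Constructed sample: known cells of an office area, then a suspicious GSM cell appearing
# with a strong signal, no ciphering and no neighbours, then normal service again and a
# legitimate 2G fallback to a known cell with a weak signal.
KNOWN_CELLS = {(1234, 40111), (1234, 40112), (1234, 40113)}
SAMPLE = [
    CellObservation(0,   "LTE", 1234, 40111, -85, None, 6),
    CellObservation(60,  "LTE", 1234, 40112, -80, None, 5),
    CellObservation(120, "GSM", 1234, 65000, -58, "A5/0", 0),
    CellObservation(180, "LTE", 1234, 40111, -82, None, 6),
    CellObservation(240, "GSM", 1234, 40113, -95, "A5/3", 4),
]

if __name__ == "__main__":
    for a in analyse(SAMPLE, KNOWN_CELLS):
        print(f"t={a.t}s cell {a.cid} score {a.score}: " + "; ".join(a.reasons))
```

Run as a script it reports only the sample at t=120 (score 6, four reasons); the 2G fallback at t=240 scores nothing because the cell is known, the signal is weak and it ciphers with A5/3. The known-cell list is the part that needs real work: it has to be built from your own earlier captures in the same area, since a catcher can clone a known cell's identity and then only the other heuristics remain.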
Rule No. 3: If You Want to Communicate Privately, You Have to Use One-Time Pads
One thing you need to understand if you want to live a life where there is a need for privacy: there is no other mathematically unbreakable encryption than the one-time pad. Period. The proof (Shannon, 1949) holds only under its conditions: the pad is truly random, at least as long as the message, kept secret, and never used twice.
It is cumbersome, slow and uncomfortable, yes, but if you don't decipher your messages in front of a camera and you don't forget to destroy the one-time pad as soon as you finish decrypting, the ciphertext itself is of no use to anyone. One caveat: a pad gives confidentiality, not integrity. Anyone who can guess part of a message can flip bits in the ciphertext to change it without knowing the pad, so agree on some form of authentication (at the very least a checksum inside the encrypted text) as well.
Take Signal for example. Both NSO Pegasus and Candiru are able to read your Signal messages, even though neither is able to break Signal's encryption. What they can do is obtain full root permissions on your device and then read the messages after they have been decrypted: by reading the app's local store, capturing the screen as you read and write, or logging keystrokes. Signal's screen-security setting is enforced by the operating system, and an implant running at the admin/kernel level is not bound by it.
So, as long as you are using one-time pads, no one in the world can read your private messages from the ciphertext, and it will stay that way no matter how far technology evolves; what remains to be protected is the pad itself and the endpoint on which you read the plaintext.
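To make the properties claimed for the one-time pad concrete, here is an added example (written for this page, not code from the post): the XOR pad itself, the perfect-secrecy argument (any same-length plaintext is explained by some pad), what reusing a pad leaks, the bit-flipping attack that shows why a pad gives no integrity, and zeroing the pad after use. The messages are constructed; the helper names are this example's own.

```python
import os


def generate_pad(length: int) -> bytes:
    """A pad must be truly random, at least as long as the message, and used once.
    os.urandom draws from the OS CSPRNG; a PRNG seeded from a passphrase is NOT a pad."""
    return os.urandom(length)


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """XOR with the pad. XOR is its own inverse, so the same call encrypts and decrypts."""
    if len(pad) < len(data):
        raise ValueError("pad shorter than message: never stretch or reuse a pad")
    return bytes(d ^ k for d, k in zip(data, pad))


def key_that_explains(ciphertext: bytes, claimed_plaintext: bytes) -> bytes:
    """Perfect secrecy in one line: for ANY plaintext of the same length there is a pad
    that turns this ciphertext into it, so the ciphertext alone proves nothing about
    which message was sent (the length is the only thing it reveals)."""
    if len(claimed_plaintext) != len(ciphertext):
        raise ValueError("only messages of the same length are equally plausible")
    return otp_xor(ciphertext, claimed_plaintext)


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """What a pad reused for two messages leaks: c1 XOR c2 == m1 XOR m2. The pad cancels
    out and the attacker is left with a crib-dragging puzzle that needs no key at all."""
    return otp_xor(c1, c2)


def tamper(ciphertext: bytes, offset: int, known: bytes, desired: bytes) -> bytes:
    """No integrity: an attacker who knows (or guesses) the bytes `known` at `offset`
    can replace them with `desired` in the ciphertext without ever seeing the pad,
    because (m ^ k) ^ (m ^ m') == m' ^ k."""
    if len(known) != len(desired):
        raise ValueError("substitute text must be the same length")
    c = bytearray(ciphertext)
    for i, (a, b) in enumerate(zip(known, desired)):
        c[offset + i] ^= a ^ b
    return bytes(c)


def destroy(pad: bytearray) -> None:
    """Overwrite a used pad in place. Only a mutable buffer can be zeroed in Python;
    an immutable bytes object may linger in memory, one reason real pads live on paper
    or dedicated hardware rather than inside a general-purpose process."""
    for i in range(len(pad)):
        pad[i] = 0


if __name__ == "__main__":
    msg = b"meet at noon"                       # constructed sample message
    pad = generate_pad(len(msg))
    ct = otp_xor(msg, pad)
    assert otp_xor(ct, pad) == msg
    # Deniability: the same ciphertext "is" a different message under another pad.
    assert otp_xor(ct, key_that_explains(ct, b"stay at home")) == b"stay at home"
    # Reuse: the pad drops out entirely, leaving m1 ^ m2.
    other = otp_xor(b"sell at dawn", pad)
    assert two_time_pad_leak(ct, other) == otp_xor(msg, b"sell at dawn")
    # Malleability: flipping bits changes the decrypted text predictably.
    assert otp_xor(tamper(ct, 8, b"noon", b"dawn"), pad) == b"meet at dawn"
    buf = bytearray(pad)
    destroy(buf)
    print("all one-time pad properties demonstrated; pad zeroed")
```

The tamper step is the one worth dwelling on: the recipient decrypts "meet at dawn" with no indication anything changed, which is why a pad on its own is not a complete messaging protocol; a second pad segment spent on an authentication tag, or at minimum a checksum inside the encrypted text, closes that gap.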
Pegasus, Candiru et al: 3 Easy Ways to Evade Professional Surveillance