Pegasus (spyware)

from Wikipedia, the free encyclopedia

Pegasus is spyware from the Israeli company NSO Group for spying on iOS and Android devices. The software can access all data on the device unnoticed and send it over the Internet. Pegasus was discovered and analyzed in August 2016 by the security company Lookout and by Citizen Lab (University of Toronto). It is considered a professional product and is marketed primarily to states.

Journalists, human rights activists and politicians have been spied on with the help of Pegasus.

Discovery

Ahmed Mansoor, an internationally known human rights activist from the United Arab Emirates, received text messages on his iPhone 6 (iOS version 9.3.3) on August 10 and 11, 2016, which promised new information about human rights violations and contained a link to a webpage that supposedly revealed new secrets. The sole purpose of this SMS was to get the user to click the link (drive-by download). Instead of clicking the link, Mansoor forwarded the message to a security specialist at Citizen Lab, who opened the link in a protected analysis environment and thus discovered the attempted hack.

Analysis

During an initial investigation, Citizen Lab found that the link belonged to a so-called "exploit infrastructure" of the Israeli company NSO Group, since the domain used, sms.webadv.co, and its IP address had already attracted suspicion during analyses of other cases. This company markets an iOS spyware product under the name Pegasus as a software service exclusively to government agencies, criminal investigators and intelligence agencies. According to Lookout, an estimated USD 25,000 is charged per target.

Further joint investigations by Citizen Lab and Lookout uncovered a chain of so-called "zero-day" exploits, that is, security holes in a software product that are not yet publicly known. Such unknown holes are rare and correspondingly expensive on the black market (up to 1 million euros per hole). A professional origin of this software is therefore considered certain. The use of three such "zero-day" exploits in one chain is remarkable. Code fragments suggest that Pegasus dates back as far as iOS version 7.

The chain was christened "Trident" and consists of the following vulnerabilities, which are exploited in the specified order:

  1. CVE-2016-4657: A vulnerability in iOS WebKit that allows a website, when opened, to break out of its intended environment (sandbox).
  2. CVE-2016-4655: A vulnerability in the operating system kernel (up to version 9.3.5) through which the exploit can determine memory addresses.
  3. CVE-2016-4656: An error in the memory management of the iOS kernel (up to version 9.3.5) that allows a jailbreak. Specifically, the exploit can override iOS protection mechanisms and install spy software with unrestricted rights on the device.

Fixes in iOS 9.3.5

After Apple was informed of the security vulnerabilities on August 15, 2016, the company released an update, iOS 9.3.5, on August 25, 2016 that closed them. It can be assumed that Pegasus no longer runs on already infected iOS devices after the update. Given the high price per target ($25,000), it is unlikely that a large number of users have been infected with Pegasus.

Functions

After the link is clicked, the vulnerabilities are exploited in the order mentioned above and a so-called "hidden jailbreak" is carried out. Safari opens briefly for the user and then closes again automatically, without anything indicating the infection.

During installation, the Pegasus spyware checks whether a jailbreak has already taken place, deactivates the auto-update function in order to avoid security updates, and embeds itself in the operating system with root rights. The battery status is monitored and the type of network connection is taken into account, so that spied data is transmitted only in encrypted form and only via WLAN to a command & control server (C&C), to avoid suspicious data consumption on the cellular network. A sophisticated self-destruct mechanism is also integrated, which completely uninstalls Pegasus if suspicious activity (tracking) is detected.

Based on the libraries present in the software, the researchers were also able to identify the following functions:

The program thus offers all the functions that are also used for state online searches or source telecommunications surveillance.

The Financial Times reported in July 2019 that Pegasus could not only access the devices, but also silently access data in associated cloud accounts by copying the authentication key. Such access remains possible even after the program has been removed from the smartphone.

Use

Germany

At the end of October 2017, the Federal Criminal Police Office (BKA) received representatives of NSO. Shortly before, in August 2017, a law had been passed that allowed the BKA to secretly infiltrate digital devices. However, no agreement was reached because the BKA's lawyers classified the use of Pegasus as unconstitutional. Reference was made to the Federal Constitutional Court's judgment of the First Senate of February 27, 2008 (1 BvR 370/07, paras. 1–333). In it, the court affirmed that everyone has a "fundamental right to the guarantee of the confidentiality and integrity of information technology systems". Hacking devices is therefore only permitted in exceptional cases, namely when there is a specific danger. Even during an infiltration, the "core area of private life" must be protected.

According to information from Zeit Online, the NSO Group was keen to win Germany as a customer and lowered its price significantly. According to the newspaper, this was done to improve the company's image, as it had previously sold its services only to "dubious" countries. However, no contract was concluded, because Pegasus extracts almost all of the data of those hacked, which violates the German constitution, and NSO refused to sell a restricted version of its product that would respect the privacy of those affected.

In the summer of 2019, NSO representatives spoke with the Bavarian State Criminal Police Office and, on September 24, 2019, with the Bavarian Interior Minister Joachim Herrmann (CSU). However, the Bavarian police are said not to have bought Pegasus. Die Zeit had asked all the federal states and the federal government whether NSO products were in use. All denied the use of Pegasus by the police, but refused to provide information about the constitutional protection authorities.

Spying on journalists, human rights activists and politicians

In 2020, a list of more than 50,000 phone numbers was leaked to Amnesty International and Forbidden Stories (the latter a nonprofit media organization based in Paris). The two organizations assumed that the numbers were targets selected by customers of the Israeli cyber weapons company NSO Group. They shared their suspicions and all the information they had received with 17 media outlets: The Guardian (Great Britain), Le Monde and Radio France (France), Die Zeit, Süddeutsche Zeitung, WDR and NDR (Germany), The Washington Post, CNN and Frontline (USA), Haaretz (Israel), Aristegui Noticias and Proceso (Mexico), Knack and Le Soir (Belgium), The Wire (India), Daraj (Syria), [9] Direkt36 (Hungary) and OCCRP (international). These media outlets then joined together to form a research network under the name Pegasus Project and jointly evaluated the information received.

During their research into the Pegasus software scandal, they found that around 15,000 of the 50,000 phone numbers came from Mexico. They also found that the numbers belonged to hundreds of business people and executives, religious figures, journalists and other media workers, human rights activists, NGO workers, union officials, military personnel, other civil servants and politicians. In July 2021, the media involved in the research announced that the suspicion had been confirmed. The research network found that the states that used Pegasus for surveillance include Mexico, India, Morocco, Indonesia, Saudi Arabia, the United Arab Emirates, Kazakhstan, Azerbaijan, Togo, Rwanda and the EU member state Hungary.

Among the monitored phone numbers are several belonging to politicians in the highest offices: Emmanuel Macron (President of France), Barham Salih (President of Iraq), Cyril Ramaphosa (President of South Africa), King Mohammed VI of Morocco, Ahmed Obeid bin Daghr (Prime Minister of Yemen), Saad Hariri (Prime Minister of Lebanon), Ruhakana Rugunda (Prime Minister of Uganda), Édouard Philippe (Prime Minister of France), Noureddine Bedoui (Prime Minister of Algeria), Charles Michel (President of the European Council), Imran Khan (Prime Minister of Pakistan), Mostafa Madbouly (Prime Minister of Egypt), Bakytzhan Sagintayev (Prime Minister of Kazakhstan) and Romano Prodi (spied on while working as UN Special Envoy).

Morocco

There are indications that Morocco makes extensive use of the Pegasus software for espionage. The leaked list contained around 10,000 entries related to Morocco. These included numbers of the Moroccan royal family, of the king (Mohammed VI) himself and of close contacts of the king, which sparked speculation about palace intrigue. There are also some French phone numbers on the list, which were added around 2019. These include the numbers of numerous French politicians, specifically President Emmanuel Macron, Édouard Philippe and François de Rugy. Other politicians around the world whom Morocco could have spied on are also affected, including the Algerian Prime Minister Noureddine Bedoui and the Egyptian Prime Minister Mostafa Madbouly, as well as Charles Michel (former Belgian Prime Minister), Barham Salih (Iraqi President), Bakytzhan Sagintayev (Kazakh Prime Minister), Saad Hariri (Prime Minister of Lebanon), Imran Khan (Pakistani Prime Minister), Cyril Ramaphosa (South African President), Ruhakana Rugunda (Ugandan Prime Minister) and Ahmed Obaid Bin-Dagher (Prime Minister of Yemen).

Mexico

In Mexico, Alejandro Solalinde was monitored. The phone of Cecilio Pineda Birto, a Mexican journalist, was also monitored before he was murdered in March 2017. In addition, at least 50 people around the Mexican President, Andrés Manuel López Obrador, were spied on, including his wife, children and doctors.

India

In India, Rahul Gandhi and Stan Swamy were among those spied on.

Hungary

Hungary under Prime Minister Viktor Orbán is said to have used Pegasus against investigative media, as the leaked data showed. Hungary's government is suspected of hacking the phones of investigative journalists and of targeting media owners. The targets were journalists and other people with oppositional views. Examination of the cell phone of the journalist Szabolcs Panyi showed that the spyware was active on it for about six months in 2019. András Szabó, like Panyi an editor at the Hungarian investigative team Direkt36, was also attacked with Pegasus. The attack was presumably related to research on a Russian investment bank. The editor-in-chief of a local newspaper, David Dercsenyi, and Zoltán Varga, a businessman who supports opposition media, were also monitored.

Some of the victims report that government officials told them they were being monitored. The Hungarian government hesitantly denied the activity.

Saudi Arabia

In autumn 2018, the Saudi journalist Jamal Khashoggi was murdered in Turkey by Saudi Arabian state actors. Research by the Pegasus Project showed that many people in his circle were allegedly deliberately spied on with this tool. The former UN Special Rapporteur on Extrajudicial Executions, Agnès Callamard, had previously suspected that the cell phones of people close to Khashoggi had been infected with Pegasus. NSO repeatedly denied this, and company boss Shalev Hulio told the US broadcaster CBS that he could say "very clearly" that the company "had nothing to do with this terrible murder". However, the Pegasus Project showed that Khashoggi's family, friends and colleagues were targets of espionage using Pegasus both before and after the crime. Their numbers appear on a list of telephone data that NSO customers had entered as possible surveillance targets. The cell phone of the Turkish chief investigator in the murder case, Attorney General İrfan Fidan, is also listed. Khashoggi himself, however, does not appear on the list.

An analysis by Amnesty International's Security Lab found that the mobile phone of Khashoggi's fiancée, Hatice Cengiz, was infected with Pegasus on October 6, 2018, four days after the crime. Cengiz had accompanied Khashoggi to the Saudi consulate and waited for hours outside the door for his return. The Turkish politician Yasin Aktay, an advisor to Turkish President Recep Tayyip Erdoğan and a friend of Khashoggi, was also affected. Cengiz called him at 4:41 pm that day because her fiancé had not returned. The list also includes three phone numbers of Wadah Khanfar, the former head of the television station Al Jazeera and a friend of Khashoggi. Khanfar has been working to solve the crime since it took place.

Amnesty International's analysis of the NSO data suggests that the surveillance of some family members and friends was commissioned from NSO by a close ally of Saudi Arabia, the United Arab Emirates. The data also suggest that surveillance of Khashoggi's circle was interrupted after the murder and resumed in spring 2019. The weekly newspaper Die Zeit cites two sources close to NSO, according to which the business relationship with Saudi Arabia was halted in 2018 but Pegasus was reactivated for the Saudis a few months later at the request of the Israeli government under Benjamin Netanyahu.

The women's rights activist Loujain al-Hathloul is also among those who were surveilled in Saudi Arabia.

Spain

In Spain, politicians from the Catalan independence movement, including the President of the Parliament of Catalonia Roger Torrent, Anna Gabriel i Sabaté (Prime Minister of the Province of Barcelona) and Ernest Maragall i Mira, were targeted by espionage.

United Arab Emirates (UAE)

In the UAE, among others, Haya bint al-Hussein and Latifa bint Mohammed Al Maktoum and their entire circle, including John Gosden, were spied on. The phones of the human rights activists Alaa al-Siddiq and Ahmed Mansoor, as well as those of Asian and European human rights activists and of 3,000 Qataris, were also monitored at the instigation of the UAE.

Reactions

NSO responded to the journalists' allegations by asserting that it rigorously reviews its clients' human rights records before allowing them to use its espionage tools, and by rejecting "false claims" about its clients' activities, but said it would "continue to investigate and take appropriate action" on all credible allegations of abuse. A few days after the publications, Amazon responded by banning NSO Group Technologies from its AWS cloud. The reason given was that the AWS Terms of Service do not permit hacking.

The German Association of Journalists (DJV) called for clarification: the German security authorities and intelligence services should establish whether German journalists had also been spied on with Pegasus.

Edward Snowden called for a ban on the spyware trade following the Pegasus revelations: "If you don't do anything to stop this technology from being sold, it won't just be 50,000 targets. It's going to be 50 million targets and it's going to happen a lot faster than anyone expects us to." Comparing it to the 2013 NSA affair, he said: "It's shocking. (...) It's about journalists, it's about government officials, it's about representatives of the opposition, it's about human rights activists. (...) Of course, I have long suspected that surveillance capabilities are being abused. We saw that in 2013. But at that time it was exclusively governments that mostly worked internally and put pressure on commercial providers. The whole thing still had a facade of legitimacy or legality, procedures and processes."

Amazon said it had already ceased some of its business relationships with NSO. Meanwhile, Apple's share price fell as customers worried about the security of their data.

References

  1. Pegasus: Android version of the sophisticated state Trojan surfaces. In: heise.de, April 4, 2017, accessed January 23, 2020.
  2. Spyware for iOS and Android: Pegasus is said to be able to steal data from cloud services. In: heise.de, July 22, 2019, accessed January 23, 2020.
  3. Marketing Brochure. In: documentcloud.org, accessed August 29, 2016.
  4. The Million Dollar Dissident: NSO Group's iPhone Zero-Days used against a UAE Human Rights Defender. In: citizenlab.org, August 24, 2016, accessed August 29, 2016.
  5. Technical Analysis of Pegasus Spyware. In: lookout.com, accessed August 29, 2016.
  6. CVE-2016-4657
  7. CVE-2016-4655
  8. CVE-2016-4656
  9. About the security content of iOS 9.3.5. In: apple.com, August 25, 2016, accessed August 29, 2016.
  10. Revealed: leak uncovers global abuse of cyber-surveillance weapon. July 18, 2021, accessed July 18, 2021.
  11. Thomas Brewster: Everything We Know About NSO Group: The Professional Spies Who Hacked iPhones With A Single Text. Accessed July 18, 2021.
  12. Surveillance: Pegasus spy software can probably access cloud data. In: Die Zeit, July 19, 2019.
  13. First Senate of the Federal Constitutional Court: Federal Constitutional Court, Decisions. February 27, 2008, accessed July 19, 2021.
  14. Kai Biermann, Holger Stark: Surveillance affair: The super weapon and the Germans. In: Die Zeit, July 19, 2021, accessed July 19, 2021.
  15. Pegasus espionage software: Cyber attack on democracy. In: Zeit Online, July 18, 2021, accessed July 18, 2021.
  16. Frederik Obermaier, Bastian Obermayer: How the Pegasus Project research was carried out. In: Süddeutsche Zeitung, July 18, 2021.
  17. About The Pegasus Project | Forbidden Stories. Accessed July 22, 2021 (English).
  18. Daraj: Israel Helped Over Ten Countries Tap Over 50,000 Phones. July 18, 2021, accessed July 22, 2021 (English).
  19. Panyi Szabolcs: Hungarian journalists and critics of Orbán were targeted with Pegasus, a powerful Israeli cyberweapon. In: Direkt36, July 19, 2021, accessed July 22, 2021 (English).
  20. Le "projet Pegasus": un logiciel espion utilisé par des États pour cibler des politiques, des journalistes, des avocats. In: France Info, July 18, 2021, accessed July 19, 2021 (French).
  21. FT editor among 180 journalists identified by clients of spyware firm. July 18, 2021, accessed July 18, 2021.
  22. Devan Cole, CNN: Washington Post: Investigation finds Israeli-designed spyware was used to hack journalists and activists around the world. Accessed July 19, 2021.
  23. Pegasus Project, "spiato anche Romano Prodi quando era inviato speciale Onu per il Sahel". July 21, 2021, accessed July 22, 2021 (Italian).
  24. Espionage attack on heads of state. In: Süddeutsche Zeitung, accessed July 21, 2021.
  25. Gero von Randow: French President Macron in the sights of the spies. The president, the cabinet, a human rights lawyer: attacks with the Pegasus cyber weapon are massive in France. Suspected: Morocco. In: Zeit Online, July 21, 2021, accessed July 21, 2021.
  26. Pegasus project: spyware leak suggests lawyers and activists at risk across globe. July 19, 2021, accessed July 22, 2021.
  27. Revealed: murdered journalist's number selected by Mexican NSO client. July 18, 2021, accessed July 22, 2021.
  28. Pegasus: NSO clients spying disclosures prompt political rows across world. July 20, 2021, accessed July 20, 2021.
  29. Key Modi rival Rahul Gandhi among potential Indian targets of NSO client. July 19, 2021, accessed July 22, 2021.
  30. Viktor Orbán accused of using Pegasus to spy on journalists and critics. July 18, 2021, accessed July 18, 2021.
  31. Astrid Geisler, Kai Biermann, Sascha Venohr, Holger Stark: Hungarian journalists monitored with spyware. Cell phone data show: Reporters from Hungary were attacked with cyber weapons. The Hungarian government claims that everything went according to the law. In: Zeit Online, July 28, 2021, accessed July 21, 2021.
  32. Panyi Szabolcs: Hungarian journalists and critics of Orbán were targeted with Pegasus, a powerful Israeli cyberweapon. In: Direkt36, July 19, 2021, accessed July 23, 2021 (English).
  33. Pegasus: Oppositionists and journalists in Hungary condemn alleged surveillance. In: Der Spiegel, accessed July 23, 2021.
  34. Hacking Software Was Used to Spy on Jamal Khashoggi's Wife Months Before His Murder. In: The Wire, July 18, 2021.
  35. Espionage in Khashoggi's environment. In: tagesschau.de, July 18, 2021.
  36. Phone of top Catalan politician 'targeted by government-grade spyware'. July 13, 2020, accessed July 22, 2021.
  37. Joaquín Gil: El programa espía Pegasus atacó también el móvil de Ernest Maragall. July 14, 2020, accessed July 22, 2021 (Spanish).
  38. Before Indian Soldiers Captured Dubai Princess on High Seas, UAE Zeroed in on Her Friends' Numbers. Accessed July 22, 2021.
  39. Data leak raises new questions over capture of Princess Latifa. July 21, 2021, accessed July 22, 2021.
  40. Dubai suspected after Princess Haya listed in leaked Pegasus project data. July 21, 2021, accessed July 22, 2021.
  41. Diana Moukalled: UAE: Israel's (Pegasus) Spyware in the Service of Autocracy. In: Daraj, July 18, 2021, accessed July 22, 2021 (English).
  42. Amazon bans Pegasus manufacturer NSO from the cloud. The internet company has blocked the accounts of the Israeli software manufacturer NSO. The Pegasus spy software is said to have been delivered via Amazon services. In: Zeit Online, July 20, 2021, accessed July 21, 2021.
  43. Pegasus spy software: Association of journalists demands clarification about the use of spy software. In: Die Zeit, July 19, 2021, accessed July 19, 2021.
  44. Edward Snowden calls for spyware trade ban amid Pegasus revelations. July 19, 2021, accessed July 19, 2021.
  45. https://www.zeit.de/digital/2021-07/edward-snowden-spionage-software-pegasus-handy-ueberendung-diktaturen