Pegasus and Digital Security: Decrypted

You’ve probably heard the terms “Pegasus” and “spyware” at some point over the last week, and some of you might have been wondering what that is all about. So I thought I’d do a short write-up on it and share some insights on what it is and how worried we should all be, and what steps we as individuals can take to better protect ourselves online.


What is Pegasus?

Pegasus is the name of a hacking tool or spyware (malicious software which spies on the users of devices it’s installed on) that was developed by an Israeli corporation called NSO Group and licensed to government intelligence and law enforcement agencies around the world. While it was intended to be used against criminals, an investigation by a group of 17 news outlets working together with Amnesty International and an NGO called Forbidden Stories revealed early last week the scale on which the hacking tool has been misused for surveillance of activists, human rights lawyers and dissidents, according to a report by The Guardian.


Pegasus infiltrates devices by what is known as a “zero-click” attack, which means it requires no action whatsoever from the user of the target device for it to succeed. According to Amnesty International, it does this through vulnerabilities in operating systems or apps, including Apple’s iMessage. Once it infects the phone, the tool can be used to access and retrieve messages, WhatsApp chats, emails, photos and videos, call logs and location data, as well as to activate the camera and microphone, and much more.


How bad is it?

While news of cyberattacks and exploits is becoming increasingly common, the scale on which Pegasus has been used is terrifying. According to The Washington Post, after examination by Amnesty’s Security Lab, a total of 37 smartphones belonging to high-profile targets were found to be successfully hacked so far. The analysis was done after a list of 50,000 phone numbers of surveillance targets from more than 50 countries was leaked to Forbidden Stories. This included the numbers of 189 journalists, 85 human rights activists, and over 600 politicians and government officials, according to the Pegasus Project via the BBC. The Guardian also revealed that the numbers of the French president, Emmanuel Macron, and 13 other heads of state and government were on the list.


Based on the investigations of the list, Amnesty said that “NSO Group’s spyware has been used to facilitate human rights violations around the world on a massive scale” and that they were “able to confirm that thousands of iPhone were listed as potential targets for Pegasus spyware, though it was not possible to confirm how many were successfully hacked”.


Should we be worried?

Now that we’ve got the explanation out of the way, I thought I’d share my thoughts on this and what the takeaway here is for the average person. The first time I heard of Pegasus was a couple of months back when I watched the documentary called The Dissident (a documentary on the assassination of Washington Post reporter Jamal Khashoggi) and was shocked by the capability of these types of exploits. Lo and behold, the same spyware is in the news again, but this time on a much, much bigger scale. I’m definitely concerned about what this all means for democracies around the world, the freedom of speech and the right to protest.


However, in terms of digital and online security, I’m not too worried about Pegasus on a personal level. Although it seems to be highly effective in exploiting vulnerabilities in devices, spyware like this is very expensive and is usually used to break into the devices of very specific high-level targets. As long as we’re not prominent journalists, activists, or human rights lawyers, this hacking tool probably shouldn’t worry us too much.


That being said, this is a stark reminder of how important digital and online security is, especially since there are potentially tonnes of other ways we are susceptible to a cyberattack. While we can’t do much about sophisticated targeted attacks like Pegasus, there are various measures the average person can take to stay safe in an increasingly digital world.


I’ll share 5 basic practices that I personally use to ensure good digital security hygiene. You’ve probably heard most, if not all, of them before, but I’m going to reiterate them anyway because practices like these go a long way in ensuring our safety online.


What can we do?

1. Use a password manager

You’ve probably heard of this over and over again, but if you aren’t using one, start using a password manager. SERIOUSLY. Using a password manager is probably the first line of defense in not getting ourselves hacked. A surprisingly large number of people reuse the same password for all their accounts or on multiple accounts, while others use personal information (such as the names of their pets) as their passwords or parts of them. And those who do use unique passwords for different accounts are probably using passwords that aren’t particularly strong. I guess these limitations are due to our memory: we have so many accounts, and it’s near impossible to create and remember strong unique passwords for each account. But this can be disastrous when it comes to protecting our online security, and that’s where a password manager comes in.


A password manager generates strong, unique passwords that are very difficult to crack for each of our accounts, so that we don’t have to remember or reuse them. This makes it much harder to become a victim of a password-based breach. The passwords are then encrypted and stored, and all you have to remember is one master password to rule them all. Password managers usually have desktop and mobile applications as well as browser extensions and are often very convenient to use. I use 1Password at the moment and am loving it so far. It is however a paid app, and if you are looking for a free option, I’ve read good reviews on Bitwarden, an open-source alternative.


I thought I’d also share an online tool called “Have I Been Pwned”, where you can check your email address against a database of breaches to see if any of your personal information has ever been leaked.


2. Use two-factor authentication (2FA)

Besides using a password manager, another step we can take to lock down our accounts is to use 2-step authentication. This is an additional layer of protection on top of our passwords in the event that they are compromised. It usually works by requiring the user to provide extra information like a code or a PIN, or to use a hardware key or biometrics, in order to log in to their account. Most major online services and websites, including social media sites, offer this functionality, and it can be easily switched on through their settings page.


I use a 2FA authentication app called Authy to secure my accounts (using an authenticator app is safer than an SMS-based option), but there are other alternatives like Google Authenticator. You could also set up a hardware key if you’d like to be extra vigilant.


3. Keep everything updated all the time

No device, operating system, firmware or software is hack-proof, and new vulnerabilities and exploits are being discovered all the time. Companies are constantly pushing security updates and patches (sometimes together with OS updates) to address these issues. Therefore, it’s important that we keep all our devices and apps updated to prevent hackers from gaining access through older exploits.


Always update your devices’ operating system and firmware (iPhones, Android devices, computers, tablets, smartwatches, routers and others) as well as your applications (browsers, messaging apps) on those devices. It is probably a good idea to keep automatic updates turned on as well. I usually have most of my devices and apps updated automatically as the updates arrive, and try to occasionally check and update (if there are any) my router’s firmware.


This is one of the areas in which iPhones have a massive advantage over Android devices though. The latest versions of iOS are immediately available to all iPhone users when they are released, while Android users (unless they have a device like the Google Pixel) often have to wait for the manufacturers of their devices to push OS updates after a new version of Android is live.


4. Encrypt everything

I’ll make a separate post explaining in depth what encryption and end-to-end encryption are, but for now, let me give a short explanation. Encryption is basically making the data that you send, receive or store unreadable to someone who is not supposed to have access to it, so in the case that they do get hold of it, they can’t do anything with it. Therefore, it is an excellent habit to encrypt everything and opt for applications and services with an end-to-end encryption option whenever possible.


Encrypt your hard drives (both Windows and Mac make it easy to do this) and external storage. Use end-to-end encrypted apps, like Signal for messaging. Always make sure your connections to websites, especially the ones where you are entering personal data, are encrypted. You can do this by checking that the site is loaded over HTTPS (shown by a lock icon in most browsers, which indicates a verified certificate) rather than over HTTP (you can check this in the URL section of your browser).


I use a browser extension called HTTPS Everywhere, which automatically forces websites to switch to an HTTPS connection if it is supported. This extension has been highly recommended and is available on most major browsers through their official stores.


5. Use a VPN

Talking about encryption, a VPN (Virtual Private Network) is a pivotal tool in our arsenal for defending ourselves against cyberattacks. In a nutshell, a VPN encrypts data and creates a tunnel between our devices and the internet, thereby protecting our data and identities. This is especially important in scenarios where we are connected to unsecured or even secured public networks. Connecting to these types of networks without a VPN can be very dangerous: it leaves a user susceptible to various forms of attack and enables attackers to snoop and eavesdrop on our traffic.


If you are installing a VPN, be sure to research and use one from a reputable company with good reviews, as a lot of VPNs, especially the free options, could prove to be more harmful than they are useful. At the moment, I’m using a combination of ProtonVPN (using its free tier, which only allows one connection at a time) and Cloudflare’s WARP service (it’s free, but it’s not a full VPN). Although it’s probably a good practice to be using a VPN at all times, I usually tend to only use it when I’m connected to Wi-Fi networks away from my home.


What’s next?

So there you go, I’ve tried my best in summarising what Pegasus is and shared a few tips that I use to improve my own digital security habits. I will try to explain more on how concepts and services like encryption and VPNs work in future posts, as well as share even more basic steps we can take to reduce our chances of becoming victims of cyberattacks.


When it comes to digital security, it’s best to think of it using a Swiss Cheese model. None of these steps is going to be enough to ensure we are safe; however, when combined they will significantly reduce our chances of being “hacked”. In a world where we send, receive and store valuable data including text messages and photos, conduct financial transactions, and so much more through our devices, I cannot stress enough how crucial these steps are. Remember, all it takes is one breach to make a significant impact on your life.


Arvinth Gunasegaran | MSc International Business, Nottingham University (UK)