Phone numbers of over 300 Indian journalists, government officials and opposition politicians were found in a leaked list of potential targets for surveillance which were later confirmed— via forensic analysis done by Amnesty International, a global Human rights NGO—to have been targeted and surveilled by a spyware called Pegasus, the Wire reported on Sunday night.
The investigation was part of a large global collaboration between news platforms across the world which included the likes of Washington Post, and Le Monde, among others. The investigation found that more than 50,000 phone numbers appeared in a surveillance list which includes people from countries like Mexico, Morocco, India, Saudi Arabia, Rwanda and Hungary among others.
Among the people reportedly targeted in India were senior journalists working for organisations like Hindustan Times, Indian Express, the Wire, and the Hindu. Others on the list were cabinet ministers, opposition leaders and even a sitting Supreme Court judge.
Soon after the story broke it created a privacy related furore with people demanding answers from the government. The NSO Group, the developer of Pegasus, has so far maintained that it sells the malware only to government agencies.
The revelations lay threadbare the implications of a missing robust data protection law for citizens. However, the data protection bill that is currently being deliberated by a Parliamentary committee has carved out expansive exclusions for government agencies. Aside from a data protection law, surveillance reform in India is also long overdue, Indian civil liberties activists pointed out.
Here’s an explainer on what exactly Pegasus is and how it can be used to gather critical data from a target’s phone:
What is Pegasus?
Pegasus is a spyware developed by Israel’s NSO Group that enables law enforcement and intelligence agencies to remotely and covertly extract valuable intelligence from virtually any mobile device.
When planted on a target’s mobile phone, the spyware can intercept all sorts of communications made on all sorts of messaging platforms including WhatsApp, iMessage, Facebook, Skype, Viber, and Gmail, among others. Apart from private communication, the spyware can also keep tracking the target’s location.
Phones made by almost all manufacturers and operating systems including iOS, Androids, and Blackberrys, among others can be infiltrated by the malware.
The NSO Group has sold Pegasus to governments and law enforcement agencies worldwide.
How can Pegasus be planted on a target’s phone?
According to an internal document on Pegasus accessed by Entrackr, the spyware silently deploys an “invisible software” on the target’s device which then extracts and securely transmits the collected data for analysis.
Installation is performed remotely (over-the-air), does not require any action from or engagement with the target, and leaves no traces whatsoever on the device, as per the internal document. In other words, once targeted, there is apparently no defence against it for the target.
Over the air installation works by sending a push message to the target’s device covertly which triggers a download and installs Pegasus on the device. In cases where this is not possible, a message or an email can be sent to the device luring the target to open it and the spyware installs on the device following a single click.
In the latest revelations made on Sunday night, Amnesty International said at least one of the attacks was carried through a zero-click iMessage exploit.
What can Pegasus do after being installed on a target’s mobile phone?
Once deployed on a phone, Pegasus can essentially read through almost any and every piece of data present on the mobile phone. This includes:
- Unlimited access to the target’s mobile devices: Pegasus allows to collect information about a target’s relationships, location, phone calls, plans and activities, and passwords, among others anytime.
- Intercept calls: Voice and Voice over Internet Protocol (VoIP) calls can be monitored using Pegasus once it is installed on a device.
- Application monitoring: Pegasus allows for monitoring a multitude of applications including Skype, WhatsApp, Viber, Facebook and Blackberry Messenger, among others.
- Pinpoint location tracking: Using Pegasus, a target’s location can be tracked accurately using GPS.
“Pegasus is something that comes to your office, your home, your bed, every corner of your existence. It is a tool that destroys the essential codes of civilisation,” Mexican investigative journalist Carmen Aristegui, who was snooped on using Pegasus, told the Washington Post.
What does this mean for WhatsApp’s encryption security?
WhatsApp is the world’s most popular messaging platform, so it is natural that any spyware would try and tap into communications done on the platform. Pegasus’ internal document claims that it can get past encryption, SSL, and proprietary security protocols. India is also the largest user market for WhatsApp with close to 530 million users, making it easily the most widely used social medium for communication today.
In fact, Pegasus was planted on several targets’ phones in 2019 using a WhatsApp vulnerability which allowed an attacker to plant Pegasus in the target’s phone through a missed WhatsApp voice/video call. The vulnerability was later fixed by WhatsApp.
WhatsApp had also sued the NSO Group for exploiting this vulnerability.
Another point to remember is that WhatsApp’s encryption keeps messages secure when they are in transit, that is when they are being transmitted from one device to another. However, once a WhatsApp’s message is delivered and is at rest on a device, it is typically not encrypted.
Who can plant Pegasus on a target’s device?
The NSO Group has so far maintained that it only sells Pegasus to governments and authorised law enforcement and intelligence agencies. However, the company does not disclose the names of its clients.
Did the Indian government plant Pegasus on the targets’ devices?
Most of the journalists that have been reported to be targeted have been involved in investigative stories critical of either the government, or those considered close to the government. However, the government has denied its involvement.
Soon after the story broke about the use of Pegasus against prominent Indian journalists and civil liberties activists, the government issued a statement via news agency ANI, in which it said that there has been “no unauthorised interception by government agencies”.
However, nowhere in its statement did the government clarify whether it has indeed purchased Pegasus from the NSO Group. For the record, news reports indicate that a single license of Pegasus costs $7-8 million per year, to track upto 50 devices at a time.
IT Minister Ashwini Vaishnaw called the stories about the use of Pegasus against Indians baseless in Parliament on Monday and said that India has a due process of law for intercepting communications. However, Vaishnaw did not clarify whether or not the government has access to Pegasus.
The government has also not made any commitment towards investigating claims about the use of Pegasus.
Who all have been targeted by Pegasus so far?
Aside from the 40 Indian journalists, thousands of journalists and civil liberties activists across the world were targeted using Pegasus. Before that, in 2019, more than 20 activists, lawyers, scholars involved in the Bhima Koregaon case were targeted using Pegasus.
Amazon’s co-founder Jeff Bezos’ phone was also reported to have been infiltrated by Pegasus following a WhatsApp message by the crown prince of Saudi Arabia, Mohammed bin Salman. However, it is yet to be confirmed whether Pegasus was indeed used to infiltrate Bezos’ iPhone.
The first case of the use of Pegasus was back in 2016 when it was used to infiltrate the phone of Saudi activist Omar Abdulaziz, who was also close to Saudi dissident Jamal Khashoggi. Khashoggi himself was murdered after a malware unfiltered his device and gave prior details about his presence at the Saudi consulate to those on the lookout for him. However, the NSO Group denied that Pegasus was used to target Khashoggi’s phone.