Analysis

Pegasus Snooping Victim Explains Why Users No Longer Believe WhatsApp and Mobile Phones Are Secure

Nihalsing B Rathod

The Pegasus snooping scandal shook the confidence of WhatsApp users and dispelled the notion that some devices are more secure. Under pressure from users, WhatsApp has deferred its new privacy policy, but after Pegasus, WhatsApp will have to do a lot more to restore faith in privacy and security, writes NIHALSING B RATHOD.

IN 2017, 2018 and early 2019, I received repeated video-calls from international numbers on WhatsApp. The moment I would answer these calls, they would disconnect. Calling back never worked either. The episode left me with a string of missed video-call alerts.

I presumed the calls were from scamsters, and suspected they were an attempt to steal my data. Not knowing what else to do, I would block each such caller. Still the calls continued. On 28 March 2019, propelled by irritation and fear, I complained to WhatsApp. I never got a response from them.

In October 2019, I received a message from a different overseas number. The text seemed sincere; the sender wanted to talk about a privacy breach. After a few days of should I or shouldn't I, I decided it was better to talk. The messenger shared some bone-chilling details. An Israeli company, NSO, had apparently deployed a malware named Pegasus in my phone through the WhatsApp application I had installed.

NSO later said that it had supplied the Pegasus software and related technical support only to governments. As we now know, Pegasus is capable of taking control of a mobile device remotely. It can share live details of all activities conducted on any phone.

Over 1,400 people reportedly had the malware installed on their devices, including businessmen, politicians, journalists and social activists.

The person who had messaged me worked with a reputed cyber forensics expert. He had given me some of these details and offered suggestions on how to deal with the attack. The best advice he offered was: discard the phone altogether.

CURIOUSER AND CURIOUSER

When news broke that renowned Indian activists and lawyers had become victims of Pegasus, a chill went over all of us. It was an intensely strange experience to learn that we were being snooped on. Some time passed before we could understand what had really happened.

All of us were, in one way or another, connected with the Bhima Koregaon-Elgar Parishad case. It was hard to believe that with just one missed call someone can take absolute control over your phone and the victim would not even find out. Even more worrying was the ability of this malware to not just take data away from a phone, but to even plant data in it.

In the days after the snooping came to light, our online accounts were scanned and analysed threadbare (with our express consent this time!). We discovered that many of us had indeed received suspicious emails. Some of us had opened those emails, while others had ignored them.

A cyber-security organisation published a report after thoroughly examining certain suspicious emails. It revealed that an email attachment, which seemed innocuous enough, contained malware akin to Pegasus. Downloading or accessing this file on a device would provide the hacker remote access to the entire system, be it a computer or tablet or any other instrument.

Remember—it is not just the ability of malware to take your data that is frightening. What is even more dangerous is its power to plant, manipulate, create or store data in your device, remotely and invisibly. It should worry one and all that the entire operation of planting spyware went unnoticed. A basic online search will show that such malware is available (with customer support!) for just $15 (Rs.1,000) a month.

WHAT ALL SHOULD KNOW ABOUT PEGASUS

Based on the information that is already in the public domain, I attempted to research how deep the Pegasus rabbit hole goes. A federal lawsuit filed by Facebook and WhatsApp against NSO in October 2019 contains certain documents, including a contract between agents of NSO and the Republic of Ghana, as also a product-description brochure. This relates to snooping done by deploying Pegasus over April and May 2019.

Here is what the suit said NSO's Pegasus is capable of (see picture 1): "Defendants' malware was designed to infect the Target Devices for the purpose of conducting surveillance of specific WhatsApp users ("Target Users"). Unable to break WhatsApp's end-to-end encryption, Defendants developed their malware in order to access messages and other communications after they were decrypted on Target Devices."

This is what WhatsApp (which is owned by Facebook) has claimed in its suit. However, the submission seems to have been cleverly crafted to avoid having to admit that Pegasus has been collecting its so-called end-to-end encrypted data from much before. The submissions in the suit indicate that this was being done prior to 2015.

Picture 1, WhatsApp vs NSO Suit

The suit also states that the Pegasus spyware can make its way into a targeted device even without any action on part of the user. "According to media reports and NSO documents, Defendants claimed that Pegasus could be surreptitiously installed on a victim's phone without the victim taking any action, such as clicking a link or opening a message…"

Picture 2, WhatsApp vs NSO Suit

Essentially, it meant that Pegasus could infect phones and it did so without using the kind of technology that can be detected and reported by victims. (See picture 2.)

THE IMPACT ON PHONE USERS

What Pegasus has done is shatter the perception that certain mobile handsets are breach-free or immune to attacks. This understanding should no longer exist, considering NSO itself has claimed that Pegasus can extract intelligence from virtually any mobile device; and that includes Apple devices. (See picture 3.)

Picture 3, WhatsApp v NSO Suit

The product brochure details the benefits of deploying Pegasus (see picture 4). "Unlimited access to target mobile phone," it says. "Transparently monitor voice and VoIP calls in real time," it says. One can draw the conclusion that the software has been evolving over time.

Picture 4, Pegasus Product Brochure

A copy of the contract between Ghana and an NSO agent shows that Pegasus needed support from local mobile network providers to work. In 2015, procuring such a system entailed an expense of US$8 million, plus 22% of the total amount, for a period of one year for support. The cost adds up to about US$10 million.

For such a sum, Pegasus would also record all calls received or dialled, and then replay them to the handler on demand. It also had a self-destruct mechanism in order to circumvent the risk of detection. Two features, environmental sound recording and camera snapshot, allow a handler to remotely turn on the microphone of a target device and listen in, in real time, to the sounds around the device, and also to take videos and pictures of wherever the target device is.

So, whether you speak over the phone, or WhatsApp or Viber, or even keep your phone at rest, it is immaterial to your privacy and safety. Both stand eroded.

In any case, there is more to privacy policies than meets the eye. The lapses of security or fall-outs of written policies aside, we know after Pegasus that there are even more sinister subterranean breaches—things happen that do not even come to our notice.

(Nihalsing B Rathod is an advocate practicing at Bombay High Court. The views are personal.)