Project Pegasus: Several leaders, ex-bureaucrats and journalists are on the list of spyware targets

Context: Analysis by various Indian and international news media confirms Pegasus attacks or attempted attacks on 10 Indian numbers.

More in the news:

  • The target list includes two serving Ministers in the government, three Opposition leaders, one constitutional authority, several journalists and business persons.
  • In the past, similar claims were made regarding the use of Pegasus on WhatsApp by the Indian state. 
    • Those reports also had no factual basis and were categorically denied by all parties, including WhatsApp in the Indian Supreme Court.
  • WhatsApp was one of the attack vectors used to infiltrate the mobile phones of selected targets using Pegasus. 
    • Other known vectors include SMS and iPhone’s iMessage service in addition to unknown vulnerabilities that a Pegasus user might exploit to install the spyware.
  • WhatsApp sued the NSO Group in a federal court in San Francisco, accusing it of using WhatsApp servers in the United States and elsewhere to send malware to approximately 1,400 mobile phones and devices (Target Devices) for the purpose of conducting surveillance of specific WhatsApp users (Target Users).
  • The NSO Group is a Tel Aviv-based cybersecurity company. 
    • It specialises in “surveillance technology” and claims to help governments and law enforcement agencies across the world fight crime and terrorism.
  • Several media houses conducted the investigation, called the Pegasus Project.
  • According to a report in Le Monde (a French newspaper), the use of the Pegasus software began “just after” Prime Minister Narendra Modi visited Israel in July 2017.
    • Several Delhi-based diplomats were on the list of potential targets for phone hacking from 2017 to 2021.

Once installed, what can Pegasus do?

  • It can send back the target’s private data, including passwords, contact lists, calendar events, text messages, and live voice calls from popular mobile messaging apps.
  • The target’s phone camera and microphone can be turned on to capture all activity in the phone’s vicinity, expanding the scope of the surveillance. 
  • According to claims in a Pegasus brochure that WhatsApp has submitted to the court as a technical exhibit, the malware can also access email, SMS, location tracking, network details, device settings, and browsing history data. 
    • All of this takes place without the target user’s knowledge.
  • Other key features of Pegasus, according to the brochure are: 
    • Ability to access password-protected devices, 
    • Being totally transparent to the target, 
    • Leaving no trace on the device, 
    • Consuming minimal battery, memory and data so as to not arouse suspicion in more alert users, 
    • A self-destruct mechanism in case of risk of exposure, and
    • Ability to retrieve any file for deeper analysis.
  • Pegasus can work on BlackBerry, Android, iOS (iPhone) and Symbian-based devices. 
    • The mention of the now discontinued mobile OS Symbian (Nokia Phones) and the no longer popular BlackBerry suggests the document is old and Pegasus has certainly been upgraded over the years.

Can Pegasus be used to target just about anyone?

  • Technically, yes. But while tools such as Pegasus can be used for mass surveillance, it seems likely that only selected individuals would be targeted.
  • In the present case, WhatsApp has claimed that it sent a special message to approximately 1,400 users who it believed were impacted by the attack, to directly inform them about what had happened.
  • The NSO Group, while disputing WhatsApp’s allegations in the strongest possible terms, has said that: 
    • It provides the tool exclusively to licensed government intelligence and law enforcement agencies, and not just to anyone who wants it.

Indian Government Response:

  • The Ministry of Information Technology (IT) and Communications told the Lok Sabha that illegal surveillance was not possible in India, given its laws and robust institutions.
  • According to it, news reports about the Pegasus software being used to illegally tap phones were an attempt to malign Indian democracy.
  • In the past, similar claims were made regarding the use of Pegasus on WhatsApp. 
    • Those reports had no factual basis and were denied by all parties, including in the Supreme Court.
  • The Israeli company NSO has also rejected the claims and pointed out factual inaccuracies.
  • The IT minister noted that Section 69 of the IT Act and Section 5 of the Telegraph Act contain provisions for lawful interception of electronic communication for the purpose of national security.

WhatsApp warning:

  • The WhatsApp CEO has called on governments and companies to take steps to hold the Israeli technology firm accountable.
  • WhatsApp in 2019 sued the NSO group, accusing it of using the former’s messaging service to conduct cyber-espionage on roughly 1,400 user accounts, including those of journalists and human rights activists.
  • The use of cyber spy software to hack smartphones even by the government is prohibited under Indian laws.

Concerns:

  • Both Prasad (Previous IT Minister) then and Vaishnaw (Incumbent IT Minister) now ducked the key question raised:
    • Did the Government or its agencies get Pegasus and, if yes, what were the terms of its use?
  • In 2019, similar allegations were made about the use of Pegasus against journalists and human rights activists.
    • Most of them were situated in Maharashtra and Chhattisgarh as the hack targeted lawyers related to the Bhima Koregaon case and Dalit activists, respectively.
  • A significant number of Indians reportedly affected by Pegasus this time are again journalists.
    • The World Press Freedom Index produced by Reporters Without Borders has ranked India 142 out of 180 countries in 2021.
    • The press requires (and in democracies is afforded) greater protections on speech and privacy. Privacy and free speech are what enable good reporting.
  • The government, in its purported undated and unsigned response, relied on existing provisions of law under the Indian Telegraph Act of 1885 and the Information Technology (IT) Act of 2000.
    • Even without the use of Pegasus or any other hacking software and surveillance, these provisions are problematic.
    • They offer the government total opacity in respect of its interception and monitoring activities.
    • While the provisions of the Telegraph Act relate to telephone conversations, the IT Act relates to all communications undertaken using a computer resource.
    • Section 69 of the IT Act and the Interception Rules of 2009 are even more opaque than the Telegraph Act and offer even weaker protections to the surveilled.
    • No provision, however, allows the government to hack the phones of any individual since the hacking of computer resources, including mobile phones and apps, is a criminal offence under the IT Act.
  • Surveillance itself, whether under a provision of law or without it, is a gross violation of the fundamental rights of citizens.
    • It impacts the right to privacy and the exercise of freedom of speech and personal liberty under Articles 19 and 21 of the Constitution, respectively.
    • There is also no scope for an individual subjected to surveillance to approach a court of law prior to or during or subsequent to acts of surveillance since the system itself is covert.
    • In the absence of parliamentary or judicial oversight, electronic surveillance gives the executive the power to influence both the subject of surveillance and all classes of individuals, resulting in a chilling effect on free speech.
    • In response to a Right to Information (RTI) request in 2013, the Central government had revealed that 7,500 to 9,000 orders for the interception of telephones are issued by it every month.
    • The existing provisions are insufficient to protect against the spread of authoritarianism since they allow the executive to exercise a disproportionate amount of power.
    • Such surveillance, when carried out entirely by the executive, curtails Articles 32 and 226 of the Constitution (empowering the Supreme Court and High Courts, respectively, to issue certain writs) as it happens in secret.
    • The affected person is unable to show a breach of their rights. 
    • This violates not only the ideals of due process and the separation of powers but also goes against the requirement of procedural safeguards as mandated in K.S. Puttaswamy (Retd) v. Union of India (2017).
  • Role of Judiciary.
    • Only the judiciary can be competent to decide, for specific instances of surveillance:
      • Whether they are proportionate,
      • Whether less onerous alternatives are available, and
      • How to balance the necessity of the government’s objectives with the rights of the impacted individuals.
    • Judicial oversight over surveillance systems in general, and a judicial investigation into the Pegasus hacking in particular, is also essential because the leaked database of targeted numbers contained the phone number of a sitting Supreme Court judge, which further calls into question the independence of the judiciary in India.
  • When spyware is expensive and interception is inefficient, the individuals surveilled will be shortlisted by priority and perceived threat level to the existing regime.
    • But as spyware becomes more affordable and interception becomes more efficient, there will no longer be a need to shortlist individuals.

Way Forward:

  • Surveillance reform is the need of the hour in India.
    • Not only are existing protections weak but the proposed legislation related to the personal data protection of Indian citizens fails to consider surveillance while also providing wide exemptions to government authorities.

Related Facts

About Pegasus:

  • It is spyware: software that spies on people through their phones.
  • It works by sending an exploit link, and if the target user clicks on the link, the malware or the code that allows the surveillance is installed on the user’s phone.
    • A presumably newer version of the malware does not even require a target user to click a link.
  • Once Pegasus is installed, the attacker has complete access to the target user’s phone.
  • The first reports on Pegasus’s spyware operations emerged in 2016, when Ahmed Mansoor, a human rights activist in the UAE, was targeted with an SMS link on his iPhone 6.
  • The Pegasus tool at that time exploited a software vulnerability in Apple’s iOS to take over the device.
    • Apple responded by pushing out an update to “patch” or fix the issue.
  • Pegasus delivers a chain of zero-day exploits to penetrate security features on the phone and installs itself without the user’s knowledge or permission.
    • A zero-day exploit takes advantage of a completely unknown vulnerability, one that even the software manufacturer is not aware of, so no patch or fix is available for it.
    • In the specific cases of Apple and WhatsApp, therefore, neither company was aware of the security vulnerability, which was used to exploit the software and take over the device.

About zero-click attacks:

  • One of the worrying aspects of the Pegasus spyware is how it has evolved from its earlier spear-phishing methods using text links or messages to zero-click attacks which do not require any action from the phone’s user.
  • This has made it the most powerful spyware out there, more potent and almost impossible to detect or stop.
  • How zero-click attacks work:
    • A zero-click attack helps spyware like Pegasus gain control over a device without human interaction or human error.
    • So all awareness about how to avoid a phishing attack or which links not to click is pointless if the target is the system itself.
    • Most of these attacks exploit software that receives data even before it can determine whether what is coming in is trustworthy or not, like an email client.
    • In the email-client case, the vulnerability allows remote code execution and enables an attacker to remotely infect a device by sending emails that consume a significant amount of memory.
  • Can zero-click attacks be prevented?
    • Zero-click attacks are hard to detect given their nature and hence even harder to prevent. 
    • Detection becomes even harder in encrypted environments where there is no visibility on the data packets being sent or received.
    • Ensure all operating systems and software are up to date so that they have the patches for at least the vulnerabilities that have already been spotted.
    • One way to go is to stop using apps altogether and switch to the browser for checking emails or social media, even on the phone.
