Most likely initial attack vector for Pegasus

fxnn

First of all: Often when Pegasus and similar tools get brought up, the discussion devolves into wild speculation, conspiracy theories and FUD. This doesn't help anyone, so let's all please not do that and try to stick to substantiated claims, ideally with sources. Thanks!

My question is: What initial attack vectors should one be most concerned with when trying to defend against software like Pegasus?

I'm aware that depending on how important a target someone is, there's basically no way to resist these attacks with any certainty. But, especially with tools like becoming more widely used [1], driving up the cost to use them might be a worthwhile endeavor. There are of course many ways to do this. No matter what kind of software or exploit-chain is used, one thing the attacker will certainly have to do, is make contact somehow. That's also where potential victims should have their first line of defense in place. While you should certainly not just try to harden the most obvious initial attack vector and ignore all the others, it would be very interesting to know what the most popular ones are.

For example, my assumption is that, for devices not in the physical possession of the attacker, the preferred way to make contact would be the cellular network. But again, this is just an assumption and I could be completely wrong. Even if that was the case, I'd really like to know what the preferred alternative is – email? Knowing how "dangerous" each attack vector is in practice would be a great help to know what to prioritize and put most effort in.

1] Recent example: German coalition agreement, p. 2632

Brothe3r_max

fxnn please see

https://m.youtube.com/watch?v=Fsh5JcK5F4k&pp

TLDR : pegasus is a zero click exploit, NSO keeps on envolving it and keeps on changing to adapt to the environtment. It's a constant chess game.

At the end of the day, we can only speculate about it's capability.

And the most important thing is how to mitigate the risk

Like Sun Tzu said "If a battle can't be won don't fight it" and then we have to change rules of the game

AFAIK the only easy way to win this battle is with using multiple device for different purpose. Using different identity, operating system, account, email, network, behaviour, etc then keep it seperate and do not intersect.

You must protect your attribution (identity) at all cost

Disclaimer, this is just sharing my thought

For example, If you are a journalist, you can keep using iphone as public persona or decoy device for public usage subject for surveillance.

And then you must have secret secondary device like Graphene OS for sensitive use only (no simcard, no wifi wired only, always airplane modes) with seperated identity

To be noted don't use whatsapp, it is closed software, no one could verified the source code, don't use email, it's by design not secure. Only do comms with something like simpleX with TOR proxy, becuse it protect your metadata.

The point is you should protect your attribution (sensitive device) at first place, so they did not even realize it is exist with you

ryrona

I don't know what Pegasus is, but generally, people with physical access to the device tend to try hacking the USB stack in the kernel somehow, people that is within radio distance might attempt to exploit kernel vulnerabilities in the Wifi or cellular stack. These are serious, as it is all C code, vulnerabilities are common, and successful exploit fully compromises the whole device. GrapheneOS has a pretty strong protection against USB exploits, and physical attacks in general, and some defenses against Wifi exploits too by hardening against memory corruption vulnerabilities.

People with chat or e-mail access to you usually tries to exploit memory corruption vulnerabilities in the chat client or libraries used for file format parsing, people that can get you to visit their website tries to exploit memory corruption vulnerabilities in the web browser engine. This rarely result in full system compromise, as there is the app sandbox as a second layer of defense, but it might give enough access to your device and sensitive data to still be very useful. GrapheneOS has some extra defenses against memory corruption vulnerabilities.

Suggestions: Turn off radio modems you don't use. Enable the security settings for auto-disabling them at disconnect. This is especially good for Wifi, as the risk of getting compromised increases a lot when you start moving around. Leave USB security settings at their default values. Be careful about opening mails for unknown senders, or accepting chats from unknown persons. Rather reject and delete. Be careful about what websites you visit. Stay on sites where you trust the site owner to take security very seriously, so site isn't compromised. Keep your system and all apps up-to-date with security updates. Have as few apps as possible installed, only those you absolutely need, and install them from trusted sources.

horde

ryrona Pegasus is not a forensics company, they are commercial spyware company doing zero-click and one-click attacks that are zero days. https://citizenlab.ca/?s=pegasus

Byku

Regarding Pegasus, IIRC the contact was made using either an SMS or WhatsApp attachment with no need for you to interact with the attachment at all. I think iPhones had a particular vulnerability for Pegasus. A protective measure would be to turn off automatic downloading of said attachments. Also, since Pegasus was not persistent and remained entirely in RAM, frequent reboots would flush it from the phone every time. Of course the device could get reinfected again. I believe the vulnerabilities that Pegasus used to use are patched out right now though.

wuseman

Byku IIRC the contact was made using either an SMS

This is what I've read too. What I couldn't find by ducking it was how it actually worked, and if it could be prevented in any way. Would be fun to know.

TGOS

Afaik a lot of goverments bought it and use some zerodays to do what is necessary for them.
They could honeypot manny public sites, force some code on sold phones or even stinkray into your device I guess.
Citizenlab.ca has very good info in this.

locked

Pegasus was used by adversaries to send a silent message via SMS, iMessage, WhatsApp, that is called a zero click. Once this initial 'payload' was received, it attempted to 'phone home' and if successful, it installed other components that would in fact open up your entire phone, including your camera, microphone, picture gallery and messaging apps to the intruder. This software was fabricated by the now defunct NSO group. However, the NSO group has now morphed into Paragon Industries, and continues to build exploits that work in a similar fashion as Pegasus. These exploits are sold to governments around the world through a per case license. The main attack vector today is WhatsApp through its notorious and continued memory vulnerabilities. It is highly recommended, if use it (WhatsApp), to at least have A P8 which supports the memory tagging extension (MTE) and have it enabled. You'll have to be able to tolerate the frequent crashes. I am always on airplaine mode, and have never inserted a sim card into my P8. My main profile is a secondary profile. The owner profile has nothing installed in it. disconnect WiFi, NFC, and bluetooth while not in use. You can disable JAVA under exploit protection per app.... These are just some basics things. I am sure there is more.

onetwothree

locked Hi, I find your response very helpful. That being said, I have a few follow up questions that could help me make my set up more secure. In regards to "memory tagging extension (MTE) and have it enabled", if I dont have whatsapp but simply use molly, organic maps, sms and vanadium would it be necessary to enable it for those 4 apps or any other on the phone when trying to mitigate spyware risk? What about Memory Tagging (Async mode — less likely to crash)? Also, when you say that you have never inserted a sim card in the phone what do you recommend for making calls with the phone? And lastly the "disable JAVA under exploit protection per app" is that something that is only on pc or also for this 4 apps I mentioned on a graphene os phone? Thank you very much for taking the time to answer my doubts! I truly appreciated and it is a great favor! If you can think of any other actions or recommendations PLEASE let me know what could be done for this set up to mitigate spyware risk. I thought about disabling auto downloads on molly and sms and downloading the apps through Accressent (using the IVPN they have in the app store) many thanks!

justifier145

Brothe3r_max I don't understand how one should be able to communicate with anyone with such setup

locked

onetwothree Hi, all of the GrapheneOS apps, such as the Messaging app, Vanadium, etc. have Memory Tagging enabled by default, and it cannot be disabled. Molly also opts in, and Memory Tagging cannot be turned off there either. I can tell you from experience that the only frequent crasher is WhatsApp, so yes, you should enable it for all your apps whenever possible.

As far as making phone calls goes, I don’t use cellular networks at all. I rely on Signal, Telegram, and sometimes WhatsApp, which does offer some level of end-to-end encryption (E2EE). However, if you do decide to use the regular phone system, you can use any number of Voice over IP (VoIP) apps — just do a quick search and you'll find plenty of options.

Regarding Java, I was actually referring to WebView JIT, disable it for as many apps as you can under Settings → Apps → [App] → Exploit Protection. This helps improve your security by cutting off a common vector that spyware or malware may use to inject harmful code.

As for downloading apps, I get them from Accrescent, official websites, GitHub, or the Play Store (sandboxed). Obtanium is another great option. Most of the apps I use can be verified with AppVerifier, which is also available through Accrescent. I also recommend isolating any banking or sensitive apps in their own profile. As long as you stick with reputable sources and take the time to verify integrity, you’ll be okay.

Lastly, definitely use a reputable VPN with a kill switch enabled, such as ProtonVPN, IVPN, or Mullvad. And most importantly, stick around this site and other GrapheneOS-related communities. You’ll pick up a lot of valuable info and stay up to date on best practices for security.

Brothe3r_max

justifier145

Exactly, Sensitive device (GOS in that case) is not used for daily communication to everyone, only use it for sensitive communication stuff only

AFAIK Pegasus are not threated for everyone, only high profile individual like journalist, political dissident, etc

You can use Public device (Apple in that case) use for daily communication with everyone (Public usage)

It's known as Digital Compartmentalization

Please see

https://medium.com/codex/everyone-should-implement-digital-compartmentalization-e1cc45395db2

Brothe3r_max

justifier145 I'm sorry if you mean how to comunicate with set up ( no simcard, no wifi wired only, always airplane mode)
It's mean connected GOS via usb type C to Ethernet adapter for internet connection

Ofc, don' t forget using different network set up (IP, ISP, LAN,etc) from Public device network

Just reminder this set up not for everyone :)

onetwothree

locked Thanks so much for sharing all this—really helpful and kind of you. It’s great to have people like you in the community who take the time to help others stay safe and informed. Grateful!

onetwothree

locked Hi! Quick question, as for disabling WebView JIT for whatspp this are the instructions: Settings → Apps → [App] → Exploit Protection → Disable WebView JIT.
Could you please share the instructions for enabling Memory Tagging MTE (I just want to be sure I'm doing it the right way). Thank you very much for all of your help!