Checking for Pegasus


The Guardian newspaper recently published an article, “Revealed: leak uncovers global abuse of cyber-surveillance weapon”, detailing how governments have (ab)used Pegasus, spyware sold by an Israeli surveillance company, NSO Group. These NSO Group clients used the software to target political critics, journalists, lawyers and activists, including their families. Pegasus exploits iPhone and Android smartphone vulnerabilities to gain full remote access to the device (extract data, turn the microphone and camera on or off remotely, and so on). The likelihood that you are among those targeted by Pegasus users is slim, but if you are a politician, activist or human rights lawyer, or are related to or friends with any of them, then the possibility of being included increases.

How do you know if you are targeted?

Whilst the possibility of being targeted cannot be disregarded, I had to check whether my iPhone was infected. Luckily, Amnesty International Security Lab, one of the organizations responsible for the exposé, published their forensics tool on GitHub, along with the list of indicators that they have collected. The tool, Mobile Verification Toolkit, and the Pegasus STIX file are open-source and free.

Essentially, you need (1) the Mobile Verification Toolkit (MVT), which runs best on Linux or macOS, (2) an encrypted backup of your iPhone, created either with libimobiledevice, another tool you install on Linux, or from your Mac, and of course (3) the STIX file.

I secured my iPhone backup first. Whilst doing the backup, I started installing the toolkit on a Raspberry Pi and downloading the STIX file. When the backup was done, I realized that all 61GB of it would not fit on the Raspberry Pi's storage, so I shifted to an Ubuntu Linux laptop running 20.04 with the latest patches. For some reason, the toolkit's dependencies (the libraries) were having some issues (which I found a bit weird), so I decided to build all of them directly from source. After a couple of rounds of “autogen.sh, make and make install”, mvt was installed and functioning perfectly. Now I was ready.

Instead of using the backup already created on the Mac, I decided to tether the iPhone to the Ubuntu laptop and extract a backup directly. It took several minutes, considering that it was done over USB 2.0 (aka slow) and it had to collect and encrypt 61GB worth of data. Once the backup had been saved on the laptop, I started the mvt process, decrypt and then check, which took around 30 minutes to complete and generate the reports. The reports are all in JSON format. I was dreading finding a file suffixed with _detected.json, which would indicate a Pegasus infiltration, and did not find a single one! *whew*
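The backup, decrypt and check steps above, followed by the scan for _detected.json reports, as an added shell example that is not part of the original post. It assumes idevicebackup2 (from libimobiledevice) and mvt-ios are installed and that the Pegasus STIX file has already been downloaded; the directories, the backup password and the IOC filename are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Stage 1 drives the tools the
# post used (idevicebackup2 and mvt-ios); stage 2 looks for the *_detected.json
# reports that MVT writes when a module matches an indicator.

# Stage 1: encrypted full backup over USB, then decrypt and run the IOC check.
# Define only; call run_pegasus_check yourself once the paths are right, e.g.
#   run_pegasus_check ~/backup ~/decrypted ~/mvt-out ~/pegasus.stix2 'backup-pw'
run_pegasus_check() {
    backup_dir="$1"; decrypted_dir="$2"; output_dir="$3"; iocs="$4"; password="$5"
    # Turn backup encryption on first: encrypted backups carry far more
    # artefacts (Safari history, SMS, etc.) than unencrypted ones.
    idevicebackup2 encryption on "$password" || true   # harmless if already on
    idevicebackup2 backup --full "$backup_dir"
    mvt-ios decrypt-backup -p "$password" -d "$decrypted_dir" "$backup_dir"
    mvt-ios check-backup --iocs "$iocs" --output "$output_dir" "$decrypted_dir"
    detected_reports "$output_dir"
}

# Stage 2: print every *_detected.json report in the MVT output directory.
# Returns 0 when none exist (nothing matched) and 1 when at least one does,
# so it can drive a conditional or a cron alert.
detected_reports() {
    out_dir="$1"
    count=0
    for f in "$out_dir"/*_detected.json; do
        [ -e "$f" ] || continue     # glob matched nothing; skip the literal pattern
        count=$((count + 1))
        echo "$f"
    done
    [ "$count" -eq 0 ]
}
```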

What’s next?

Amnesty International Security Lab and Citizen Lab also identified a couple of URLs that are being used by the NSO Group's Pegasus clients. You can download the list of URLs and block them on your network to provide some layer of protection (but then again, if you are targeted, you will need far more than just blocking traffic to these URLs!). Whilst I have yet to verify it, I have heard that ControlD.com and NextDNS.io already block these identified URLs.

The exploited iPhones included devices running the latest iOS version, 14.6, which means that the vulnerabilities have not yet been patched; iOS 14.7, which was released earlier this week, has yet to be tested. So, if you still haven't updated your iPhone OS, now is the time to upgrade to iOS 14.7! That being said, if you are one of those VIPs who are potential targets, assume that your smartphone has already been compromised. Good luck and stay safe.