Pegasus Targeting Apple Devices


    In News

    • A new zero-day, zero-click exploit called ‘FORCEDENTRY’ has been discovered in Apple’s iMessage service.
    • It was allegedly used by Israel’s NSO Group to install Pegasus spyware in devices including the iPhone, iPad, MacBook and Apple Watch. 


    • The exploit was discovered by researchers at Toronto-based Citizen Lab, who have been investigating the extent to which Pegasus is being used to spy on civilians, politicians, judges, activists, etc.
    • The Citizen Lab has advised everyone to update the operating systems on their Apple devices as the exploits can potentially affect their smartphones.

    What are zero-day, zero-click hacks?

    • These are essentially hacks that occur without any intervention by the victim, using a loophole or a bug in particular software of whose existence its developer is unaware.
    • The same kind of exploit was earlier used to install Pegasus through WhatsApp and iMessage.
    • Zero-day attacks were a quantum leap in the world of cyber warfare, prior to which spyware such as Pegasus was deployed using attack vectors such as malicious links in an e-mail or an SMS, that were smartly crafted to trick the recipient.

    About Spyware Pegasus

    • Pegasus is spyware that can be installed on devices running some versions of iOS, Apple’s mobile operating system, as well as on devices running Android.
    • It was developed by the Israeli cyber arms firm NSO Group.
    • Functioning: It mainly uses Exploit Links for its working. Clicking on such links automatically installs Pegasus on the user’s phone. The method of Social Engineering is used.
      • In the context of information security, social engineering is the psychological manipulation of people into performing actions or divulging confidential information. 
      • This differs from social engineering within the social sciences, which does not concern the divulging of confidential information.
    • In July, Indian news portal The Wire reported that a leaked global database of 50,000 telephone numbers believed to have been listed by multiple government clients of NSO Group includes over 300 verified Indian mobile telephone numbers, including those used by ministers, opposition leaders, journalists, the legal community, businessmen, government officials, scientists, rights activists and others.

    Challenges with Pegasus

    • Unlimited access to the target’s mobile devices: It collects information remotely and covertly about the target’s relationships, location, phone calls, plans, and activities whenever and wherever they are. It tracks targets and gets accurate positioning information using GPS.
      • It also gives the attacker control of the phone’s camera and microphone and enables the GPS function to track a target.
    • Intelligence gaps: Collects unique and new types of information (e.g., contacts, files, environmental wiretap, passwords, etc.) to deliver the most accurate and complete intelligence.
    • Intercepting calls: It transparently monitors voice and VoIP calls in real-time.
    • Decoding encrypted content: It overcomes encryption, SSL, proprietary protocols and any hurdle introduced by the complex communications world.
    • Application monitoring: Monitors a multitude of applications including Skype, WhatsApp, Viber, Facebook and Blackberry Messenger (BBM).
    • Bypassing Service provider: No cooperation with local Mobile Network Operators (MNO) is needed to attack. 
      • It constantly monitors the device without worrying about frequent switching of virtual identities and replacement of SIM cards.
    • Avoids unnecessary risks: The spyware eliminates the need for physical proximity to the target or device at any phase.
    • Terrorist activities: Terrorists and other anti-social elements have started using cyberspace more, which provides them with more getaways.
    • Digital Attacks: Pegasus had been used in some of the “most insidious digital attacks” on human rights activists in the world. 

    Methods to Secure Devices from Pegasus

    • Regular Updates: Always update the operating system to the latest version. Apple and Google regularly release updates which include security patches for vulnerabilities and malware. 
      • Both Apple and Google have released fixes for Pegasus. 
    • Remain Careful & Vigilant: Pegasus spyware (as well as all sorts of other malware) infiltrates phones by way of the phone user clicking a link in a text message, email, Twitter post, or any other means. 
      • When receiving any message with a link, make sure one is familiar with the person sending the link and actually verify that the message along with the link is coming from the authorized person.
    • Secure Communications: It is critical to maintain secure communications, including calls and messages, that are not vulnerable to Pegasus and other malware.
      • Secure calls and messages will ensure secure communication even when spyware infiltrates phones and one is “under mobile surveillance.”
    • Online database: It has been launched by Forensic Architecture, Amnesty International and the Citizen Lab to document attacks against human rights defenders.
      • It showed the connections between the ‘digital violence’ of Pegasus spyware and the real-world harms lawyers, activists, and other civil society figures face.

    Reasons for increasing Cyber Attacks in India

    • Adverse relations with China: China is considered one of the world leaders in information technology. Therefore, it is expected to have capabilities to disable or partially interrupt the information technology services in another country. 
      • Combined with the recent border standoff and violent incidents between the armies of the two countries, the adversity in relations is expected to spill over to attacking each other’s critical information infrastructure.
    • Asymmetric and covert warfare: Unlike conventional warfare with loss of lives and eyeball to eyeball situations, cyber warfare is covert warfare with the scope of plausible deniability, i.e. the governments can deny their involvement even when they are caught.
      • Similarly, even a small nation with advanced systems and skilled resources can launch an attack on a bigger power, without the fear of heavy losses.
      • Therefore, cyber warfare has increasingly become the chosen space for conflict between nations.
    • Increasing dependency on technology: As we grow faster, more and more systems are being shifted to virtual space to promote access and ease of use.
      • However, the downside to this trend is the increased vulnerability of such systems to cyber-attacks. 
        • For e.g. there is a concern of widespread damage and huge loss if hackers are able to intrude into the nuclear, financial or energy systems of a country. 
        • Since almost all sectors of an economy are dependent upon power, the takedown of the power grid can substantially impact the economy.
        • Growing digital reliance in the post-COVID era has exposed digital disparities which must be bridged through capacity building.
    • There’s a sophisticated use of cyberspace by terrorists to broaden their propaganda and incite hatred.
    • Lack of robust law enforcement mechanisms: India’s approach to cyber security has so far been ad hoc and unsystematic.
      • Despite a number of agencies, policies and initiatives, their implementation has been far from satisfactory.
    • Lack of International Coordination: International cooperation and consensus is missing in this field.
    • Low digital literacy among the general public and digital gaps amongst nations create an unsustainable environment in the cyber domain.

    India’s Preparedness to Ensure Cybersecurity

    • Information Technology Act, 2000 (Amended in 2008): It is the main law for dealing with cybercrime and digital commerce in India.
      • National Critical Information Infrastructure Protection Centre (NCIIPC) was created under Section 70A of IT Act 2000 to protect Cyberinfrastructure.
    • Banning of unsafe apps: India had banned apps that posed a threat to security.
    • Awaited National cybersecurity strategy: Comprehensive plan in preparing & dealing with cyber-attacks (Pre, Post and During the attack).
    • Indian Cyber Crime Coordination Centre (I4C): Launched in 2018, it is an apex coordination centre to deal with cybercrimes.
    • Evolving Technology: Cyber attackers are continuously working on novel ways to sabotage the systems. 
    • Human Resource: Anyone in cybersecurity needs to be an equally potent hacker.
    • CERT-In (Cyber Emergency Response Team, India): It is the national nodal agency for cyber security and has been operational since 2004.
    • National Cyber Security Policy, 2013: The policy provides the vision and strategic direction to protect the national cyberspace.
    • Cyber Swachhta Kendra: Cyber Swachhta Kendra helps users to analyse and keep their systems free of various viruses, bots/ malware, Trojans, etc.
      • Launched in early 2017.
    • Cyber Surakshit Bharat: It was launched by the Ministry of Electronics and Information Technology (MEITy) in 2018 with an aim to
      • spread awareness about cybercrime and
      • build capacity for safety measures for Chief Information Security Officers (CISOs) and frontline IT staff across all government departments.
    • The Cyber Warrior Police Force: It was organised on the lines of the Central Armed Police Force in 2018.

    International Efforts in this direction 

    • Budapest Convention: 1st international treaty to address cybercrime; India is not a signatory.
    • Internet Corporation for Assigned Names and Numbers (ICANN): US-based not-for-profit organisation for coordinating and maintaining several databases.
    • Internet Governance Forum: UN forum for multi-stakeholder policy dialogue on Internet governance issues. 

    What more needs to be done in this context?

    • Human Resource Development: Human resource is crucial and there is an urgent need to create an informal Indian team of Cyber Warriors.
    • Infrastructure Strengthening: The critical infrastructure managers should also be well trained in cyber warfare and well equipped with all the technologies for isolating viruses and attacks.
    • Mock Drills using White Hackers: There should be a reward for white hackers who can highlight the shortcomings.
    • Awareness: Managers and the general public must be made aware.
    • Involvement of the Private Sector: Often the private sector is seen as a key innovator and their help can be crucial in securing cyberspace.
    • Cyber Command: A separate wing under the Army or Navy as a Cyber Command, on the lines of the US.

    Source: IE