New Delhi: At the heart of the alleged phone-tapping scandal in India is Pegasus, the malicious software created by the Israeli company NSO Group.
According to an expose by a global consortium of media publications, phones of two serving union ministers, three opposition leaders, one constitutional authority, current and former heads of security organisations, administrators and 40 senior journalists and activists from India were allegedly bugged using the Israel spy software Pegasus and put on surveillance.
But Pegasus has been under the scanner, over its surveillance activities, for a while now.
In September 2018, The Citizen Lab, a Canadian cybersecurity organisation, published a comprehensive report identifying 45 countries, including India, in which the spyware was being used.
Then in October 2019, WhatsApp revealed that journalists and human rights activists in India had been targets of surveillance by operators using Pegasus.
But what really is Pegasus? How does it operate? Who uses the software? And why has it earned the reputation of being behind the most sophisticated spyware attacks?
What is Pegasus?
Pegasus is a type of malicious software or malware classified as a spyware.
Spyware such as Pegasus is designed to gain access to your device, without your knowledge, and gather personal information and relay it back to whoever it is that is using the software to spy on you.
According to this report, Pegasus is the “the ultimate spyware for iOS and Android”, and has been behind the “most sophisticated attack ever seen”
But then are Apple products immune to these attacks? In simple terms, no.
Pegasus, in fact, is widely sought after because it can hack into iPads and iPhones despite Apple products being touted to be among the safest and best for data privacy.
To make matters worse, those operating the software can even turn on a phone’s camera and microphone to capture activity in the phone’s vicinity.
In all, according to this report, Pegasus “can monitor up to 500 phones in a year, but can only track a maximum of 50 at one go”. The report, citing sources, adds that it costs about $7-8 million per year to license Pegasus.
So how does it work?
In short, keep an eye out for text messages.
A hacker would typically try to infect a victim’s device with Pegasus using a phishing link, mostly sent via a text message that looks innocent and benign.
Clicking on the phishing link would (without the victim’s knowledge) start the download of Pegasus on the device and set up a connection with a hacker’s command computer that could be thousands of miles away.
The hacker can then communicate with the Pegasus spyware via the remote command centre and issue directions for what information the spyware should send back to the hacker’s server.
According to The Citizen Lab, in this way Pegasus can be used to gather a vast amount of victim information: “Passwords, contact lists, calendar events, text messages, and live voice calls from popular mobile messaging apps.”
According to this report, “Pegasus could even listen to encrypted audio streams and read encrypted messages”.
Then there are the other aspects that make Pegasus an extremely sophisticated software.
For one, Pegasus “self-destructs” if it can’t communicate with the hacker’s control centre for over 60 days or if it “detects” that it has been installed on a device with the wrong SIM card since NSO made Pegasus for targeted spying on selected victims, not just anyone.
Who owns Pegasus?
Pegasus has been developed by the Israeli firm NSO Group that was set up on 25 January 2010.
According to an Amnesty International report, the first name initials of the founders form the acronym ‘NSO’. The founders are Niv Carmi, Shalev Hulio and Omri Lavie.
The Amnesty report citing Hulio says NSO’s goal was “to develop technology that would provide law enforcement and intelligence agencies with direct remote access to mobile phones and their content – a workaround to the increasingly widespread use of encryption in the digital environment”.
The Amnesty report adds that Hulio “claimed” the idea for a service and company like NSO was inspired by “a request from European authorities that were familiar with his and Omri Lavie’s existing work on cell phone carrier customer service technology”.
Who uses Pegasus?
NSO does not openly name who buys its software. But its website does say that its products are used exclusively “by government intelligence and law enforcement agencies to fight crime and terror”.
The Citizen Lab report in 2018 identified 45 countries, including India, Bahrain, Kazakhstan, Mexico, Morocco, Saudi Arabia, and the United Arab Emirates, where it is being used.
In India, following WhatsApp revelations that activists were snooped upon, questions surfaced about a possible meeting between representatives of NSO and the Chhattisgarh Police on 2 November, 2019.
‘The Congress government in Chhattisgarh set up a three-member committee to look into it. In January 2020, the government, however, said that “no evidence linking any government official to the snooping was found”. The government also said there was no evidence found regarding a presentation done by NSO in Chhattisgarh.
Do security agencies in India use Pegasus?
There is no clarity on the issue.
In November 2019, Lok Sabha MP from the DMK, Dayanidhi Maran, asked on the floor of the House if the government taps WhatsApp calls and messages, and whether the government uses Pegasus for this purpose.
A written response provided by then Minister of State for Home Affairs, Kishan Reddy, did not directly address queries about tapping or Pegasus.
“Section 69 of the Information Technology Act, 2000 empowers the Central Government or a State Government to intercept, monitor or decrypt…any information generated…or stored in any computer resource,” the response said, adding that it was for reasons including sovereignty and security of the country.
“Section 5 of the Indian Telegraph Act, 1885 empowers lawful interception of messages on occurrence of public emergency or in the interest of public safety,” the response added.
The response also listed the 10 agencies that can intercept messages under the law and a Standard Operating Procedure (SOP). Such agencies allowed to intercept messages include the Intelligence Bureau, Enforcement Directorate, Cabinet Secretariat (RAW), and Commissioner of Police, Delhi.
The response further said that “there is no blanket permission to any agency for interception or monitoring or decryption and that permission from competent authority is required, as per due process of law and rules, in each case”.
(Edited by Arun Prashanth)